It all started with a fake e-mail. Out of tune, but it is almost impossible to tell the difference from the genuine ones.

Four months later, one of the country’s largest companies are being crippled by a cyber-attack. It would take months to correct. The cost would be in the hundreds of millions of dollars. The company was the aluminium producer Norsk Hydro, which is a industribjässe of Sandvik’s size, and attack a type of attack on the utpressningsvirus targeted at large corporations and government agencies.

the Idea is basically straightforward: to Hack a large corporation. To encrypt all of its files. Demand a ransom to decrypt them.

does this Sound familiar? For several years now, similar to the utpressningsvirus have been directed against private individuals, who happen to click on a link and are struggling to get to see the bröllopsfilmer and private photo albums, taken as a hostage. When the targets are companies with billion turnover, then the stakes will be higher.

in other words, with an e-mail. Fake emails are a common way to lure the recipient to click on a link or download an infected file. It is, however, possible to uncover if you’re paying attention. But for now, it’s different. The attacker was not to fake a sender, but the cut across the mejlservern as he is, or if it was a good group to send real e-mails between members of staff.

on top of that, the ill-fated message, smögs in the middle of a conversation between two members of staff. They had already exchanged several e-mails, and presto, you got a, seemingly normal, but who cheated, the recipient will infect their computer with a virus-like program.
the Link for the graphic

In the investigation of the attack, it has come to be known as the initial infection.

“It is the first infection was not caught by any anti-virus software,” says Torstein Gimnes Are, head of information security at Norsk Hydro, when the ROTOR meets with him at the time of your stockholm visit.

This means that the computer isn’t updated. However, it can also be a sign that the hackers had knowledge of the unique security vulnerabilities that no one else will know about it, as in it säkerhetskretsar commonly referred to as a zero day. In such a case, it would indicate that the attackers were extremely sophisticated, with a large amount of resources.

it was a stepping stone. From there, hacked the computer, after the computer server and for the server. Orderly and discreetly worked, the attackers are on the network and established control.

it is Systematically working on, and for each part of the network, the the the installed the tool to scan for vulnerable systems. However, on each machine, and they could be installed in the utpressningsvirus, ready to re-encrypt the disk for a given command.

< Torstein Gimnes Are, head of information security at Norsk Hydro. Photo credit: Anders Vindegg

for three months, was lost on the attackers to be caught. Then, at midnight, on march 19, 2019, hit the the the the. Utpressningsvirusets the encryption is activated, and in an instant was the 2,700 pcs, and 500 servers to be unusable.

a Large share of Norsk Hydro’s activities came to an end. Early in the morning, the decision was made – all of the systems that could be turned off should be turned off. One of the first text message went out to people in key positions: ”We have been the victims of massive cyber attacks”, was opened there.

this was a need of 35,000 employees in 40 countries, you will be contacted, so no one had time to plug in the additional computers on the network, and the risk of the virus spreading further. And it needed to be done quickly. It’s just a shame that the it systems are down. When the employees came to work a few hours later, they were met by a handwritten sign: ”Highly of you in cyber-attacked”, to obey at a federal facility.

all over the world were affected. They were of all sorts of Mines in the Amazon basin, where the company is found on their raw material. Hydroelectric power plants that supply the energy-hungry aluminiumproduktionen power. The factories in which the manufacturing process takes place.

from the Manufacturing process could, in some cases, to go on, but just thanks to the fact that some of the information was written on a piece of paper. The employees describe it as the work of ”a blind alley”, but so did the economic loss was no less.

”a Hydro of you in the ” cyber-attacking”

the effect of putting your finger on how global a company that is the Hydro’s, Two days after the attack of 6,000 miners in Brazil to get their salaries. Their system for payroll had been wrapped in the attack, and after it had happened and trusted that the banks, not on any communications from the Hydro.

it was a rare and comprehensive. At the same time, it is not unique. In the past year, scores of companies, government agencies, and, not least, the hospital have been eliminated in the same way. Targeted attacks have been taking the files hostage, and the company is required to be provided for payment of the electronic currency bitcoin, in order to get them back, which makes it difficult, if not impossible, to find out who that is, in the end, the money.

the City of Atlanta, in the united states were among the hardest hit. Even as late as in the spring, and knocked Baltimore out of the. The list is a long one, and includes both private sector companies and public sector institutions. How much money is required vary. In some cases, a few tens of thousands of dollars, and in the other cases, up to a few million dollars, or even tens of millions of dollars.

There are no known examples of a targeted utpressningsattacker to the company or of its authorities, although many have been included in all previous waves of the utpressningsvirus, which is spread to all directions.

in the Cyber-security experts are describing it as a paradigm shift. Of the attacks on people’s computers, which were so common a few years ago, to the targeted attacks on large corporations. The information technology security company, Crowdstrike, has developed a special term for that: Big game hunting, big game hunting.

”Since the beginning of the year 2018 has been the broad, indiscriminate attacks of utpressningsvirus been dramatically reduced,” wrote the police in a caution, but at the same time observes, that ”losses have increased significantly”. In the clear: a reduction in suffering, but when it happens, so the damage to the larger one. Simply because the sacrifice is greater.

How many people are paying lösensumman not going to tell you. Probably some, but keep it a secret. Despite the fact that there is certain evidence, and a conclusion is given: the People behind the major attacks, has earned an enormous amount of money.

even before the Hydro was hit, the united states had identified two iranian men, who, according to the u.s. department of justice, is a behind-the-Samsam, a utpressningsvirus. A 34-year-old and a 27-year-old was tried in his absence because they are believed to have carried out the attack, the world, and still be there for some time. However, according to the indictment, the two, to municipalities, government agencies, and not least to hospitals in the united states – a total of more than 200 victims. The impact was no more than fair.

in A hospital in California, was forced to ask patients to turn to the door. In Atlanta, paralysed the courts, and the myndighetsfunktioner. Earnings for six billion dollars. However, according to the indictment, caused the injury of more than five times as much: $ 30 million, 300 million.

it has cost the us approximately double the amount of 600 million Norwegian kroner. Production costs, in order to restore the backups, and to smoke out the attackers from the network.

”Our code of conduct is to have a dialogue with the invaders, if any ransom.”

You have to ask the question: would it not have been reasonable to just pay for it? No, responds the chief of the security services Torstein Gimnes Are. According to him, didn’t even know the Hydro is how much the group was needed. No such contact was made, never.

” It’s in our ethics and company culture. Our code of conduct is to have a dialogue with the aggressors of any ransom.

” Well, we would have had to rebuild the entire it infrastructure of the new one. To pay for lösensumman hadn’t helped us out with that.

” I want to be clear: You will not have to pay. Firstly, for ethical reasons, we are not going to fund criminals. However, they must also bear in mind that, even if they are allowed to recover their data, so they are not in control of their systems.

”get control” is not a small thing. Even if lösensumman would unlock the encryption, the problem isn’t solved by a long shot. If the sophistication of hackers has taken control of thousands of computers that need to be gone through, cleaned, secured, and cause smoke out of. Otherwise, it is very easy for them to turn to the left.

before the Hydro was completely finished with the recovery process. First, in June, was able to completely relax. It was the last of the administrative system, which was the last time. The production, which had been on for a long period of time. The break was not longer, it can be attributed to two reasons: on the one hand, that the assailants never succeeded in hacking the machines, which are for the production, ”just” computers, and servers.

as Both a member of staff in another part of Europe, at a factory in belgium Lichtervelde. A person who has never really relied on the use of digital technology. A person who, just hours before the attack, the carefully had to put each and every one of the documents that would be needed, and put them in a binder.

A person who suddenly sat in on more information than any of the totally hacked it. Someone who is Torstein Gimnes Are now referring to as the hero of the day.

” He likes to be in paper only.

a Russian hacker is believed to have been hijacked by iranian hackers – attacked more than 35 countries.

the Suspected data breaches to the state’s payroll system.