Norsk Hydro Probe shows the slow pace of international ransomware cases

Norwegian aluminum producer Norsk Hydro waited two and a half years for police to arrest people suspected of launching a devastating ransomware attack on the company in March 2019.

Eight countries were involved in the expansive investigation, and authorities detained 12 suspects in Ukraine and Switzerland in late October.

With the increasing frequency and scope of ransomware attacks, the United States and its allies have pledged close cooperation to track and stop ransomware groups. They are also discussing adjusting rules for cryptocurrencies, which hackers use to discreetly receive payments from victims.

Nevertheless, the Norsk Hydro case highlights the complex nature and often slow pace of international law enforcement investigations, which must comply with strict legal requirements. In addition to Norway, Ukraine and Switzerland, the Norsk Hydro probe involved authorities from France, the Netherlands, Germany, the United Kingdom and the United States.

Prosecutors in Norway, France, the United Kingdom and Ukraine are now evaluating the evidence collected and deciding how to proceed.

Photo: Norwegian prosecutor Knut Jostein Saetnan. (NCIS Norway)

“Cooperation with the international police is very, very time consuming,” said Knut Jostein Saetnan, a Norwegian prosecutor involved in the case.

When Norsk Hydro was attacked in 2019, it shut down worldwide as the company moved to contain the ransomware. Norwegian investigators arrived at the office and gathered information about the hack.

Jo De Vliegher, Norsk Hydro’s chief information officer, said investigators at the time believed that hackers were pretending to be legitimate users on the company’s network to launch ransomware.

Intruders entered the company’s systems in December 2018 via an infected email that appeared to have been sent by a business partner. The attackers logged employees out of the company’s systems, making it impossible for them to work. Norsk Hydro said in March that the incident cost between NOK 800 million and NOK 1 billion, now equivalent to $90 million to $112 million.

After the attack, Norsk Hydro’s technology and cybersecurity staff split into three groups. One worked on fixing problems caused by the hack, another did forensic work on how it happened, and the third focused on restructuring technology, spokesman Halvor Molland said.

Norsk Hydro readily shared the conclusions of its internal investigation with Norwegian investigators, Molland said. Still, Norwegian authorities had to wait for Norsk Hydro to restore its systems so that more evidence would be available from the company, Norwegian prosecutor Saetnan said.

He added that it became clear that the case would probably take years.

Meanwhile, French investigators found that a ransomware case they had been working on was related to the Norsk Hydro case and called for the investigations to be combined, said Baudoin Thouvenot, France’s leading judge at Eurojust, a European agency that coordinates cross-border judicial work.

Eventually, more national authorities provided evidence from their jurisdiction.

At certain points, Norwegian authorities had to wait to receive evidence because some criminal laws in the countries concerned required a court decision to share the evidence, Saetnan said. He said that happens frequently in international cases.

“When it comes to cybercrime, we’re actually blind without cooperation and information from [other] countries,” he said.

Photo: Warning to Norsk Hydro employees after a March 2019 cyberattack. (Gwladys Fouche/Reuters)

Limited travel opportunities during the Covid-19 pandemic also delayed the case. Officials often met by video conference, but discussed some sensitive information only in person.

Cooperation eventually led to a police raid. Early in the morning of October 26, Ukrainian police raided the suspects’ houses and arrested 11 people. Swiss authorities arrested one person that day.

In The Hague, home of Eurojust, the French judge, Thouvenot, was on call from 6 a.m. to 7 p.m. to resolve legal issues. In other international cases, Thouvenot said, police have appeared at a suspect’s house and found that he had left the country. In such cases, authorities need to promptly seek warrants and assistance in another jurisdiction. This time, he said, nothing like that happened.

Norwegian prosecutor Saetnan said he spent a day at the cybercrime headquarters of the Ukrainian police in Kiev, working 13 or 14 hours while waiting to hear about the seizure of evidence. Police confiscated more than $52,000 in cash, five luxury cars, and some electronics, according to Europol, a European police agency. A video posted by Ukrainian police a few days after the raid shows authorities seizing laptops, tablets, mobile phones and cash in US dollars and euros.

So far, Saetnan said, his office has received only some of the evidence obtained from the devices. Prosecutors must request evidence under the so-called Mutual Administrative Assistance Treaty with other countries. The process can take several months, sometimes longer. This is because the judiciary and police stations that handle such requests are often backlogged.

De Vliegher, former CIO of Norsk Hydro, said he was relieved that the suspects had been arrested. Police and businesses “need to take this opportunity to understand how these people are working, their weaknesses, and how to find similar groups,” he said. De Vliegher, who left Norsk Hydro in August, is a cybersecurity executive advisor at Istari Global Ltd, a cyber risk management company with offices in Singapore, the United Kingdom and the United States.

“It is very important that this leads to a conviction, which is a deterrent to others,” he said. “We have to reach the point where cybercrime is punished.”

Write to Catherine Stupp at

Copyright © 2021 Dow Jones & Company, Inc. All rights reserved.
