June 4, 2025
March 17, 2026

The Norsk Hydro Masterclass: Why "Manual" is the Sexiest Word in OT Security

If you’ve spent any time reading the Hackopedia, you know I have a soft spot for "teachable moments". But the 2019 Norsk Hydro hack is different. Usually, these stories end with a quiet ransom payment or a company pretending it didn't happen.

Norsk Hydro did the opposite. They went dark, then they went loud, and then they went manual. It’s the ultimate case study in why your IT security is only as good as your OT (Operational Technology) resilience.

The Anatomy of the Blitz: LockerGoga

Technically speaking, this wasn't a sophisticated nation-state "Ocean’s Eleven" heist. It was a targeted, brute-force execution using a strain of ransomware called LockerGoga.

The breach started months earlier, not with a zero-day exploit, but with a weaponized email attachment from a trusted customer. Once the attackers had a foothold, they didn't just spray and pray. They moved laterally, captured administrative credentials, and targeted the Active Directory (AD) server.

By compromising AD, they turned Norsk Hydro’s own management tools against it. They used the system's "trusted" status to push the ransomware to over 22,000 computers and thousands of servers across 170 locations in 40 countries.

The "LockerGoga" Twist:

Unlike your garden-variety ransomware, LockerGoga didn't just encrypt files; it also deleted them. It went for the jugular by:

  • Changing local and administrator passwords so IT teams couldn't log in to fix the mess.
  • Disabling network adapters to isolate the machines.
  • Logging off all users, effectively turning the monitors into expensive paperweights.
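For defenders, those three behaviors make a usable detection pattern. The sketch below is an added example, not part of the original post or any vendor tooling: it flags hosts where a password reset is followed within minutes by a forced logoff or adapter shutdown, then alerts when several hosts show that pattern together. The event kinds, host names, and timestamps are constructed, and the mapping from Windows event IDs is an assumption about your log pipeline.

```python
from datetime import datetime, timedelta

# Constructed sample of normalized endpoint events: (time, host, kind, account).
# Assumed mapping done upstream: Windows Security 4724 -> "pw_reset",
# 4634/4647 -> "logoff"; "nic_down" is a hypothetical adapter-state signal.
SAMPLE = [
    ("2024-01-01T02:00:05", "ws-014", "pw_reset", "Administrator"),
    ("2024-01-01T02:00:09", "ws-014", "pw_reset", "localuser"),
    ("2024-01-01T02:00:20", "ws-014", "nic_down", ""),
    ("2024-01-01T02:00:41", "ws-090", "pw_reset", "Administrator"),
    ("2024-01-01T02:00:55", "ws-090", "logoff", "jdoe"),
    ("2024-01-01T02:01:30", "srv-db2", "pw_reset", "Administrator"),
    ("2024-01-01T02:01:44", "srv-db2", "logoff", "svc_backup"),
    ("2024-01-01T09:15:00", "ws-201", "pw_reset", "asmith"),  # helpdesk reset
    ("2024-01-01T09:40:00", "ws-201", "logoff", "asmith"),    # 25 min later
    ("2024-01-01T17:30:00", "ws-300", "logoff", "bwong"),     # ordinary logoff
]

def flag_hosts(events, window=timedelta(minutes=5)):
    """Map host -> reset time for hosts with a reset then logoff/nic_down in window."""
    last_reset, flagged = {}, {}
    for ts, host, kind, _acct in sorted(events):
        t = datetime.fromisoformat(ts)
        if kind == "pw_reset":
            last_reset[host] = t  # keep the most recent reset per host
        elif kind in ("logoff", "nic_down") and host in last_reset:
            if t - last_reset[host] <= window:
                flagged.setdefault(host, last_reset[host])
    return flagged

def fleet_alert(events, min_hosts=3, spread=timedelta(minutes=10)):
    """True when at least min_hosts flagged hosts begin the pattern within spread."""
    starts = sorted(flag_hosts(events).values())
    return any(starts[i + min_hosts - 1] - starts[i] <= spread
               for i in range(len(starts) - min_hosts + 1))

if __name__ == "__main__":
    print(sorted(flag_hosts(SAMPLE)), fleet_alert(SAMPLE))
```

A host whose adapter has been disabled stops forwarding logs, so the correlation has to run centrally on whatever arrived before isolation; a flagged host that then goes silent is itself a signal.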

The Price of Integrity: $70 Million and Change

Most companies panic and pay. Norsk Hydro didn't. They refused to engage with the hackers, choosing instead to rebuild their entire infrastructure from scratch using backups.

The bill? Roughly $70 million (NOK 600-700 million).

But here is where the "cost" gets interesting. The vast majority of that wasn't for the IT recovery; it was lost margins. Their "Extruded Solutions" division, which makes everything from car parts to window frames, ground to a near halt. When you can’t access your order books or your automated production schedules, you can’t ship product.

Hackopedia Note: They were lucky. They had cyber insurance that covered a significant chunk of this, but more importantly, they had the "manual" knowledge to keep the lights on.

The Nightmare Scenario: What if they failed?

We talk about the $70 million loss as a disaster, but in the Hackopedia, we look at the "What Ifs." If Norsk Hydro hadn't been able to pivot to manual operations, we’d be talking about a multi-billion-dollar collapse.

  1. The "Hard Metal" Disaster: In aluminum smelting, if the electricity or the control systems fail for more than a few hours, the liquid metal in the "pots" (electrolysis cells) cools and hardens. If that metal freezes, the pots are destroyed. We’re talking about billions of dollars in physical assets that would have to be jackhammered out and replaced.
  2. The Supply Chain Domino: Norsk Hydro is a linchpin for the global automotive and construction industries. A total, prolonged failure would have stalled production lines for major car manufacturers across Europe and the US, leading to secondary lawsuits and economic ripples that make $70 million look like pocket change.
  3. The Safety Crisis: If the hackers had successfully breached the Industrial Control Systems (ICS)—which, luckily, were segmented from the main IT network—they could have manipulated pressure valves or temperatures, leading to explosions or toxic leaks.

The BlastWave Takeaway

The Norsk Hydro story is a win for transparency, but it’s a warning for the rest of us. They survived because their OT teams knew how to use pen and paper, and because their ICS was just isolated enough to stay clean.

In today’s world, you can’t rely on "manual mode" forever. You need to make your network invisible to the attackers in the first place. If they can't see the Active Directory, they can't weaponize it.

Norsk Hydro gave us a masterclass in recovery. Now, it's our job to make sure we don't have to.

If you want to understand how AI is accelerating attacks—and what it takes to stop them before they start—join our upcoming webinar: https://www.blastwave.com/webinar/ai-in-the-ot-battlefield

— Cam Cullen, CMO of BlastWave & Author of the Hackopedia
