Following the March ransomware attack at Norsk Hydro, more details have emerged that are interesting on a technical front, but also in the way an organisation's handling of a breach reflects positively or negatively on the reputation and standing of the firm itself.

The LockerGoga malware that appears to have been used in the attack has been seen elsewhere in campaigns targeting specific organisations, rather than in indiscriminate, opportunistic campaigns. Interestingly, it has no functionality to spread of its own accord and would first need to be introduced to a system by someone with prior access. From there it appears to have used a common vector, PsExec, to spread further within the IT and OT (Operational Technology) environments.
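Because the malware relies on an operator pushing it around with PsExec rather than on a worm component, the lateral movement itself is the thing to detect. The script below is an added example (not code from the original post or from any vendor) that pairs the Windows 7045 "service installed" event PsExec leaves on a target with the network logon (4624, LogonType 3) that precedes it, so that each install can be attributed to a source address and checked for an IT-to-OT crossing. The event records are constructed for illustration, and the IT address range, the `OT-` host-name prefix and the heuristic for renamed PsExec copies are assumptions that would be replaced with your own inventory.

```python
"""Correlate PsExec-style service installs with the preceding network logon.

Windows writes a 7045 event to the System log whenever a service is installed.
PsExec's default service is named PSEXESVC and its binary is dropped into
%SystemRoot%. A network logon (4624, LogonType 3) from the operator's machine
normally lands on the target a moment earlier, which is how we recover the
source address and decide whether the IT/OT boundary was crossed.
"""
import ipaddress
import json
from datetime import datetime, timedelta

# Constructed sample events (not real data from the incident), flattened to the
# fields a SIEM would export from the Security and System logs.
SAMPLE_EVENTS = r"""
{"time":"2019-03-19T01:02:10","host":"IT-WKS-07","event_id":4624,"LogonType":3,"IpAddress":"10.10.5.21","TargetUserName":"svc_backup"}
{"time":"2019-03-19T01:02:12","host":"IT-WKS-07","event_id":7045,"ServiceName":"PSEXESVC","ImagePath":"%SystemRoot%\\PSEXESVC.exe","StartType":"demand start"}
{"time":"2019-03-19T01:05:40","host":"OT-HMI-02","event_id":4624,"LogonType":3,"IpAddress":"10.10.5.21","TargetUserName":"svc_backup"}
{"time":"2019-03-19T01:05:41","host":"OT-HMI-02","event_id":7045,"ServiceName":"PSEXESVC","ImagePath":"%SystemRoot%\\PSEXESVC.exe","StartType":"demand start"}
{"time":"2019-03-19T01:06:00","host":"OT-HMI-02","event_id":7045,"ServiceName":"WinDefend","ImagePath":"C:\\Program Files\\Windows Defender\\MsMpEng.exe","StartType":"auto start"}
{"time":"2019-03-19T01:09:00","host":"OT-ENG-01","event_id":4624,"LogonType":3,"IpAddress":"10.10.5.21","TargetUserName":"svc_backup"}
{"time":"2019-03-19T01:09:02","host":"OT-ENG-01","event_id":7045,"ServiceName":"upd8svc","ImagePath":"%SystemRoot%\\upd8svc.exe","StartType":"demand start"}
{"time":"2019-03-19T02:00:00","host":"OT-HIST-01","event_id":4624,"LogonType":3,"IpAddress":"10.20.1.5","TargetUserName":"ot_admin"}
{"time":"2019-03-19T02:00:01","host":"OT-HIST-01","event_id":7045,"ServiceName":"PSEXESVC","ImagePath":"%SystemRoot%\\PSEXESVC.exe","StartType":"demand start"}
"""

IT_NETWORK = ipaddress.ip_network("10.10.0.0/16")  # assumed IT address space
OT_HOST_PREFIX = "OT-"                              # assumed OT host naming convention
LOGON_WINDOW = timedelta(seconds=120)               # max gap between logon and service install


def parse_events(text):
    """Parse JSON lines into dicts with a datetime, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"])
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def psexec_confidence(ev):
    """Return 'high', 'medium' or None for a 7045 service-install event."""
    if ev.get("event_id") != 7045:
        return None
    name = ev.get("ServiceName", "").upper()
    path = ev.get("ImagePath", "").strip('"')
    # PsExec's default service name and binary.
    if name == "PSEXESVC" or path.upper().endswith("\\PSEXESVC.EXE"):
        return "high"
    # Assumed heuristic for a renamed copy (PsExec -r) or a clone: a demand-start
    # service whose binary sits directly in the Windows directory, not a subfolder.
    full = path.upper().replace("%SYSTEMROOT%", "C:\\WINDOWS")
    root = "C:\\WINDOWS\\"
    if (ev.get("StartType") == "demand start" and full.startswith(root)
            and "\\" not in full[len(root):]):
        return "medium"
    return None


def find_lateral_movement(events):
    """Attribute each PsExec-like install to the last type-3 logon on that host."""
    recent_logons = {}  # host -> most recent 4624 LogonType 3
    findings = []
    for ev in events:
        if ev.get("event_id") == 4624 and ev.get("LogonType") == 3:
            recent_logons[ev["host"]] = ev
            continue
        confidence = psexec_confidence(ev)
        if confidence is None:
            continue
        logon = recent_logons.get(ev["host"])
        source_ip = None
        if logon and ev["time"] - logon["time"] <= LOGON_WINDOW:
            source_ip = logon["IpAddress"]
        crossing = (source_ip is not None
                    and ipaddress.ip_address(source_ip) in IT_NETWORK
                    and ev["host"].startswith(OT_HOST_PREFIX))
        findings.append({
            "time": ev["time"].isoformat(),
            "target": ev["host"],
            "source_ip": source_ip,
            "service": ev.get("ServiceName"),
            "confidence": confidence,
            "it_to_ot": crossing,
        })
    return findings


if __name__ == "__main__":
    for f in find_lateral_movement(parse_events(SAMPLE_EVENTS)):
        flag = "IT->OT" if f["it_to_ot"] else "      "
        print(f"{f['time']} {flag} {f['source_ip'] or '?':>12} -> "
              f"{f['target']:<11} {f['service']:<10} ({f['confidence']})")
```

Run against the sample, this reports four PsExec-like installs and marks two of them as IT-to-OT crossings (the OT-HMI-02 and OT-ENG-01 installs, both sourced from an IT workstation address); the OT-HIST-01 install comes from an OT address and is left unflagged, and the WinDefend service is ignored. The correlation only works if the System and Security logs from OT hosts are actually forwarded somewhere, which is the visibility gap at the IT/OT boundary that incidents like this one tend to expose. PsExec is also used legitimately, so the direction of the connection and the account involved carry more weight than the service name alone.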

Disruption was severe enough for the company to resort to manual methods of running its industrial processes, even drafting in retired staff to help machine-reliant teams keep working. The total cost to the business is now north of £45 million and continues to rise; however, the fact that Norsk Hydro did not pay the ransom and has been particularly transparent about its experience is to its credit.

For me the primary teaching point in this example is that in some cases I've seen, the typically hard-to-reach OT environment has been breached not by targeted, nation-state threat actors, but by collateral damage from a far more mundane source - something still easily prevented by granular visibility and controls at the IT/OT barrier.