The Norsk Hydro Attack — When Ransomware Shuts Down a Global Mining and Metals Giant
The Organization
Norsk Hydro ASA is a Norwegian multinational aluminum and renewable energy company, one of the largest aluminum producers in the world, with operations across 40 countries including smelters, refineries, mining operations, and rolling mills. At the time of the attack, Hydro employed approximately 35,000 people and reported annual revenues of approximately NOK 159 billion (approximately CA$24 billion).
Hydro operated an extensive IT and OT infrastructure: enterprise resource planning systems managing global supply chains, industrial control systems running smelters and processing facilities, and a corporate network connecting offices, plants, and mine sites across dozens of countries. This was not a small resource company with a single operation — it was a globally integrated mining and metals conglomerate where IT and OT were deeply interconnected.
What Happened
On March 19, 2019, Norsk Hydro was hit by the LockerGoga ransomware — a destructive variant specifically designed to maximize operational damage. The attack began in the early morning hours and spread rapidly across Hydro’s global IT network, encrypting systems at offices, production facilities, and operations worldwide.
LockerGoga was unusually aggressive. Beyond encrypting files, it forcibly logged users out of their systems, changed passwords, and disabled network interfaces — making it significantly harder for IT teams to respond. Corporate IT systems went offline. Office computers across 40 countries were locked. And critically, the attack threatened to propagate into operational technology environments controlling smelting and production processes.
Hydro was forced to disconnect its global network to contain the spread. Production facilities switched to manual operations where possible. Smelter operations — which run 24/7 and cannot simply be “turned off” without risking equipment damage from cooling aluminum — continued under manual control, with operators physically monitoring processes that are normally computer-controlled. Some plants reduced output; others continued at full capacity using manual overrides and paper-based procedures.
The initial compromise reportedly occurred via a phishing email that delivered the LockerGoga payload. The attackers then used Active Directory to push the ransomware across the enterprise — leveraging the same centralized management infrastructure that IT teams rely on for legitimate software deployment.
The Impact
Financial cost: Hydro publicly reported the attack cost approximately NOK 800 million (CA$120 million) in the first quarter alone, with total recovery costs estimated at NOK 1 billion+ (CA$150 million+). This included lost production, manual operations overhead, IT remediation, forensic investigation, and system rebuilding.
Operational disruption: 35,000 employees across 40 countries were affected. Production at Hydro’s Extruded Solutions division — the segment most dependent on IT systems — dropped to 50% of capacity. Smelter operations continued under manual control, but at reduced efficiency. The company estimated the production impact at 20-30% across affected facilities.
Recovery duration: Full IT recovery took months. Hydro rebuilt its entire IT infrastructure from the ground up, reimaging thousands of servers and workstations, rebuilding Active Directory, and restoring applications systematically. Some business systems took weeks to restore; full operational normalcy wasn’t achieved until well into the second half of 2019.
Hydro’s response was notable: The company refused to pay the ransom, chose full transparency by providing near-daily public updates, and rebuilt its infrastructure methodically. Hydro’s CIO publicly shared lessons learned, making the incident one of the most documented ransomware recoveries in industrial history.
Root Causes — What Went Wrong
1. Phishing Provided Initial Access to a Global Network
The attack began with a phishing email — the most common initial access vector in ransomware attacks. A single employee opening a malicious attachment gave the attackers a foothold inside Hydro’s network. From that single point of entry, they escalated to enterprise-wide deployment. The gap wasn’t sophisticated — it was a human opening an attachment in an environment without sufficient email security controls or endpoint detection to catch the payload.
2. Active Directory Became the Attack Delivery Platform
The attackers used Hydro’s own Active Directory infrastructure to deploy LockerGoga across the enterprise — the same mechanism IT uses for legitimate Group Policy-based software deployment. Once the attackers had domain admin credentials, AD became a weapon that delivered ransomware to every domain-joined machine simultaneously. The centralized management that makes enterprise IT efficient also makes it efficient for attackers.
3. IT/OT Connectivity Without Adequate Segmentation
The threat of ransomware propagation into OT environments controlling smelters and processing facilities forced Hydro to disconnect its global network. While Hydro successfully prevented direct OT compromise, the fact that the threat was credible enough to require emergency disconnection indicates that the IT/OT boundary was not sufficiently hardened. In aluminum smelting, an uncontrolled shutdown can cause molten aluminum to solidify in pots — destroying equipment worth millions and requiring months to restart.
4. Global Flat Network Enabled Rapid Spread
LockerGoga spread from the initial compromise point to operations in 40 countries within hours. This speed of propagation indicates a relatively flat network architecture where domain-level compromise provided access to systems globally. Network segmentation between regions, between business units, and between corporate and operational environments would have dramatically slowed or contained the spread.
What AlecTech Would Have Done Differently
The Norsk Hydro attack is the defining case study for OT/IT convergence risk in mining and metals. Here’s how AlecTech’s approach addresses each failure for Canadian mining and resource operations:
OT/IT Boundary Hardening with Industrial DMZ (Managed IT)
The intersection of corporate IT and operational technology is the critical boundary in mining operations. AlecTech architects this boundary with industrial DMZs — purpose-built network zones between IT and OT that allow necessary data flows (production reporting, equipment telemetry) while preventing direct connectivity between corporate systems and industrial controllers. When ransomware hits the corporate network, the OT environment continues operating because there is no network path from a domain-joined workstation to a PLC controlling a concentrator, a conveyor, or a ventilation system.
Active Directory Hardening & Tiered Administration (Managed IT + MDR)
Hydro’s AD became the ransomware deployment tool. We implement tiered Active Directory administration that prevents a single compromised credential from delivering payloads enterprise-wide: Tier 0 (domain controllers) is isolated and monitored with privileged access workstations, Tier 1 (servers) has separate admin credentials with no overlap, and Tier 2 (workstations) admin credentials cannot access any higher tier. Our SOC monitors for the specific AD abuse techniques LockerGoga used — mass Group Policy modifications, bulk password changes, and anomalous service deployments across multiple machines.
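As an added example that is not AlecTech's tooling or anything from the original post, here is a minimal Python detector for the three bulk AD abuse patterns named above (mass Group Policy modifications, bulk password changes, one service appearing on many hosts), which together are the Active Directory delivery pattern described under root cause 2; it runs over a constructed sample log, the event IDs are standard Windows Security/System log IDs, and the ten-minute window and thresholds are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log, not real Hydro telemetry. Fields: time|event_id|host|actor|target
# 4724 = password reset (Security), 5136 = directory object modified (GPO edits land here),
# 7045 = new service installed (System). The last line is benign help-desk activity.
SAMPLE_LOG = """\
2019-03-19 02:01:10|4724|DC01|svc_deploy|alice
2019-03-19 02:01:12|4724|DC01|svc_deploy|bob
2019-03-19 02:01:13|4724|DC01|svc_deploy|carol
2019-03-19 02:01:15|4724|DC01|svc_deploy|dave
2019-03-19 02:01:16|4724|DC01|svc_deploy|erin
2019-03-19 02:02:30|5136|DC01|svc_deploy|CN={GPO-1},CN=Policies
2019-03-19 02:02:31|5136|DC01|svc_deploy|CN={GPO-2},CN=Policies
2019-03-19 02:02:33|5136|DC01|svc_deploy|CN={GPO-3},CN=Policies
2019-03-19 02:04:00|7045|WS-001|SYSTEM|updatesvc
2019-03-19 02:04:02|7045|WS-002|SYSTEM|updatesvc
2019-03-19 02:04:03|7045|WS-003|SYSTEM|updatesvc
2019-03-19 02:04:05|7045|WS-004|SYSTEM|updatesvc
2019-03-19 02:04:07|7045|WS-005|SYSTEM|updatesvc
2019-03-19 09:30:00|4724|DC01|helpdesk1|frank
"""

def parse_log(text):
    """Pipe-delimited lines -> dicts with a real datetime, sorted by time."""
    rows = [dict(zip(("time", "id", "host", "actor", "target"), l.split("|")))
            for l in text.strip().splitlines()]
    for r in rows:
        r["time"] = datetime.fromisoformat(r["time"])
    return sorted(rows, key=lambda r: r["time"])

def detect_bulk(events, event_id, group_by, count_field, threshold, window):
    """Alert when one group_by value touches >= threshold distinct count_field values in window."""
    groups = defaultdict(list)
    for e in events:
        if e["id"] == event_id:
            groups[e[group_by]].append(e)
    alerts = []
    for key, evs in groups.items():
        for i, cur in enumerate(evs):  # sliding window ending at each event
            recent = [x for x in evs[: i + 1] if cur["time"] - x["time"] <= window]
            seen = {x[count_field] for x in recent}
            if len(seen) >= threshold:
                alerts.append((event_id, key, len(seen)))
                break  # one alert per key is enough for triage
    return alerts

def run_rules(text, window_seconds=600):  # window and thresholds are assumed tuning values
    ev, w = parse_log(text), timedelta(seconds=window_seconds)
    return (detect_bulk(ev, "4724", "actor", "target", 5, w)    # bulk password resets
            + detect_bulk(ev, "5136", "actor", "target", 3, w)  # mass GPO modifications
            + detect_bulk(ev, "7045", "target", "host", 5, w))  # one service on many hosts
```

On the sample log this raises three alerts for svc_deploy and updatesvc and none for the help-desk reset; in production the same rules would be fed from forwarded domain controller and endpoint event logs.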
SCADA & ICS Continuity Planning (Managed IT + VCISO)
Hydro’s smelters ran manually during the attack because operators had the knowledge and the physical capability to do so. Not every mining operation has that fallback. AlecTech works with resource clients to develop and test OT continuity plans: documented procedures for operating critical processes during IT outages, regular drills with operations teams, independent control system backups, and communication plans that don’t depend on corporate email. When the corporate network goes dark, your processing facility, your ventilation systems, and your safety-critical equipment keep running.
Advanced Email Security & Phishing Resilience (MDR & SOC)
LockerGoga entered through email. We deploy multi-layered email security that catches payloads before they reach inboxes: sandboxing for attachments, URL rewriting and click-time analysis, AI-powered phishing detection, and — for mining companies where field workers may be less security-aware than corporate staff — targeted phishing simulation programs that build muscle memory for recognizing malicious messages. One click started a $150 million incident. Our goal is ensuring that click never results in payload execution.
The Numbers That Matter
| Metric | Norsk Hydro attack (2019) |
| --- | --- |
| Company | Norsk Hydro ASA (global aluminum producer) |
| Employees affected | 35,000 across 40 countries |
| Financial impact (Q1 alone) | NOK 800M (~CA$120 million) |
| Estimated total cost | NOK 1B+ (~CA$150 million+) |
| Production impact | 20-30% reduction; one division at 50% capacity |
| Recovery time | Months (full rebuild of IT infrastructure) |
| Ransom paid | $0 (Hydro refused to pay) |
| Initial access vector | Phishing email |
| Propagation method | Active Directory Group Policy abuse |
Key Takeaway
Norsk Hydro is the most expensive and most transparent ransomware incident in the mining and metals sector. It cost over $150 million, disrupted operations in 40 countries, and took months to fully recover from — all because a single phishing email delivered a payload to a network where Active Directory could deploy it globally and the IT/OT boundary wasn’t hardened enough to guarantee operational safety. For every Canadian mining and resource company: your SCADA systems, your processing controls, and your safety-critical infrastructure are one poorly segmented network away from this scenario. The question is whether you’ll invest in preventing it or in recovering from it.