LockerGoga suspected in attacks on two chemical plants - echoes of Norsk Hydro incident

News by Bradley Barth

Echoes of the Norsk Hydro attack in the ransom note, and suspected LockerGoga, at two US chemical companies hit by an unspecified network security incident that blocked access to certain IT systems and data.

Just days after a ransomware attack disrupted operations at Norwegian aluminium company Norsk Hydro, two US-based chemical companies last Friday disclosed that they were affected by an unspecified network security incident that blocked access to certain IT systems and data.

Reports suggest the incidents could be the work of LockerGoga, the same malicious encryption program that infected Norsk Hydro on 18 March.

Columbus, Ohio-based Hexion, which specialises in thermoset resins, and Waterford, NY-based MPM Holdings Inc (aka Momentive), which deals in silicones and advanced materials, both issued press releases on 22 March, acknowledging the attacks. Hexion and Momentive are controlled by the same public equity firm, Apollo Global Management.

Citing an anonymous current employee, Motherboard reports that the attacks against Hexion and Momentive happened on 12 March, six days before Hydro was hit. The report also says the language used in the ransom note received by Momentive was identical to that used in the LockerGoga attack that followed.

In their respective releases, both US companies say that they have implemented their response and recovery plans, emphasising that the attack impacted primarily their corporate networks, with minimal interruptions to their manufacturing operations.

"When it discovered the incident, Hexion immediately took aggressive steps to isolate the issue by disabling certain systems and notifying the appropriate government authorities," the Hexion release states. This includes email systems, which were shut down for containment, the release explains.

Meanwhile, Momentive says in its release that the company "is working closely with external cyber-security experts to restore its affected information technology systems," adding that it will "continue to invest in information technology security to detect and minimise the risk of unauthorised activity, and ensure that it can continue providing specialised products and services to its global customers and suppliers."

Without specifying details, both companies say they have taken "additional precautionary measures to ensure the continued safe operations of its sites." They also say there is no evidence that any customer, supplier or employee information was impacted.

This article was originally published on SC Media US.
