Norsk Hydro probe shows slow international ransomware cases

The sprawling investigation involved eight countries, which led to authorities detaining a dozen suspects in Ukraine and Switzerland at the end of October.

An increase in the frequency and scope of ransomware attacks has prompted the United States and its allies to pledge to cooperate closely to track and stop ransomware groups and to discuss aligning rules for cryptocurrency, which hackers use to quietly obtain payments from their victims.

Nonetheless, the timeline of the Norsk Hydro case highlights the complex nature and often slow pace of international law enforcement investigations, which must meet strict legal requirements. In addition to Norway, Ukraine and Switzerland, the Norsk Hydro probe involved authorities from France, the Netherlands, Germany, the United Kingdom and the United States.

Now, prosecutors in Norway, France, the UK and Ukraine will assess the evidence gathered and decide what to do next.

“International police cooperation takes a long time,” said Knut Jostein Saetnan, a Norwegian prosecutor involved in the case.

When Norsk Hydro was hit in 2019, its operations around the world were halted as the company prepared to contain the ransomware. Norwegian investigators arrived at its offices to gather information on the hack.

Jo De Vliegher, then chief information officer of Norsk Hydro, said at the time that investigators discovered that hackers impersonated legitimate users on the company’s network to launch the ransomware.

The intruders entered the company’s system in December 2018 via an infected email that appeared to be from a business partner. The attackers disconnected employees from company systems, preventing them from working. Norsk Hydro said in March that the incident cost it between 800 million and 1 billion Norwegian kroner, which currently equates to between 90 and 112 million dollars.

Norsk Hydro’s tech and cybersecurity staff split into three groups in the wake of the attack. One worked to fix the issues caused by the hack, another did forensic work on how it happened, and the third focused on rebuilding the technology, said Halvor Molland.

Norsk Hydro gladly shared the findings of its internal investigation with Norwegian investigators, Molland said. Yet Norwegian authorities had to wait for Norsk Hydro to restore their systems before they could get much of the evidence from the company, said Mr Saetnan, the Norwegian prosecutor.

It became clear that the case would likely take years, he added.

Meanwhile, French investigators realized that a ransomware case they were working on was linked to the Norsk Hydro incident, and asked to combine the investigations, said Baudoin Thouvenot, a judge who represents France at Eurojust, the European agency which coordinates cross-border judicial work.

Eventually, more national authorities provided evidence from their jurisdictions.

At times, Norwegian authorities were told they had to wait to receive evidence because the criminal laws of some of the countries involved required a court order to share evidence, Saetnan said. This happens frequently in international affairs, he said.

“When it comes to cybercrime, we are in fact blind without the cooperation and information received from [other] countries,” he said.

Limited travel options amid the Covid-19 pandemic also slowed the case. Officials often met by videoconference, but discussed certain sensitive information only in person.

The collaboration ultimately led to police raids. In the early morning of October 26, Ukrainian police raided the homes of the suspects, apprehending 11. Swiss authorities made an arrest that day.

In The Hague, where Eurojust is based, Mr Thouvenot, the French judge, was on call from around 6 a.m. to 7 p.m. to help resolve any legal issues. In other international cases, Thouvenot said, police showed up at a suspect’s home to find that the person had left the country. In these cases, officials should quickly seek warrants and assistance in another jurisdiction. Nothing like that happened this time, he said.

Mr Saetnan, the Norwegian prosecutor, said he had spent the day at the Ukrainian Cybercrime Police Headquarters in Kiev, and had worked 13 or 14 hours, waiting to hear about seizures of evidence. Police confiscated more than $52,000 in cash, five luxury vehicles and several electronic devices, according to European police agency Europol. A video released days after the Ukrainian police raids showed authorities taking laptops, tablets, cellphones and money in US dollars and euros.

So far, Mr Saetnan said his office has only received some evidence obtained from the devices. Prosecutors have to make evidence requests under what are called mutual legal assistance treaties with other countries. The process can take months, sometimes longer, as the justice or police departments dealing with such requests are often late.

Mr De Vliegher, former IT director of Norsk Hydro, said he was relieved that suspects had been arrested. Police and businesses should “use this opportunity to better understand how these guys operate, understand their weaknesses and how similar groups could be found,” he said. Mr De Vliegher, who left Norsk Hydro in August, is an executive cybersecurity advisor at cyber risk management firm Istari Global Ltd., which has offices in Singapore, the UK and the US.

“It is very important that it leads to convictions and that it has a chilling effect on others,” he said. “We have to get to the point where cybercrime is punishable.”

This story was posted from a feed with no text editing
