Oslo police officers sprinted between buildings carrying hard drives on foot after a ransomware attack paralyzed Norsk Hydro in March 2019. The move came as investigators scrambled to secure evidence before hackers could erase traces of their intrusion. Police sources confirmed the disks contained logs and network snapshots critical to tracing the digital footprint left by the attackers.
A new study by Kripos, Norway’s national criminal investigation service, reveals how forensic teams pieced together the timeline of the attack. The research shows officers disconnected servers and workstations within hours of detecting the breach. Their immediate goal was to prevent data destruction while preserving the chain of custody for legal proceedings.
The attack deployed the LockerGoga ransomware, which encrypted files across Hydro’s global operations. Production lines halted in plants from Norway to Brazil, costing the aluminum giant an estimated $71 million in lost output and recovery costs. Investigators later linked the malware to a Russian cybercrime group known as Gold North.
Kripos’ report details how police coordinated with Hydro’s IT team to map the spread of the infection. They identified the initial access point as a compromised user account. Within 24 hours, officers had secured over 50 devices across Oslo and Porsgrunn, including executive laptops and factory control systems.
The study underscores the challenges of responding to supply chain attacks in critical infrastructure. It also highlights the need for rapid physical evidence collection when digital trails are at risk of being wiped.
Source: digi.no