Hydro, Data Attack | Kripos believes it has cleared up the Hydro attack – has the identities of a number of suspects

Hydro, Data Attack | Kripos believes it has cleared up the Hydro attack – has the identities of a number of suspects
Hydro, Data Attack | Kripos believes it has cleared up the Hydro attack – has the identities of a number of suspects

– We believe that the case is essentially cleared up, in the sense that we roughly know what, how and who was behind it. But the case is still not over. Conviction is the goal. We are working to apprehend several key perpetrators. The goal is to have the cases brought to court in Ukraine and Switzerland, said operational prosecuting attorney Knut Jostein Sætnan on the Hydro case in Kripos during a seminar on Thursday.

A total of 56 suspects have so far been named and mapped – among them money launderers, cryptocurrency players who in such cases contribute to the mixing, exchange and payment of cryptocurrency.

Think they know who was behind it

The police believe they have identified five men who actually carried out the attack itself. It had been going on for three and a half months when an infected attachment in an e-mail hit brutally.

– These are the people we believe are grounds for prosecution for having carried out the attack, says Sætnan.

In addition, a handful of people are suspected of having contributed, by, among other things, having supplied services, malware and infrastructure that made the attack possible. These are people “with a clear criminal intention” who have had contact with the people that Kripos believes are central to the case.

Ransom demanded

Four years after the alarm went off at Hydro on Vækerø and at Kripos on Helsfyr, Sætnan was able to tell about the meticulous investigation that has led to the identification of a number of suspected perpetrators in Ukraine, as well as one Ukrainian resident in Switzerland. The spectacular ransom case paralyzed all digital communication and activity in Hydro for months in the spring and summer of 2019.

– This started in one of our factories in the USA. Subsequently, the virus has spread throughout the organization and affected several parts of the business both in the US and Europe, Hydro’s CFO Eivind Kallevik told NTB on the same day that the attack was a fact.

At the same time as the ransomware encrypted the files in Hydro’s worldwide computer system, the perpetrators demanded a ransom in exchange for the decryption key. The amount was to be paid in Bitcoin. Hydro management was to find out the size of that by contacting the perpetrators.

Only last autumn were the police able to hand over the encryption keys to Hydro. They were extracted from the servers of the person who lived in Switzerland.

Ukraine was the epicenter

– We quickly realized that Ukraine was an epicenter in this case, and that we had to get there in order to progress in the investigation, says Sætnan.

Two and a half years after the attack on Hydro, ten officials from Kripos campaigned on 26 October 2021. Together with 45 foreign and a hundred Ukrainian police officers, they entered 14 addresses in Ukraine and one in Switzerland.

The cyber unit at Kripos, NC3, led the investigation, which has taken place in collaboration with the police in France, Great Britain, Ukraine, as well as the United States, the Netherlands and Switzerland. The action in October two years ago resulted in Kripos taking 88 servers back to Norway to be analyzed in connection with the investigation.

– The case is still under investigation and there is a lot of work to be done. Among other things, we are working to arrest several perpetrators. The goal is to get convictions in Ukraine and Switzerland, Sætnan emphasizes.

The organized criminals behind the attack are suspected of being behind similar data attacks against 1,800 individuals and businesses in a total of 71 countries. After the action in 2021, several encryption keys were extracted, so that businesses that have been affected can get help to unlock the encryption and gain access to their data again. We are talking about both Norwegian and international businesses, according to Kripos.


  • Hydro discovered around midnight on the night of Tuesday 19 March that the company had been hit by a ransom virus. These encrypt information in companies’ computers, and demands are made for money to “unlock” the information again.
  • The attack first hit a business in the US, and it spread from there to other parts of the organization in the US and Europe. During Tuesday, the company succeeded in isolating all its factories and thereby minimizing the risk of further spread.
  • The virus knocked out the company’s global network, and the company had to use backup solutions for communication and administrative tasks in several places.
  • As a result of the computer attack, Hydro had to shut down production at some of the facilities that deal with “extruded solutions” and “rolled products”.
  • The aluminum works in Norway operated as normal, but with a higher degree of manual operation. Operations at Hydro Sunndal were also affected. The aluminum works outside Norway were not affected.

(© NTB)

also read

Parts of Hydro still at half-time after the data attack

also read

Hydro affected by encryption virus: Started at a factory in the USA

The article is in Norwegian

Tags: Hydro Data Attack Kripos believes cleared Hydro attack identities number suspects


PREV The war in Ukraine – Black Sea
NEXT Sophie Elise retires from the podcast with Fetisha Williams