Norwegian aluminum producer Norsk Hydro AS A waited 2½ years for police to apprehend people suspected of launching a crippling ransomware attack on the company in March 2019.

The sprawling investigation involved eight countries, leading authorities to detain a dozen suspects in Ukraine and Switzerland in late October.

An increase in the frequency and reach of ransomware attacks has prompted the U.S. and its allies to vow close cooperation to track and stop ransomware groups and discuss aligning rules on cryptocurrency, which hackers use to discreetly obtain payments from their victims.

Still, the timeline of the Norsk Hydro case highlights the complex nature and often slow pace of international law-enforcement investigations, which have to follow strict legal requirements. Besides Norway, Ukraine and Switzerland, the Norsk Hydro probe involved authorities from France, the Netherlands, Germany, the U.K. and the U.S.

Now, prosecutors in Norway, France, the U.K. and Ukraine will assess the evidence collected and decide how to proceed.

“International police cooperation is very, very time-consuming,” said Knut Jostein Saetnan, a Norwegian prosecutor involved in the case.

When Norsk Hydro was hit in 2019, its operations around the world were halted as the company moved to contain the ransomware. Norwegian investigators arrived at its offices to gather information about the hack.

Jo De Vliegher, then Norsk Hydro’s chief information officer, said at the time that investigators figured out the hackers had posed as legitimate users on the company’s network to launch the ransomware.

The intruders entered the company’s system in December 2018 through an infected email that appeared to come from a business partner. Attackers logged employees out of company systems, making it impossible for them to work. Norsk Hydro said in March that the incident cost it between 800 million and 1 billion Norwegian kroner, currently equivalent to between $90 million and $112 million.

Technology and cybersecurity staff at Norsk Hydro split into three groups following the attack. One worked to fix problems caused by the hack, another did forensic work into how it occurred and the third focused on rebuilding technology, said spokesman Halvor Molland.

Norsk Hydro readily shared conclusions from its internal investigation with Norwegian investigators, Mr. Molland said. Still, authorities in Norway had to wait until Norsk Hydro restored its systems before they could obtain much of the evidence from the company, said Mr. Saetnan, the Norwegian prosecutor.

It became clear the case would likely take years, he added.

Meanwhile, French investigators realized a ransomware case they had been working on was linked to the Norsk Hydro incident, and asked to combine the probes, said Baudoin Thouvenot, a judge who represents France at Eurojust, the European agency that coordinates cross-border judicial work.

Eventually, more national authorities contributed evidence from their jurisdictions.

During certain points, Norwegian authorities were told they had to wait to receive evidence because criminal laws in some of the countries involved required a court decision to share evidence, Mr. Saetnan said. That happens frequently in international cases, he said.

“When it comes to cybercrime, we’re actually blind without the cooperation and information received from [other] countries,” he said.

Limited travel opportunities amid the Covid-19 pandemic also slowed the case. Officials often met over videoconference but would discuss some sensitive information only in person.

The collaboration eventually led to police raids. In the early morning of Oct. 26, police in Ukraine swept into the homes of suspects, apprehending 11. Swiss authorities made one arrest that day.

In The Hague, where Eurojust is based, Mr. Thouvenot, the French judge, was on call from 6 a.m. to about 7 p.m. to help with any legal problems. In other international cases, Mr. Thouvenot said, police have shown up at a suspect’s home to discover the person has left the country. In those cases, officials must quickly seek warrants and assistance in another jurisdiction. Nothing like that happened this time, he said.

Mr. Saetnan, the Norwegian prosecutor, said he spent the day at the Ukrainian police’s cybercrime headquarters in Kyiv, and worked for 13 or 14 hours, waiting to hear about seizures of evidence. Police confiscated more than $52,000 in cash, five luxury vehicles and several electronic devices, according to European police agency Europol. A video posted days after the raids by Ukrainian police showed authorities taking laptops, tablets, cellphones and cash in U.S. dollars and euros.

So far, Mr. Saetnan said his office has received only some evidence obtained from the devices. Prosecutors must make evidence requests under so-called mutual legal assistance treaties with other countries. The process can take months, sometimes longer, because justice or police departments handling such requests are often backlogged.

Mr. De Vliegher, Norsk Hydro’s former CIO, said he is relieved that suspects have been caught. Police and companies should “use this opportunity to understand better how these guys operate, understand their weaknesses and how similar groups could be found,” he said. Mr. De Vliegher, who left Norsk Hydro in August, is a cybersecurity executive adviser at cyber-risk management company Istari Global Ltd., which has offices in Singapore, the U.K. and U.S.

“It’s very important this leads to convictions and it’s a deterrent for other people,” he said. “We have to get to the point where cybercrime is punishable.”


This article was first published on 23 November 2021 by The Wall Street Journal PRO Cybersecurity.