The 3am call: how one senior leader responded to a serious cyber attack

How strong planning and a dedicated workforce helped Norsk Hydro recover from a catastrophic cyber attack - and why "cyber shame" is hindering business' response.

by Samir Jeraj

Halvor Molland was woken up at around 3am. Norsk Hydro, the senior vice-president’s company, was under a “massive” cyberattack launched three hours earlier.

When he arrived at the office and made his way to their meeting room, he saw handwritten signs around the office saying, “We're under a massive cyberattack, do not turn on your computer!” “Then we realised that the entire network in the company was shut down,” he says.

As a member of senior leadership, and the corporate emergency team, Molland’s actions over the next few hours, days and weeks could decide the fate of the 35,000-strong renewable energy and aluminium manufacturing company. “I think most organisations would train for this scenario and hope that they never experienced it,” he says.

Because they had trained for it, Halvor and his colleagues could follow the plans they had developed and take the immediate steps that needed to happen, rather than being overwhelmed by the scale of the emergency. The entire network had been compromised. Not a single employee across the 40 countries they operated in could access the network, turn a computer on, or even print – hence the written signs. Staff had to rely on contacts saved in personal phones or WhatsApp groups to communicate.

“The first few hours and the first day or so it's a bit chaotic, but then you start working and the creativity is coming alive,” Molland says. The damage, however, was catastrophic. Production capacity in its largest business area employing 23,000 people had halved overnight. Molland and his team were having to handle the attack, customers, suppliers and employees.

“We couldn't pay our suppliers. We couldn't print the shipping orders or shipping information to the customers,” he says. The team was methodical, prioritising the health and wellbeing of staff first to ensure they could work safely.

“We had the luxury of having a backup and that was how we recovered,” Molland says. Norsk Hydro enlisted the help of former employees who had worked using paper-based methods to keep its manufacturing side going, fulfilling simpler orders and ensuring the business was continuing.

The IT team split into three groups, one to look at what had happened, a second to focus on recovering the system from backups, and the third to design a new system that could not be compromised in the same way.

“I think any company should have a plan and train for the event of a cyber attack,” Molland says. In Norsk Hydro’s case, it was a single malicious email sent from a customer to an employee that gave them access to the network. However, to him that is less important than ensuring regular training and systems to prevent an attack, and a plan to recover.

It took Norsk Hydro six to eight weeks to get back to “fairly normal” operations, three months for the incident to be declared over, and another six months to fully clean up.

Sign in to continue

Sign in

Trouble signing in?

Reset password: Click here


Call: 020 8267 8121



  • Up to 3 free articles every 90 days
  • Free email bulletins

Register Now

Take a free trial

Get 30 days unrestricted access to:

  • All the latest news, trends, and developments.
  • Exclusive interviews with CEOs and thought-leaders
  • MT Classroom - giving you an academic grounding without expensive courses
  • Management Matters and other in-depth content.
  • Daily bulletins straight to your inbox

Take a free trial today