Close this search box.

Throwback Attack: How NotPetya Ransomware Took Down Maersk

Courtesy of Brett Sayles

In 2017, one of the most widespread and devastating cyberattacks was perpetrated against worldwide shipping giant Maersk. It started on a quiet afternoon in June, when staffers began seeing messages advising them that their file systems were being repaired, while others received the message that their important files had been encrypted. A payment of $300 in bitcoin was demanded for the encryption key.

This set off a panic in Maersk headquarters; entry systems and phone networks had been rendered useless by the apparent malware spreading rapidly throughout the company’s network and beyond. By the end of the day, their networks had been so deeply corrupted that the company simply shut down. This was no small feat, however; Maersk is a global shipping titan, responsible for 76 ports around the globe, more than 800 vessels carrying all manner of goods and about one-fifth of global trade. This entire enterprise was brought to its knees by a mystery malware that had spread to every Maersk location across the globe and Maersk wasn’t even the target.

Sandworm, the NotPetya Attack, and Ukraine

Since 2012, Ukraine and Russia had been slugging it out in an undeclared war that served as a proving ground for Russia’s cyberwarfare tactics. A group of Russian hackers called Sandworm had thoroughly compromised the Ukrainian government and dozens of Ukrainian companies. The attackers were firmly entrenched in the networks and systems of the most vital and critical infrastructure in the country. Among the atrocities perpetrated at the behest of the Russian government, Sandworm installed malware in the power grid, which was periodically activated to do the most damage and demoralize the populace. A perfect example of this was shutting down the grid in the middle of the winter. Massive amounts of data were destroyed outright in a series of malicious attacks on Ukrainian businesses, particularly banks.

One way the Russians were able to apply such a broad and sweeping campaign of destruction was through the compromise of the Linkos Group, a small software firm that markets an accounting software package called M.E.Doc. This software was used by nearly everyone who did business in the Ukraine and gave Sandworm a vast attack surface to work with. Sandworm ad hijacked the firm’s update servers early in 2017, and this gave them back-door access to the thousands of computers running M.E.Doc.

That June, Sandworm released a particularly vicious cyberweapon called NotPetya, which spread rapidly and automatically. The code was indiscriminate in whom it attacked; it was designed to do the largest amount of damage as quickly as possible and with the widest swath of destruction. The ransomware spread so quickly and effectively that once the message popped up on a screen, the damage was already extensively complete.

NotPetya was comprised of two major elements: a penetration tool called EternalBlue, created by the National Security Agency (NSA) and leaked in early 2017, and Mimikatz, a software application that had the ability to pull user passwords out of RAM and reuse them to compromise targeted machines. While Microsoft had issued a patch for EternalBlue, Mimikatz allowed for the retrieval of passwords, which, in turn, allowed those passwords to infect unpatched machines anywhere in the world.

The origin of the name — called NotPetya by Kaspersky to differentiate it from the Petya strain — is also an indicator of the intent of its designers. Petya is a ransomware package that was used to extort money from compromised users in exchange for a decryption key. NotPetya was not “legitimate” ransomware; its intent was purely destructive. Any ransom payment was wasted. There was no decryption key for the destroyed data. Sandworm had targeted only Ukraine with NotPetya, but the effects achieved affected the entire world.

First Maersk, then the world

Within hours of NotPetya’s release, the malware had raced around the world and infected countless computers. Victims included FedEx’s European subsidiary, TNT Express; several French companies; a hospital in Pennsylvania; the pharmaceutical company Merck; and, of course, Maersk. The radiation monitoring system at the Chernobyl Nuclear Plant went offline. The infection even spread back to Russia, corrupting state oil company Rosneft. The attack resulted in damages of about $10 billion.

“It was the equivalent of using a nuclear bomb to achieve a small tactical victory,” said Tom Bossert, White House homeland security advisor at the time. It was completely reckless to a degree that should not be tolerated by the community of nations. This was cyberwarfare at its worst, where a nation-state exploits the lack of national borders on the internet and has a callous disregard for human life. What amounted to a political attack on a rival state became an attack on the rest of the world. The strike was aimed at Ukraine, but also hit Maersk, which, in turn, affected the rest of the world.

The back door Sandworm exploited had existed for several weeks in Linkos’ servers prior to activation of the attack. Linkos denied they were the perpetrators of the attack, complaining that they were also victims. In July 2017, Ukraine’s cybercrime unit seized servers from Intellect Services, the company that produces the M.E.Doc software.

Analysis of the servers showed that they had not been updated for at least four years, and security patches were nonexistent. There was evidence of Russian presence in the servers, and several employees’ accounts had been compromised. Intellect Services subsequently closed the back doors into the software, and state prosecutors promised the company would be held to account for the vast damage caused by their lax security procedures.

Maersk is dead in the water

It turns out one single infection was responsible for the Maersk compromise. M.E.Doc had been installed on a company computer in Odessa, a Ukrainian port city on the Black Sea. This was all NotPetya needed to infect the entire system. Across the globe, port facilities shut down, and tens of thousands of truckloads of goods were turned away. Maersk’s entire booking system went down, as well as the complex loading systems used to systematically load container ships to avoid capsizing them. Maersk was dead in the water.

An incident response team was assembled, and an emergency recovery center was put together in Great Britain to mitigate and recover from the NotPetya attack. This was a global effort and required hundreds of staffers working 24/7 to rebuild the network. All computer equipment was confiscated, and new computers were obtained and then distributed to recovery personnel. Staff began rebuilding servers from the ground up. However, this effort came to a grinding halt when it was realized that there was no clean backup of the company’s domain controllers.

A domain controller is a server that responds to requests for user authentication and verification. Domain controllers check usernames and passwords, or other access credentials, to allow or deny user access to network resources. Without a working domain controller, the network is a collection of disparate servers and data that can only be accessed locally. Maersk had about 150 domain controllers throughout its global system that would have ordinarily been able to sync with one another and, thereby, become a backup for a compromised or damaged server. This is an effective and decentralized backup strategy that would have allowed for quick recovery from a localized event; however, no one had visualized a scenario where all the company’s domain controllers were wiped out in a massive attack. If the domain controllers couldn’t be recovered, it was unlikely anything could.

Maersk staffers finally found one pristine backup in their Ghana office. By a stroke of luck, a blackout had knocked the server offline prior to the NotPetya attack, disconnecting it from the network. It contained a single clean copy of the company’s domain controller data, and its discovery was a source of great relief to the recovery team.

Getting the data to the recovery center was a story in itself. The public network infrastructure in Ghana left much to be desired, and the available bandwidth was very low. The backup was several hundred gigabytes of data, and it would take days to transmit it to the recovery center. The next option was to put a staffer on a plane from Ghana to London, but none of the staffers had a British visa. The next scheme was to fly the staffer to Nigeria to meet a Maersk employee and hand over the hard drive personally. That Maersk employee then got back on a plane for the six-and-a-half-hour flight back to Heathrow.

The recovery team began bringing up Maersk’s core services, concentrating on port services. Key to this was the ability to read a ship’s inventory — each ship has 18,000 containers — and determine what was where and where it was bound for. The booking system came back online sometime later, but it would be at least two weeks before port facilities began operating normally again. After that, the recovery team began issuing clean laptops and computers to staff members. Everything the employees had loaded on their machines was gone; the hard drives were wiped and new, clean copies of Windows were installed.

The future of cyberwarfare

When it was all over, Maersk estimated that NotPetya had cost the company between $250 million and $300 million, though many believe this number was on the low side. Costs down the line were also significant; trucking companies lost tens of millions of dollars, TNT Express lost about $400 million and Merck lost a staggering $870 million. The disruption to the global supply chain, of which Maersk is a major component, was extensive, and losses accumulated into the billions.

The Maersk incident was an expensive and significant wake-up call. It pointed to the need for education and diligence in promoting and practicing cyber hygiene and instituting robust cyber defenses. NotPetya was a glimpse into what cyberwarfare could be. Without preparedness on every level, no one is safe from the sort of damage this malware caused.




Keep your finger on the pulse of top industry news