$10 billion lost, a global supply chain crippled, and a miracle mistake: A NotPetya primer — cyberattack of the century


If it hadn’t been for Somali pirates, Navy SEALs or the Tom Hanks movie Captain Phillips, chances are you wouldn’t have heard of A.P. Moller–Maersk Group, or ‘Maersk’ for short. It’s one of those companies content to work in the background, unnoticed and unknown, while at the same time fueling the entire world economy. It’s one of the largest intermodal logistics companies in the world: it owns a gargantuan container shipping fleet, controls dozens of international ports, owns countless containers, and has its hands in the landside ground transport of those containers, too. If the worldwide supply chain were a bank, Maersk would be the one entity too big to fail — the entire system depends on it. And on one nightmare day in the spring of 2017, Russian hackers unleashed the most devastating cyberattack in the history of the Internet — NotPetya — and brought the entire global supply chain to a grinding halt, costing companies $10 billion in losses, all while war-games-testing their newest cyberweapon on digitally besieged Ukraine.

And it all started with one computer that didn’t even belong to Maersk, and Maersk’s ass was saved by a miracle mistake on another lone computer in Ghana. Buckle up.

Testing ground for cyberwar of the future — Ground Zero for NotPetya

In a brilliant and riveting excerpt from his forthcoming book Sandworm, Andy Greenberg lays out the scene in Wired:

“For the past four and a half years, Ukraine has been locked in a grinding, undeclared war with Russia that has killed more than 10,000 Ukrainians and displaced millions more. The conflict has also seen Ukraine become a scorched-earth testing ground for Russian cyberwar tactics.”

In Ukraine, most individuals or businesses who file taxes use the Ukrainian equivalent of TurboTax, called M.E.Doc (no relation to the actual Intuit product, just using that as a frame of reference). A small, family-run business called Linkos Group handles the bug fixes, security patches, and new feature pushes for M.E.Doc, and Linkos eventually became ground zero for NotPetya, the most vicious malware ever unleashed.

“Unbeknownst to anyone at Linkos Group, Russian military hackers hijacked the company’s update servers to allow them a hidden back door into the thousands of PCs around the country and the world that have M.E.Doc installed. Then, in June 2017, the saboteurs used that back door to release a piece of malware called NotPetya, their most vicious cyberweapon yet.”

Wired’s writers have long contended that Russia has been honing its cyberwarfare chops on proximate ‘combatants’ like Estonia and Ukraine, building toward a ruthless and ruthlessly efficient warfare of tomorrow. The DNC hack was child’s play compared to NotPetya.

I strongly recommend you read the entire Wired piece, if for no other reason than it’s fascinating and riveting storytelling. But the takeaways for business owners are stark and proscriptive.

What it was, how it happened and why it matters

Maersk wasn’t the actual target of the attack — the malware simply attacked indiscriminately and mercilessly.

“To date, it was simply the fastest-propagating piece of malware we’ve ever seen,” says Craig Williams, director of outreach at Cisco’s Talos division, one of the first security companies to reverse engineer and analyze NotPetya. “By the second you saw it, your data center was already gone.”

And in a twisted turn of fate, the malware wasn’t even designed to extract a ransom — its only intent was anarchy:

“NotPetya took its name from its resemblance to the ransomware Petya, a piece of criminal code that surfaced in early 2016 and extorted victims to pay for a key to unlock their files. But NotPetya’s ransom messages were only a ruse: The malware’s goal was purely destructive. It irreversibly encrypted computers’ master boot records, the deep-seated part of a machine that tells it where to find its own operating system. Any ransom payment that victims tried to make was futile. No key even existed to reorder the scrambled noise of their computer’s contents.”

But even though Maersk wasn’t the target, it saw 9-figure damages and a complete decimation of their digital supply chain oversight, all because one finance executive in Odessa, Ukraine — you read that correctly, one lonesome computer — wanted M.E.Doc installed on his local machine. And it brought the entire shipping goliath’s IT system down.

But like any multinational corporation, Maersk had a backup plan in place (in theory). Except there was just one problem — their backup plan didn’t account for a scenario as dire as NotPetya:

They had located backups of almost all of Maersk’s individual servers, dating from between three and seven days prior to NotPetya’s onset. But no one could find a backup for one crucial layer of the company’s network: its domain controllers, the servers that function as a detailed map of Maersk’s network and set the basic rules that determine which users are allowed access to which systems.

Maersk’s 150 or so domain controllers were programmed to sync their data with one another, so that, in theory, any of them could function as a backup for all the others. But that decentralized backup strategy hadn’t accounted for one scenario: where every domain controller is wiped simultaneously. “If we can’t recover our domain controllers,” a Maersk IT staffer remembers thinking, “we can’t recover anything.”
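The distinction the passage above draws, between domain controllers that replicate to one another and a copy that can actually be restored after every live peer is wiped at once, can be expressed as a check over a backup inventory. This is an added illustration, not code from Maersk, Wired or this post; the system names, copy kinds and recovery window are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Copy kinds. A "replica" is a live peer that syncs continuously (the domain
# controllers in the story); only "offline" and "immutable" copies are counted
# as backups, because a wiper that reaches every live peer reaches every replica.
RESTORABLE_KINDS = {"offline", "immutable"}

@dataclass(frozen=True)
class BackupCopy:
    system: str         # system the copy belongs to
    kind: str           # "replica", "offline" or "immutable"
    taken_at: datetime  # when the copy was made

def coverage_gaps(systems, copies, now, rpo):
    """Return {system: reason} for every system with no restorable copy
    younger than `rpo` (tolerated data loss); covered systems are omitted."""
    gaps = {}
    for system in systems:
        mine = [c for c in copies if c.system == system]
        restorable = [c for c in mine if c.kind in RESTORABLE_KINDS]
        fresh = [c for c in restorable if now - c.taken_at <= rpo]
        if fresh:
            continue  # at least one offline/immutable copy inside the RPO
        if not mine:
            gaps[system] = "no backup of any kind"
        elif not restorable:
            gaps[system] = "only live replicas (wiped together with the source)"
        else:
            newest = max(c.taken_at for c in restorable)
            gaps[system] = f"offline copy stale: {(now - newest).days} days old"
    return gaps

# Constructed sample inventory (hypothetical names, not Maersk's systems).
NOW = datetime(2017, 6, 27, 12, 0)
RPO = timedelta(days=7)
SYSTEMS = ["file-01", "dc-01", "dc-02", "erp-db"]
COPIES = [
    BackupCopy("file-01", "offline", NOW - timedelta(days=4)),
    # the domain controllers only replicate to each other
    BackupCopy("dc-01", "replica", NOW - timedelta(minutes=5)),
    BackupCopy("dc-02", "replica", NOW - timedelta(minutes=5)),
    # an offline copy exists but is older than the tolerated data loss
    BackupCopy("erp-db", "offline", NOW - timedelta(days=12)),
]

def sample_gaps():
    return coverage_gaps(SYSTEMS, COPIES, NOW, RPO)
```

Run against a real inventory, any system whose only entries are replicas is a system that has no backup in the sense that mattered at Maersk.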

Spoiler alert — if you plan on reading the entire story, stop here and do so before I ruin the punchline.

Alright, if you’re still with me, the craziest part of this story is where the only domain controller not wiped by NotPetya turned up: Maersk IT found it in Ghana, on one machine in a minor outpost of the company. It only survived because a power outage had shut the machine down, and it remained off until after the malware had swept through Maersk’s systems like wildfire. A miracle mistake literally saved Maersk’s entire network.

Other companies weren’t so lucky — pharmaceutical giant Merck lost almost a smooth billion in the breach. And it all underlines how indispensable enterprise-grade cybersecurity really is. You don’t even have to make an egregious error to fall victim to complete digital immolation — just being tangentially connected to the wrong third-party servicing company could open you up to risks this disastrous. That’s why secure backups, stored separately and safeguarded religiously, are the lifeblood of the modern security strategy.

That’s where we come in.

While all this makes for great reading, it doesn’t mean much to a small business if you can’t protect yourself from this sort of attack. We take the stress and uncertainty off your plate so you can focus on running your business, while we focus on keeping that business digitally safe.