Hack in practice: The NotPetya attack on Maersk


By Terrence Risse
March 3, 2023

In this series, I will periodically focus on a hack in practice. Each time, I will investigate an event, highlight it, and most importantly, discuss what we can learn from it. This is not only informative for the general public, but also offers me the opportunity to learn more about the security field. After all, the best defense is a good offense!

In this first article, I want to kick off with the 'NotPetya attack' from 2017, which may be familiar to many.

The Wired article reads like a movie. What started as a normal day at Maersk's headquarters in Copenhagen quickly turned into a nightmare when the company's systems were held hostage by a ransomware attack.

The attack quickly spread through Maersk's systems, causing the company's operational activities to come to a standstill. Ships could no longer be loaded or unloaded, terminals were out of order, trucks were idle, and communication systems were shut down. It took weeks for Maersk's systems to become fully operational again.

The costs of the attack were enormous. Maersk estimated the damage at almost $300 million. In addition to the direct costs of restoring the systems and the loss of income during the attack, the attack also damaged customers' and investors' trust in the company.

What is NotPetya?

As the name suggests, NotPetya refers to Petya, which was discovered in 2017 and has a lot in common with the well-known ransomware 'WannaCry'. The big difference, however, is that the group behind NotPetya was not out to make money, but to cause as much damage as possible. NotPetya therefore resembles a wiper more than ransomware, because the data was effectively destroyed rather than held for ransom.

How did they get in?

The NotPetya virus likely entered Maersk's systems through a so-called 'Supply Chain Attack', by means of a software update from a Ukrainian tax accounting program called M.E.Doc, which was widely used by companies in Ukraine. The attackers compromised M.E.Doc's software update mechanism and injected the NotPetya virus into the legitimate update, which was then spread to all users of the program. Since Maersk's Ukrainian branch also used M.E.Doc, the virus could infiltrate their systems when they installed the update. Once inside, the virus quickly spread through Maersk's global network, encrypting files and rendering the company's systems unusable.

How did it spread?

The NotPetya virus spread quickly over Maersk's network for several reasons:

  • First, the virus was designed to spread through security vulnerabilities in Windows, allowing it to replicate and spread itself without human intervention. This was mainly done using server message block (SMB) vulnerabilities, namely those addressed by the MS17-010 security update (CVE-2017-0144 and CVE-2017-0145).

  • Second, the virus used stolen login credentials from infected machines to gain access to other computers on the network.

  • Third, Maersk's systems were poorly secured, making it easier for the virus to gain access to other parts of the network.
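The second and third points above describe a pattern a defender can look for: one set of stolen credentials logging on to many hosts in a short time across an unsegmented network. The following is an added example, not code from the article or from Maersk, that flags that fan-out from Windows Security event 4624 (successful logon) records with logon type 3 (network logon); the log lines and their CSV layout are constructed for the example.

```python
# Added example (not the article's code): flag credential-reuse fan-out from
# Windows Security 4624 logon events. The log lines below are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CSV export (assumed layout):
# timestamp,event_id,logon_type,account,source_host,target_host
SAMPLE_LOG = """\
2017-06-27T10:00:01,4624,3,svc_backup,WS-0421,FS-01
2017-06-27T10:00:03,4624,3,svc_backup,WS-0421,FS-02
2017-06-27T10:00:04,4624,3,svc_backup,WS-0421,HR-DB
2017-06-27T10:00:06,4624,3,svc_backup,WS-0421,DC-01
2017-06-27T10:00:07,4624,3,svc_backup,WS-0421,FIN-APP
2017-06-27T10:00:09,4624,2,jdoe,WS-0102,WS-0102
2017-06-27T10:05:00,4624,3,jdoe,WS-0102,FS-01
2017-06-27T11:30:00,4624,3,jdoe,WS-0102,PRINT-01
"""

def parse_events(text):
    """Yield (time, account, target_host) for 4624 network (type 3) logons."""
    for line in text.strip().splitlines():
        ts, event_id, logon_type, account, _src, target = line.split(",")
        if event_id == "4624" and logon_type == "3":
            yield datetime.fromisoformat(ts), account, target

def find_fan_out(text, max_hosts=4, window=timedelta(minutes=2)):
    """Return {account: sorted target hosts} for every account that reached
    more than max_hosts distinct hosts inside any sliding window of `window`.
    Interactive logons (type 2) are ignored; a normal user touching a file
    server and a printer over an hour stays below the threshold."""
    by_account = defaultdict(list)
    for ts, account, target in parse_events(text):
        by_account[account].append((ts, target))
    flagged = {}
    for account, events in by_account.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            hosts = {t for _, t in events[start:end + 1]}
            if len(hosts) > max_hosts:
                flagged[account] = sorted(hosts)
                break
    return flagged

if __name__ == "__main__":
    for acct, hosts in find_fan_out(SAMPLE_LOG).items():
        print(f"ALERT: {acct} reached {len(hosts)} hosts within 2 min: {hosts}")
```

Tune `max_hosts` and `window` to the baseline of legitimate service accounts (backup and monitoring accounts fan out by design), and allowlist those explicitly rather than raising the threshold for everyone.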

How was it resolved?

In the first days after the attack, Maersk switched to manual processes to continue serving its customers. This meant that office staff resorted to pen and paper to process all transactions and customer requests. This was a huge challenge and required a lot of patience and dedication from the staff.

Maersk then brought the affected IT systems back online through backups and rebuilding the systems. This was a lengthy and complicated process, with every application and database needing to be checked and restored.

Maersk has also invested heavily in strengthening its cybersecurity. They have redesigned their IT infrastructure and improved their security measures to prevent a similar attack from happening in the future.

It took months for Maersk to fully recover from the NotPetya attack, but the company has learned from the experience and has taken steps to strengthen its cybersecurity since then.

What can we learn from it?

Below are some of the key lessons that can be drawn from the attack. However, it is important to note that these are not all the lessons that can be learned from this situation. For me personally, these are the most important lessons.

  • Patch management: Maersk has admitted that its patch management was not in order, leaving them vulnerable to the NotPetya attack. Although the company had regularly installed software updates and patches in the past, it had not installed the patch for the specific vulnerability that NotPetya used. This made their systems vulnerable to attacks.

  • Backups: Maersk had made backups of its systems, but they were not up-to-date and were not kept in an isolated location. This made the recovery process after the attack more difficult and time-consuming than it should have been.

  • Network segmentation: Maersk had not properly segmented its network, allowing the attacker to move from one system to another and cause damage to multiple systems and departments.

  • Software integrity: Although it is not 100 percent certain, it is possible that NotPetya was delivered through a forged software update. This highlights the importance of verifying the authenticity of software and ensuring that it is downloaded from a trusted source.

Although it is easy to blame Maersk for not being able to stop the attack, it is important to recognize that cybercrime is a growing problem that affects businesses of all sizes. It is impossible to fully protect yourself from such attacks, but there are always steps you can take to better protect yourself.

We can all learn from Maersk's situation and become aware of the serious threat that cybercrime poses to businesses and individuals. Instead of blaming, we need to work together to find better ways to protect ourselves and improve our ability to respond to future attacks. With a coordinated and joint effort, we can all contribute to creating a safer digital environment.
