Maersk Reinstalled “Entire Infrastructure” After NotPetya

29 Jan 2018 - Around the Web

The ultimate financial impact of the NotPetya ransomware outbreak on the shipping giant Maersk, the logistics firm TNT, and the pharmaceutical giant Merck will go down in the annals of worst-case cyberattack scenarios. It’s not totally clear how much the ransomware ended up costing these and other companies, but numerous sources estimate that Maersk alone has paid upwards of $300M to remediate the problems caused by NotPetya.

Maersk chairman Jim Hagemann Snabe shed light on some of what that whopping $300M may have paid for in a panel discussion at the World Economic Forum last week.

“We basically found that we had to reinstall our entire infrastructure,” Snabe said in the panel discussion (embedded below). “We had to install 4,000 new servers, 45,000 new PCs, 2,500 applications, and that was done in a heroic effort over ten days.”

It’s impossible to know for certain how the NotPetya attacks played out on Maersk’s network, but, if the commonly held narrative holds true for Maersk, then attackers compromised the update server of a then-obscure Ukrainian accounting software company called M.E.Doc. The compromised update server then pushed out poisoned versions of the M.E.Doc software to the machines on which it was installed, versions that contained the NotPetya ransomware and a well-known server message block (SMB) exploit called ETERNALBLUE. After getting an initial foothold in Maersk’s networks via the poisoned updates (again, we are assuming that Maersk’s experience mirrors what we know to have happened with NotPetya elsewhere), the attackers would then have leveraged the ETERNALBLUE exploit to worm through the shipping company’s network, infecting many thousands of machines with ransomware—or wiper malware masquerading as ransomware—in the process.

To be clear: ETERNALBLUE was not an obscure exploit. Its emergence, along with a bevy of related exploits, dominated the cybersecurity news cycle for months at various points throughout 2017. The exploits are widely believed to have been developed by a vaunted, state-sponsored hacking unit known as “the Equation Group” before being leaked on the Internet by another suspected state-backed group known as “the Shadow Brokers.” The media took notice of this apparent game of electronic spy vs. spy and covered these exploits, their leaking, the patches that resolved them, and the real-world attacks leveraging them at length—well before the NotPetya ransomware swept across the globe in late June 2017.

As such, Maersk’s plight was a failing that arose almost entirely from hygiene choices. The company, assuming NotPetya infected its networks in the same way it infected everyone else’s, apparently hadn’t installed the March 2017 Microsoft security update that resolved these vulnerabilities. Had it installed that patch, the NotPetya infection would very likely have been limited to the one workstation, or small handful of workstations, running M.E.Doc, a software package that is apparently very popular among organizations that conduct business in Ukraine.
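The hygiene gap described above (an SMBv1 service reachable across the network and the March 2017 fix not applied) is something an administrator can audit per host. The following PowerShell is an added example written for this page, not code from the article or from Maersk; it uses only built-in cmdlets (`Get-SmbServerConfiguration`, `Get-WindowsOptionalFeature`, `Get-HotFix`) and assumes Windows 8.1 / Server 2012 R2 or later. The article names only “the March 2017 Microsoft security update”; the cut-off date and the empty `-KnownFixIds` list below are assumptions, the latter meant to be filled in from Microsoft’s bulletin for the host’s OS version.

```powershell
# Added example (not from the article): audit one Windows host for the two
# conditions that let NotPetya spread -- SMBv1 enabled and the March 2017 SMB
# fix missing. Run in an elevated PowerShell session.

function Test-Smb1Exposure {
    [CmdletBinding()]
    param(
        # KB identifiers of the March 2017 SMB fix for this OS, e.g. 'KB<from-bulletin>'.
        # Left empty here (assumption/placeholder); when empty, a coarse staleness
        # check on the newest installed update is used instead.
        [string[]]$KnownFixIds = @(),
        # Assumed cut-off: Microsoft's March 2017 security release date.
        [datetime]$Cutoff = (Get-Date '2017-03-14')
    )

    $report = [ordered]@{
        ComputerName          = $env:COMPUTERNAME
        Smb1ServerEnabled     = $null
        Smb1FeatureState      = 'NotPresent'
        SmbFixInstalled       = $null
        NewestUpdateInstalled = $null
        Findings              = @()
    }

    # 1. Is the SMBv1 server protocol switched on? ETERNALBLUE targets SMBv1 only,
    #    so a host answering SMBv1 is the one that can be wormed into.
    $smb = Get-SmbServerConfiguration
    $report.Smb1ServerEnabled = [bool]$smb.EnableSMB1Protocol
    if ($report.Smb1ServerEnabled) {
        $report.Findings += 'SMBv1 server enabled; disable with: Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
    }

    # 2. Is the SMB1 component installed at all? Removing it is the durable fix,
    #    since a config flag can be flipped back.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature) {
        $report.Smb1FeatureState = [string]$feature.State
        if ($feature.State -eq 'Enabled') {
            $report.Findings += 'SMB1Protocol feature present; remove with: Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol'
        }
    }

    # 3. Patch hygiene. Prefer an exact KB check when the caller supplies the IDs;
    #    otherwise report the newest update date and flag hosts frozen before the cut-off.
    $hotfixes = Get-HotFix | Where-Object { $_.InstalledOn }
    $newest = $hotfixes | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $report.NewestUpdateInstalled = if ($newest) { $newest.InstalledOn } else { $null }

    if ($KnownFixIds.Count -gt 0) {
        $installedIds = $hotfixes | ForEach-Object { $_.HotFixID }
        $report.SmbFixInstalled = [bool]($KnownFixIds | Where-Object { $installedIds -contains $_ })
        if (-not $report.SmbFixInstalled) {
            $report.Findings += "None of the supplied SMB fix IDs ($($KnownFixIds -join ', ')) is installed"
        }
    }
    elseif (-not $newest -or $newest.InstalledOn -lt $Cutoff) {
        $report.SmbFixInstalled = $false
        $report.Findings += "No update installed since $($Cutoff.ToShortDateString()); host predates the March 2017 SMB fix"
    }
    else {
        # Updates newer than the cut-off exist; with no KB list we cannot prove the SMB fix
        # specifically, so leave it unknown rather than claim a pass.
        $report.SmbFixInstalled = 'Unknown (supply -KnownFixIds to verify)'
    }

    [pscustomobject]$report
}

# Usage: print the report for this host. Any entry under Findings is a remediation item.
Test-Smb1Exposure | Format-List
```

For fleet-wide use, run the function through `Invoke-Command -ComputerName` against an inventory list and collect the returned objects; a host with `Smb1ServerEnabled` true and `SmbFixInstalled` false is exactly the combination the article describes.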

Instead, the company, it seems, had to replace nearly its entire IT infrastructure at truly astonishing cost over a period of days.

“Imagine a company where a ship with 10,000 to 20,000 containers enters a port every 15 minutes, and, for ten days, you have no IT,” Snabe would say later in the panel discussion. “It’s almost impossible to imagine.”

The featured image for this article is the work of  Wikimedia user Bahnfrend and is licensed under Creative Commons.
