Serendipity intervened to rescue world’s largest shipping conglomerate in 2017

Maersk was hit by a NotPetya ransomware attack in 2017

A power cut in Nigeria’s capital city salvaged Maersk’s network infrastructure during the NotPetya attack of 2017, the shipping conglomerate’s head of security has admitted.

Recounting the remarkable stroke of luck at the Black Hat Europe conference in London last week, Maersk CISO Andy Powell said the malware wiped out almost all online backups of the company’s Active Directory – save, mercifully, for a piece held in its powered-down Lagos office.

Maersk, which has 574 offices across 130 countries, promptly booked the Active Directory server a first-class seat (alongside that of its temporary human custodian) on the next flight out of Lagos.

Active Directory, a Microsoft service that manages network access permissions within Windows environments, is “king”, Powell told the Black Hat audience. Offline backups are critical even in very large networks, he said.

‘Not good enough’

A.P. Møller-Maersk, to give the Danish company its full name, fell prey to NotPetya on June 27, 2017, in an attack where Kremlin-backed hackers remain the prime suspects.

Attackers spread the malware after seizing control of the software update mechanism of M.E.Doc, the de facto standard accountancy package for firms doing business in Ukraine, as part of a carefully planned operation.

The impact was as immediate as the recovery was slow: Maersk’s network was crippled within seven minutes, most of the damage was done within an hour and it took nine days to restore its Active Directory system. “Not good enough,” said Powell – 24 hours should be the target turnaround.

However, the company did excel in one key aspect: They told everyone “what was happening straightaway”, said Powell. Far from being angry, many customers’ first response was: “How can we help?”

He added that “a number of big international companies hit with NotPetya were less open, honest, and transparent.”


Read more of the latest ransomware news from The Daily Swig


Honesty and transparency is just as vital internally, something Powell dubbed his “bring out your dead” policy.

The sympathetic response from customers and partners attests to the fact that breaches aren’t always attributable to incompetence or negligence.

“We looked long and hard at whether we could have stopped it and the answer is ‘no’” – but they could have contained it better, said Powell.

As a shipping giant involved in 20% of the world’s trade, Maersk is an obvious target for sophisticated, state-sponsored exploits, and its resilience has implications for the global economy.

“Nation state weapons are even more widespread,” said Powell. “What's worrying is those nation state weapons, which are high end, are moving into the hands of proxies: criminal gangs acting on their behalf.”

Maersk had detected at least three advanced persistent threat (APT) groups probing their networks through its supply chain (for example, partners or suppliers) in the last year alone.

Daunting task

Maersk’s clean-up was a daunting task.

NotPetya, the most destructive exploit engineered for Russia’s cyberwar against Ukraine to date, trashed nearly 50,000 company laptops and disabled its entire network of VoIP phones.

The company quickly built 2,000 laptops, many procured from high street retailers, while WhatsApp groups became a vital communications lifeline.

Without access to data held on its destroyed computer system, Maersk literally didn’t know what was in its containers. On-the-ground-staff had to check manually, with time sensitive medicines a particular supply chain concern.

Lessons learned

Containment of the ransomware across such a broad network was fiendishly challenging, as was finessing privileged access, for which Powell suggested “draconian methods” might be necessary.

Evoking a multiple-warhead missile, he cautioned against assuming any incoming exploit was unaccompanied. NotPetya itself was bundled with four different software exploits.

Worry about your back door, not just your front door, Powell warned – though it felt like NotPetya had erected 12 new front doors and handed the attackers the keys.

The CISO also extolled the virtues of secure-by-design principles, identifying your business-critical applications, and rehearsing incident response playbooks.

He said he focuses on standards, not policy – the latter of which is now a banned word in the organization.

Computer forensics are undertaken even for seemingly minor incidents.

Maersk has now enshrined these painful lessons in five principles, relating to organizational resilience, boardroom accountability, and security being a benefit, growth driver, and everyone’s responsibility.


YOU MIGHT ALSO LIKE Ransomware slingers ramp up up attacks on back-up devices