Enterprise cybersecurity technology

research that connects the dots | Learn more


Maersk CISO Says NotPeyta Devastated Several Unnamed US firms

At least two companies may have been dealt even more damage than the shipping giant, which lost nearly its entire global IT infrastructure.

Meanwhile, during that time, Maersk had no way of knowing what was in its millions of shipping containers worldwide, or how to deliver them to their destinations. The result was a massive cascade of supply chain disruptions that rippled around the world. One well-known European retailer, Powell noted as an example, depends on Maersk for nearly all its shipments. In the wake of NotPetya, the retailer risked running out of clothes to sell in its stores.

The company's physical command-and-control recovery processes were far more capable, and Powell said the company initiated those processes to quickly retain control of its kinetic assets, prioritizing management of its temperature-controlled shipments.

From an IT perspective, Powell was surprised the solution that proved to be most helpful during the recovery was WhatsApp. Employees quickly connected with each other on their personal mobile devices, and used WhatsApp groups to share information, discuss problems, develop solutions, and share with others to put them into action.

"The employees created groups around the way they operated," Powell said, adding that it proved to be a silver lining following the incident. "We used WhatsApp to help rebuild our business processes, and ultimately the attack helped us redesign our business."

Lessons learned
Powell, who joined Maersk in June 2018 following the attack, said perhaps the most important lesson learned was that organizations must direct more IT resources into system recovery, especially offline backup capabilities. "Trust me, it is the best thing to invest in," Powell said, "because high-level nation-state cyberweapons will take out everything you have online."

Maintaining and ensuring data integrity must also be a focus of cybersecurity programs. Powell also said that attackers increasingly value data over infrastructure, and while any given attack campaign may appear focused on destroying data, the reality is that adversaries increasingly realize there is more value in simultaneously stealing the data and selling it later to the highest bidder.

Powell said specific technologies that Maersk has found to benefit from employing post-attack include endpoint detection and response, privileged access management, and a threat intelligence platform. Beyond any particular product, however, Maersk seeks to make cybersecurity a core tenant of its global day-to-day operations. As part of that effort, every employee in the company is now trained on cybersecurity, including what to do during a cybersecurity crisis.

"In Danish, safety and security is the same word," Powell said. "So it makes sense to put cybersecurity into our safety mindset. And that's really paying off for us."

Powell noted that while Maersk has dramatically improved its cybersecurity posture since the NotPetya attack, it is critical to understand that Maersk or any other organization could be hit with a similarly debilitating cyberattack at any time. Not only are nation-state-level cyberweapons falling into the hands of proxy adversaries, but these adversaries are probably already inside of most organizations, he said. "We have recognized at least three [nation-states] that have used a proxy to get into our network in the past six months, and they're doing that all around the globe."

Related Content from Black Hat Europe:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Criminals Hide Fraud Behind the Green Lock Icon."