LONDON – The unprecedented 2017 NotPetya malware attack on global shipping giant Maersk has been well documented, but according to the organization's top cybersecurity executive, several other companies suffered equally if not even more devastating damage but have yet to publicly reveal the incidents.
Speaking Thursday at Black Hat Europe 2019, A.P. Moller Maersk A/S Chief Information Security Officer Andrew Powell said he believes globally approximately 600 companies were damaged by NotPetya around the time of the Maersk attack.
That's because the source of the attacks, Powell said, was traced back to an application called M.E.Doc, a financial application that the Ukrainian government essentially requires any company to use if it is doing business in the country.
According to published reports, NotPetya was the key element in a nation-state-sponsored cyberattack campaign targeting the government of Ukraine. Instead, the malware proved to be far more virulent.
"Any company doing business in Ukraine and filing a tax return [in 2017] was hit," Powell said. "Very big companies in the U.S. got hit hard, two of them harder than us."
Powell declined to name the companies and did not elaborate on how he came to know about these other organizations' NotPetya incidents. All told, estimates indicate the attack and recovery effort have cost Maersk nearly $300 million to date.
Published reports indicate NotPetya wreaked havoc all over the globe in nearly all industries. In the U.S., pharmaceutical giant Merck and shipping giant FedEx both lost more than $300 million from NotPetya as a result of cleanup and lost business.
Powell, a longtime information security executive, previously worked as a vice president for Capgemini, and spent nearly 30 years with the United Kingdom Royal Air Force, including serving as its CIO.
"We weren't alone," Powell said. "Maersk is one of the few companies that has been transparent about what happened. We haven't tried to disguise it or shy away from it."
An argument could be made, however, that Maersk had little choice. The Copenhagen-based shipping company, which transports approximately 20% of all global shipments, found itself virtually paralyzed by NotPetya in a matter of minutes.
Maersk NotPetya attack: What happened
In retrospect, Powell said, Maersk wasn't well prepared to cope with an attack as sophisticated and crippling as NotPetya.
In early 2017 its cybersecurity maturity, like many manufacturing and logistics companies, he noted, was relatively low. Even though digital processes had become critical to Maersk's day-to-day operations, computer networks and server infrastructure weren't considered mission critical; what really mattered, according to the company, was its high-profile physical assets such as ports, ships, and shipping containers. Hence digital assets were minimally protected.
So once a Maersk user in its Odessa office was infected, it spread through the Maersk global network faster than anyone imagined possible.
"Within seven minutes," Powell said, "most of the damage was done."
And that damage was staggering. According to Powell, NotPetya destroyed 49,000 laptops, more than 1,000 applications, all printing and file-sharing systems were knocked offline, its enterprise service bus and VMware vCenter cloud-management servers were ruined, and its DHCP and Active Directory servers were rendered useless.
What proved to be especially devastating, Powell added, was that both its primary and backup Active Directory systems were taken out, a scenario Maersk never thought possible.
"[NotPetya] was designed to destroy online backups specifically, preventing recovery using online backup methods," Powell said. "We had no copies of our Active Directory. We thought we had nothing to restart the network with."
NotPetya Maersk attack: How it recovered
Fortunately, a stroke of good luck came when IT leaders learned that the company's Lagos office had suffered a power outage during the NotPetya attack. Its IT systems – including its copy of the company's Active Directory – were undamaged.
The Lagos AD node was physically removed, flown to Copenhagen, and used to rebuild the rest of the network. However, the AD recovery process alone took more than a week. Clearly, Powell said, it was a scenario Maersk should have planned for.
"Nine days for an Active Directory recovery isn't good enough," Powell said. "You should aspire to 24 hours; if you can't, then you can't repair anything else."
Meanwhile, during that time, Maersk had no way of knowing what was in its millions of shipping containers worldwide, or how to deliver them to their destinations. The result was a massive cascade of supply chain disruptions that rippled around the world. One well-known European retailer, Powell noted as an example, depends on Maersk for nearly all its shipments. In the wake of NotPetya, the retailer risked running out of clothes to sell in its stores.
The company's physical command-and-control recovery processes were far more capable, and Powell said the company initiated those processes to quickly retain control of its kinetic assets, prioritizing management of its temperature-controlled shipments.
From an IT perspective, Powell was surprised the solution that proved to be most helpful during the recovery was WhatsApp. Employees quickly connected with each other on their personal mobile devices, and used WhatsApp groups to share information, discuss problems, develop solutions, and share with others to put them into action.
"The employees created groups around the way they operated," Powell said, adding that it proved to be a silver lining following the incident. "We used WhatsApp to help rebuild our business processes, and ultimately the attack helped us redesign our business."
Powell, who joined Maersk in June 2018 following the attack, said perhaps the most important lesson learned was that organizations must direct more IT resources into system recovery, especially offline backup capabilities. "Trust me, it is the best thing to invest in," Powell said, "because high-level nation-state cyberweapons will take out everything you have online."
Maintaining and ensuring data integrity must also be a focus of cybersecurity programs. Powell also said that attackers increasingly value data over infrastructure, and while any given attack campaign may appear focused on destroying data, the reality is that adversaries increasingly realize there is more value in simultaneously stealing the data and selling it later to the highest bidder.
Powell said specific technologies that Maersk has found to benefit from employing post-attack include endpoint detection and response, privileged access management, and a threat intelligence platform. Beyond any particular product, however, Maersk seeks to make cybersecurity a core tenant of its global day-to-day operations. As part of that effort, every employee in the company is now trained on cybersecurity, including what to do during a cybersecurity crisis.
"In Danish, safety and security is the same word," Powell said. "So it makes sense to put cybersecurity into our safety mindset. And that's really paying off for us."
Powell noted that while Maersk has dramatically improved its cybersecurity posture since the NotPetya attack, it is critical to understand that Maersk or any other organization could be hit with a similarly debilitating cyberattack at any time. Not only are nation-state-level cyberweapons falling into the hands of proxy adversaries, but these adversaries are probably already inside of most organizations, he said. "We have recognized at least three [nation-states] that have used a proxy to get into our network in the past six months, and they're doing that all around the globe."
In part because the risk of a major cyberattack is always present, Powell believes that the other companies around the world that were affected by NotPetya should share their stories.
"I would ask anyone who knows those companies that didn't open up, tell them they should," Powell said. "Those lessons would be great to learn."