Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

03:00 PM
By Eric Parizo, Senior Analyst, Ovum
By Eric Parizo, Senior Analyst, Ovum

Maersk CISO Says NotPeyta Devastated Several Unnamed US firms

At least two companies may have been dealt even more damage than the shipping giant, which lost nearly its entire global IT infrastructure.

Meanwhile, during that time, Maersk had no way of knowing what was in its millions of shipping containers worldwide, or how to deliver them to their destinations. The result was a massive cascade of supply chain disruptions that rippled around the world. One well-known European retailer, Powell noted as an example, depends on Maersk for nearly all its shipments. In the wake of NotPetya, the retailer risked running out of clothes to sell in its stores.

The company's physical command-and-control recovery processes were far more capable, and Powell said the company initiated those processes to quickly retain control of its kinetic assets, prioritizing management of its temperature-controlled shipments.

From an IT perspective, Powell was surprised the solution that proved to be most helpful during the recovery was WhatsApp. Employees quickly connected with each other on their personal mobile devices, and used WhatsApp groups to share information, discuss problems, develop solutions, and share with others to put them into action.

"The employees created groups around the way they operated," Powell said, adding that it proved to be a silver lining following the incident. "We used WhatsApp to help rebuild our business processes, and ultimately the attack helped us redesign our business."

Lessons learned
Powell, who joined Maersk in June 2018 following the attack, said perhaps the most important lesson learned was that organizations must direct more IT resources into system recovery, especially offline backup capabilities. "Trust me, it is the best thing to invest in," Powell said, "because high-level nation-state cyberweapons will take out everything you have online."

Maintaining and ensuring data integrity must also be a focus of cybersecurity programs. Powell also said that attackers increasingly value data over infrastructure, and while any given attack campaign may appear focused on destroying data, the reality is that adversaries increasingly realize there is more value in simultaneously stealing the data and selling it later to the highest bidder.

Powell said specific technologies that Maersk has found to benefit from employing post-attack include endpoint detection and response, privileged access management, and a threat intelligence platform. Beyond any particular product, however, Maersk seeks to make cybersecurity a core tenant of its global day-to-day operations. As part of that effort, every employee in the company is now trained on cybersecurity, including what to do during a cybersecurity crisis.

"In Danish, safety and security is the same word," Powell said. "So it makes sense to put cybersecurity into our safety mindset. And that's really paying off for us."

Powell noted that while Maersk has dramatically improved its cybersecurity posture since the NotPetya attack, it is critical to understand that Maersk or any other organization could be hit with a similarly debilitating cyberattack at any time. Not only are nation-state-level cyberweapons falling into the hands of proxy adversaries, but these adversaries are probably already inside of most organizations, he said. "We have recognized at least three [nation-states] that have used a proxy to get into our network in the past six months, and they're doing that all around the globe."

Related Content from Black Hat Europe:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Criminals Hide Fraud Behind the Green Lock Icon."

2 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
2/2/2020 | 2:24:52 AM
Re: Maersk CISO
We should have a very tight security in terms of our systems.  site
User Rank: Apprentice
12/10/2019 | 10:34:22 PM
Maersk CISO
Of all the news blogs online, I still gravitate here because the articles are so much fun to read (yay, for humor!) and has a more richer audience participation. Yonkers Towing Group
Cybersecurity Industry: It's Time to Stop the Victim Blame Game
Jessica Smith, Senior Vice President, The Crypsis Group,  2/25/2020
Google Adds More Security Features Via Chronicle Division
Robert Lemos, Contributing Writer,  2/25/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-02-27
In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14, the LTE RRC dissector could leak memory. This was addressed in epan/dissectors/packet-lte-rrc.c by adjusting certain append operations.
PUBLISHED: 2020-02-27
openssl_x509_check_host in lua-openssl 0.7.7-1 mishandles X.509 certificate validation because it uses lua_pushboolean for certain non-boolean return values.
PUBLISHED: 2020-02-27
openssl_x509_check_email in lua-openssl 0.7.7-1 mishandles X.509 certificate validation because it uses lua_pushboolean for certain non-boolean return values.
PUBLISHED: 2020-02-27
openssl_x509_check_ip_asc in lua-openssl 0.7.7-1 mishandles X.509 certificate validation because it uses lua_pushboolean for certain non-boolean return values.
PUBLISHED: 2020-02-27
Type confusion in V8 in Google Chrome prior to 80.0.3987.116 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.