The attack was successful due to several key vulnerabilities:
Outdated IT Systems: Maersk was running Windows 2000 and Windows XP, which had known security flaws and were no longer supported with updates.
Unpatched Software: Even though Microsoft had released a security patch to fix the vulnerability (EternalBlue exploit), Maersk had not applied it across all its systems.
Global Network Connectivity: The malware spread rapidly through Maersk’s interconnected global network, affecting all 150 domain controllers, making recovery difficult.
Phishing and Software Supply Chain Attack: The attackers infiltrated MeDoc’s software update mechanism, exploiting the trust relationship between businesses and their software providers.
The NotPetya cyberattack on Maersk was successful due to a combination of aspects and factors:
Vulnerabilities in Maersk’s IT Infrastructure: Outdated software, inadequate backup strategies, and underestimation of cybersecurity risks.
Complexity of NotPetya Malware: Exploiting Ukrainian financial software and NSA vulnerabilities for attacks, and designed to permanently destroy data.
Timing and Coordination of the Attack: Launching on Ukrainian Independence Day and quickly spreading across Maersk’s global network.
Lack of Preparedness for a Cyberattack: No effective incident response plan, leading to slow recovery and high costs.
Due to some critical vulnerabilities, the attack was successful:
Poor IT hygiene: Despite internal warnings, delayed upgrades and backups exposed the system. Domain controllers lacked independent backups, and IT personnel prioritized normal operating time over updates.
Supply chain vulnerability: Malicious software spread through trusted third-party software updates (MeDoc), bypassing traditional defenses.
Network interconnectivity: Once it had entered, the malicious software rapidly spread within Maersk’s global integrated network, disabling all 150 domain controllers.
Outdated systems: Maersk used unsupported Windows 2000 and XP systems, which lacked security patches for vulnerabilities such as EternalBlue.
First, Maersk’s information systems had obvious security gaps. Some of the company’s computers still used outdated Windows operating systems, which were no longer officially supported and had a number of known security holes. It was these vulnerabilities that the attackers exploited to successfully breach Maersk’s network.
Secondly, Maersk’s awareness of and investment in cybersecurity was insufficient. Although company system administrators had warned of security risks in the network, for various reasons these warnings were not heeded enough. The company failed to upgrade and patch in a timely manner, leaving the system exposed for a long time.
Finally, supply chain security vulnerabilities are also important reasons for the success of this attack. By infecting the Ukrainian financial software MeDoc, the attackers exploited supply chain relationships to spread the malware, eventually affecting several multinational companies, including Maersk. This shows that in a highly connected global economy, a security breach at any one link can have a serious impact on the entire supply chain.
The attack was successful because Maersk had poor cybersecurity hygiene, including unpatched systems, weak network segmentation, and outdated infrastructure. The NotPetya malware exploited Microsoft Windows vulnerabilities (EternalBlue and EternalRomance), which Maersk had not fully patched, allowing it to spread rapidly across the company’s interconnected global network. Additionally, all 150 of Maersk’s domain controllers were wiped out simultaneously, making recovery nearly impossible. The lack of proper segmentation between critical and non-critical systems further enabled the malware to propagate unchecked, leading to a complete shutdown of Maersk’s operations.
1. System vulnerability: The attacker took advantage of the outdated Windows 2000 server software and Windows XP operating system used by Maersk, which had not received security patches because Microsoft had stopped supporting them. This allowed an attacker to break into the system through these known vulnerabilities.
2. Defects of the backup strategy: Although Maersk had a good habit of backing up data regularly, key domain controller data was missing from the backup. The domain controller is the “central nervous system” of the network, responsible for user authentication and resource access. Because all domain controllers were attacked by the same malware at the same time, the entire network structure was permanently lost.
3. Lack of emergency preparedness: Although the senior system administrator warned of the vulnerability of the network, the leadership-approved upgrade was never implemented because the system administrators’ bonus was linked to the uptime of the current infrastructure rather than to installing the upgrade. This suggests a lack of adequate preparedness and contingency plans to address cyber attacks.
4. Supply chain attack: The attacker used the update mechanism of a third-party editing tool, which is a supply chain attack. The attackers attack other organizations through this channel, while they themselves become targets. The success of this attack approach demonstrates the importance of supply chain security.
5. Concealment and destructiveness of the attack: The attacker used advanced attack tools such as EternalBlue and EternalRomance, which can remotely access the infected system and increase permissions, allowing the attacker to control and modify the system without being detected. In addition, NotPetya masqueraded as ransomware, but its real purpose was to permanently destroy and disable infected systems and networks.
To sum up, the success of the attack is the result of the Maersk company’s system vulnerabilities, backup strategy defects, lack of emergency preparedness, and the concealment and destruction of supply chain attacks.
Compromised Software Update: The attackers exploited a compromised software update mechanism to distribute the malware. This allowed the malware to spread rapidly and infect a large number of systems without requiring user interaction.
Lack of Patches: The vulnerability exploited by the attackers had been known for some time, but many organizations, including Maersk, had not applied the necessary patches. This lack of timely patching left systems vulnerable to attack.
Centralized Architecture: Maersk’s IT infrastructure relied heavily on a centralized domain controller architecture. When the domain controllers were compromised, it affected the entire network, leading to a widespread shutdown of operations.
1. Outdated Systems: Maersk used old operating systems like Windows 2000 and Windows XP, which were no longer supported by Microsoft and lacked critical security patches.
2. Lack of System Upgrades: Despite warnings from senior system administrators, necessary upgrades were not implemented due to concerns about system downtime.
3. Inadequate Backup Strategy: While data backups were in place, the domain controllers were not adequately protected, resulting in the complete loss of the network structure.
4. Global Network Vulnerability: The interconnected nature of Maersk’s global network allowed the malware to spread rapidly, infecting all 150 domain controllers simultaneously.
The NotPetya ransomware attack on Maersk was successful due to the following key vulnerabilities:
Outdated IT Systems: Maersk was using Windows 2000 and Windows XP, which had well-known security flaws and were no longer receiving updates. This made its systems highly vulnerable to attacks.
Unpatched Software: Despite Microsoft releasing a security patch to address the vulnerability (EternalBlue exploit), Maersk failed to apply it across all its systems. As a result, the unpatched systems were easy targets for the malware.
Global Network Connectivity: The malware spread quickly through Maersk’s interconnected global network. It affected all 150 domain controllers, making the recovery process extremely difficult. The extensive global network connectivity, which was supposed to facilitate business operations, instead became a conduit for the rapid spread of the malware.
Phishing and Software Supply Chain Attack: The attackers managed to infiltrate MeDoc’s software update mechanism. By exploiting the trust relationship between businesses and their software providers, they were able to introduce the malware into Maersk’s systems through the software update process, which is a form of phishing and software supply chain attack.
Multiple factors led to Maersk’s vulnerability during the NotPetya incident. Maersk’s IT setup had major flaws, with some computers using obsolete Windows systems that were unpatched and had numerous security holes, exploited by attackers. The firm also showed low cybersecurity awareness and investment. Even though system admins flagged risks, Maersk failed to upgrade and patch promptly, leaving its systems at risk. Further, supply chain security lapses were a key factor. Attackers infected the Ukrainian MeDoc financial software and used supply chain ties to spread malware, affecting Maersk and others. This reveals that in today’s linked-up global business world, one weak security link can trigger extensive problems across the whole supply chain network.
1. Outdated software: Maersk had ancient Windows 2000 server software and many PC terminals still ran on Windows XP, for which Microsoft had long discontinued support. As a result, these systems did not receive security patches, leaving them vulnerable to attacks.
2. Lack of system upgrades: Although the senior leadership team had approved system upgrades, the systems administrators, whose bonuses depended on current infrastructure uptime, did not implement them. This negligence left the company’s network exposed.
3. Failure to account for a comprehensive backup: Maersk made regular data backups, but it did not consider the possibility of all 150 domain controllers being hit simultaneously. The domain controllers, which were the central nervous system of the network, were crucial for identity management and resource access. When all of them were wiped out by the malware, the company’s entire network structure was lost.
4. Communication disruptions: The cyberattack disabled Maersk’s email, messaging, and phone systems. This made it difficult for the emergency-response centre to communicate with key IT staff at different domain controller sites, hampering the recovery efforts.
The attack was successful due to several key factors:
1. Unpatched Vulnerabilities: The outdated Windows systems used by Maersk were not updated with the latest security patches, making them vulnerable to known exploits.
2. Simultaneous Domain Controller Attack: The malware targeted all 150 domain controllers simultaneously, which are essential for network management. This wiped out the entire network structure in one go.
3. Lack of Proactive Security Measures: Maersk’s systems were not regularly updated or maintained, and there was no proactive approach to cybersecurity, leaving the company ill-prepared to handle such a sophisticated attack.
The success of the NotPetya cyber attack on Maersk was the result of a combination of inadequate internal cyber security measures, the exploitation of external threats, and cyber warfare triggered by the situation in Ukraine. While Maersk followed best practices when it came to data backup, it was missing a backup of key domain controllers, which are responsible for mapping the company’s network and authorizing user access. In the attack, all 150 domain controllers were simultaneously hit by the malware, resulting in the loss of the entire network structure. NotPetya is a highly sophisticated ransomware that exploits NSA vulnerabilities (such as EternalBlue and EternalRomance) that were originally used for Internet surveillance. The compromised vulnerability allows the attacker to remotely access the infected system and install additional software on the system, stealing data and passwords. After the 2014 Ukraine crisis, Russia began launching cyber attacks on Ukraine’s economy and infrastructure in support of pro-Russian forces. Maersk, a company that does business in the region, was attacked using MeDoc software, which in turn infected its global network.
The attack on Maersk was successful mainly due to:
1. Outdated Systems: Maersk used old Windows operating systems that were no longer supported and lacked security updates.
2. Software Exploits: Attackers used known vulnerabilities in Windows systems to gain access and spread malware.
3. Phishing Attacks: Employees fell for phishing emails, which allowed malware to enter the network.
4. Network Vulnerabilities: The company’s network architecture had a single point of failure, and all domain controllers were hit simultaneously.
5. Lack of Updates: Necessary system upgrades and security patches had not been implemented despite warnings.
6. Inadequate Backup Strategy: The backup plan did not account for the simultaneous compromise of all domain controllers.
These factors allowed the attackers to successfully infiltrate and disrupt Maersk’s operations.
1. Outdated IT infrastructure: Maersk uses Windows 2000 and Windows XP, which no longer receive security updates from Microsoft.
2. Interconnected Global Network: Maersk’s global operations rely on a highly interconnected network. Once ransomware infiltrates one part of a network, it can quickly spread to the entire system.
3. Third-party software vulnerability: Maersk trusted the software and its updates, which allowed the malware to infiltrate its systems.
5. Delayed response: The attack crippled Maersk’s email, messaging and phone systems, making it difficult to coordinate an immediate response.
1) Technical vulnerabilities
Unrepaired Known Vulnerabilities (CVE)
Root cause of the problem: The patch management process is lagging behind, and the vulnerability scanning tool has not covered all assets.
2) Human factors and internal threats
Social Engineering Attack
Root cause of the problem: Employees lack security awareness training and have not activated Multi-Factor Authentication (MFA).
3) Organizational processes and governance deficiencies
Security response lag
Root cause of the problem: The incident response plan (IRP) is not regularly practiced, resulting in a lengthy decision-making chain.
The NotPetya ransomware attack on Maersk was successful due to multiple critical vulnerabilities within the company’s IT infrastructure.
Firstly, Maersk had poor IT hygiene. Despite internal warnings, there were significant delays in system upgrades and backups. Domain controllers lacked independent backups, and IT personnel placed more emphasis on maintaining normal operating time rather than carrying out necessary updates. This left the systems exposed and vulnerable.
Secondly, the supply chain proved to be a weak link. Malicious software infiltrated through updates of trusted third-party software, specifically MeDoc, bypassing traditional security defenses.
Thirdly, Maersk’s extensive network interconnectivity became a liability. Once the malware entered the system, it spread rapidly throughout Maersk’s global integrated network, disabling all 150 domain controllers at once.
Finally, the use of outdated systems, such as unsupported Windows 2000 and XP which lacked security patches for vulnerabilities like EternalBlue, compounded the problem. Weak network segmentation between critical and non-critical systems also allowed the malware to propagate freely. As a result, Maersk’s operations came to a complete halt, and recovery was made extremely difficult.
The attack on the Maersk Hangzhou in 2024 was successful because the Houthi armed group in Yemen, which supports Hamas, intended to influence the situation in the Red Sea region and express its political stance by attacking commercial ships. The group used coastal missile batteries, loitering munitions, and fast-attack craft to launch attacks. Despite the protection provided by Operation Prosperity Guardian, the Maersk Hangzhou was still hit by a missile and faced an attempted boarding.
The NotPetya ransomware attack on Maersk was successful due to a combination of factors, including vulnerabilities in software, inadequate cybersecurity measures, and the interconnected nature of global business networks. It was a combination of outdated software, inadequate cybersecurity measures, and the interconnected nature of Maersk’s global network. The attack underscores the importance of regular software updates, robust patch management, network segmentation, and comprehensive backup and recovery strategies. It also highlights the need for continuous employee training to recognize and avoid phishing attempts. Maersk’s experience serves as a cautionary tale for other organizations to prioritize cybersecurity and be prepared for such incidents.
The NotPetya attack was successful because it exploited vulnerabilities in the MeDoc software supply chain, and Maersk’s network had a large number of old, unupdated software (such as Windows 2000 and Windows XP) that were vulnerable to infection due to a lack of security patches. At the same time, Maersk’s network lacked effective segmentation isolation measures, which allowed the malware to quickly spread across the global network, eventually resulting in a complete system crash.
Maersk’s cargo ships were not directly attacked, but its IT systems were severely impacted by the NotPetya ransomware. The malware initially spread through the Ukrainian financial software MeDoc, which was compromised via its update mechanism. When Maersk employees used infected computers, the malware infiltrated the company’s internal network.
Once inside, NotPetya exploited unpatched Windows vulnerabilities (EternalBlue and EternalRomance) to gain administrative access and spread rapidly. Due to weak network segmentation and outdated security controls, all 150 of Maersk’s domain controllers were wiped out, causing a complete shutdown of its global IT infrastructure. This led to major disruptions in cargo ship operations, port activities, and global trade, highlighting the risks of cyber threats in an increasingly digitalized industry.
The attack succeeded because of several critical vulnerabilities:
1. Inadequate IT Hygiene
Despite internal alerts, Maersk faced issues due to postponed upgrades and backups. The system was left exposed as domain controllers didn’t have independent backups. IT staff placed more importance on maintaining normal operating hours rather than carrying out necessary updates. This negligence created loopholes that attackers could exploit.
2. Supply Chain Weakness
The malware managed to spread via trusted third-party software updates from MeDoc. Since these updates came from a seemingly reliable source, they bypassed traditional security defenses. This vulnerability within the supply chain highlights how a single compromised link can have far-reaching consequences for an entire organization like Maersk.
3. High-level Network Interconnectivity
Once the malicious software entered Maersk’s network, it took full advantage of the company’s global integrated network. It spread at a rapid pace and was able to disable all 150 domain controllers. The high degree of interconnectivity, which is usually an asset for business operations, became a liability in the face of a cyber-attack.
4. Use of Outdated Systems
Maersk was still using Windows 2000 and XP systems, which were no longer supported. These systems lacked the security patches needed to protect against vulnerabilities like EternalBlue. By relying on such outdated technology, Maersk left itself open to exploitation by attackers who were aware of these unpatched weaknesses.
The NotPetya ransomware attack on Maersk succeeded because of several key vulnerabilities in its IT infrastructure, including poor IT hygiene with significant delays in system upgrades and backups, domain controllers lacking independent backups, and IT staff prioritizing normal operating time over updates; a weak supply chain where malware infiltrated via updates of the trusted third-party software MeDoc bypassing security defenses; the company’s extensive network interconnectivity that enabled rapid malware spread throughout its global integrated network and disabled all 150 domain controllers at once; and the use of outdated systems like unsupported Windows 2000 and XP without security patches for vulnerabilities such as EternalBlue, along with weak network segmentation between critical and non-critical systems, leading to a complete halt of Maersk’s operations and making recovery extremely challenging.
The attack exploited multiple vulnerabilities:
A. Outdated Systems: Maersk used unsupported Windows 2000/XP systems, leaving them unpatched against known exploits like EternalBlue.
B. Supply Chain Compromise: NotPetya was disguised as a legitimate MeDoc update, leveraging trust in software vendors to bypass defenses.
C. Weak Backup Strategy: While Maersk backed up data, its domain controllers (central network directories) were not isolated, allowing the malware to wipe out all 150 nodes simultaneously.
D. Slow Response: Delayed recognition of the attack and communication failures (email/phone outages) hindered containment, exacerbating damage.
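Two of the posts above reduce the incident to control gaps a defender can inventory: the "Technical vulnerabilities" post (patch management lagging, scanner not covering all assets) and the post immediately above (domain controllers backed up but not isolated, so all 150 fell together). The following is an added example, not code from the original thread or from Maersk, showing how such an inventory audit can be expressed. Asset names, OS labels and the patch identifier are constructed stand-ins; the checks mirror the gaps the posts describe.

```python
# Added example (not from the original thread): a posture audit over a
# constructed asset inventory. Names, OS labels and the patch id are
# hypothetical stand-ins for what a real CMDB would hold.
from collections import Counter
from dataclasses import dataclass, field

# Vendor-unsupported OS versions named in the thread.
UNSUPPORTED_OS = {"Windows 2000", "Windows XP"}
# Hypothetical identifier for the vendor fix closing the SMB flaw that
# EternalBlue relies on; a real inventory would carry the vendor's own id.
REQUIRED_PATCHES = {"PATCH-SMB-2017"}


@dataclass
class Asset:
    name: str
    os: str
    role: str                        # "domain_controller", "server" or "workstation"
    patches: set = field(default_factory=set)
    scanned: bool = False            # covered by the vulnerability scanner
    isolated_backup: bool = False    # backup held outside the production domain


def audit(assets):
    """Return (asset name, finding) pairs for every gap found in the inventory."""
    findings = []
    for a in assets:
        if a.os in UNSUPPORTED_OS:
            findings.append((a.name, "unsupported_os"))
        if REQUIRED_PATCHES - a.patches:
            findings.append((a.name, "missing_patch"))
        if not a.scanned:
            # A scanner blind spot: the asset exists but nothing reports on it.
            findings.append((a.name, "not_scanned"))
        if a.role == "domain_controller" and not a.isolated_backup:
            # A DC backup that lives inside the same domain dies with the domain.
            findings.append((a.name, "dc_no_isolated_backup"))
    return findings


def summarize(findings):
    """Count findings per category so the report can be prioritised."""
    return dict(Counter(kind for _, kind in findings))


def directory_recoverable(assets):
    """True only if at least one domain controller has a backup that a
    wormable compromise of the production domain would not also destroy."""
    dcs = [a for a in assets if a.role == "domain_controller"]
    return any(d.isolated_backup for d in dcs)


# Constructed sample inventory: two DCs, one legacy workstation, one current server.
SAMPLE = [
    Asset("dc01", "Windows Server 2008", "domain_controller",
          patches={"PATCH-SMB-2017"}, scanned=True),
    Asset("dc02", "Windows Server 2008", "domain_controller"),
    Asset("ws01", "Windows XP", "workstation", scanned=True),
    Asset("srv01", "Windows Server 2016", "server",
          patches={"PATCH-SMB-2017"}, scanned=True, isolated_backup=True),
]

if __name__ == "__main__":
    results = audit(SAMPLE)
    for name, kind in results:
        print(f"{name}: {kind}")
    print(summarize(results))
    print("directory recoverable:", directory_recoverable(SAMPLE))
```

The point of `directory_recoverable` is that per-asset findings alone miss the systemic failure: each DC may look "backed up" while no copy survives a simultaneous wipe of the whole domain, which is exactly the condition the post describes.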
Maersk’s cyber attack was not accidental; it involved a number of factors, and these factors were intertwined, together leading to the success of the attack.
The attackers exploited outdated software and operating systems used by Maersk, such as the Windows 2000 server software and the Windows XP operating system. Because Microsoft had discontinued support for these systems, they could not get the latest security patches. This is like a house without a doorman and with broken windows and doors: an attacker can easily break into the system through these known vulnerabilities. With the rapid development of information technology, old systems often become a hotbed of security risks, and hackers can easily find ways to invade with the help of public vulnerability information.
The attackers used advanced attack tools such as EternalBlue and EternalRomance, which enable remote access to infected systems and elevate permissions, allowing the attackers to control and modify the system without being detected. In addition, the NotPetya attack, while disguised as ransomware, was intended to permanently damage and disable infected systems and networks. This invisibility and destructiveness greatly increases the difficulty of defense. Attackers are like assassins lurking in the shadows, quietly disrupting the core functions of the system, and enterprises often do not realize that an attack has occurred until they have suffered serious damage.
From another perspective, infected software update mechanisms facilitate the spread of malware, allowing it to spread quickly and infect a large number of systems without user intervention. At the same time, many organizations, including Maersk, failed to patch known vulnerabilities in a timely manner, leaving their systems vulnerable for a long time. In addition, Maersk’s heavy dependence on a centralized domain controller architecture brought the entire network to a standstill after the domain controllers were compromised, further amplifying the reach and damage of the attack. These factors combined to bring about the success of the attack, and they also sounded the alarm for other enterprises, which need to comprehensively examine their own system architecture, security strategy, emergency response mechanism and other levels of information security protection in order to effectively resist increasingly complex and changing network attacks.
1. Outdated software and systems: Many of Maersk’s computer terminals were still using Microsoft’s long-unsupported Windows 2000 and Windows XP systems, which lacked security updates and were vulnerable to attacks.
2. Insufficient network security awareness: Although senior system administrators were aware of network vulnerabilities, they did not implement system upgrades in a timely manner due to their bonuses being tied to the uptime of the current infrastructure rather than to upgrades.
3. Complex cyberattack: The NotPetya ransomware spread through the compromised Ukrainian financial software MeDoc and leveraged tools leaked from the U.S. National Security Agency, such as EternalBlue and EternalRomance, enabling attackers to remotely access and control infected systems.
4. Lack of a comprehensive network backup system: While Maersk regularly backed up data, it did not have backups for critical domain controllers, which could have led to the collapse of the entire network structure once the attack occurred.
5. Inadequate emergency response: The emergency response team took a long time to realize the severity of the situation during the attack, delaying the implementation of response measures.
The attack on Maersk was successful primarily due to a combination of factors related to outdated systems, lack of timely updates, and the sophisticated nature of the NotPetya malware:
1. Outdated Software: Maersk was still using older operating systems like Windows 2000 and Windows XP, which were no longer supported by Microsoft. These systems did not receive critical security patches, making them vulnerable to known exploits such as those leveraged by NotPetya.
2. Lack of System Updates: Despite warnings from IT staff about vulnerabilities in the company’s infrastructure, system administrators had not implemented the necessary upgrades, leaving Maersk’s network exposed.
3. Sophisticated Malware: NotPetya was designed not just to extort money, but to cause widespread destruction. It spread quickly through networks, exploiting leaked NSA hacking tools (EternalBlue and EternalRomance) that allowed the attackers to gain remote access and escalate privileges.
4. Supply Chain Attack: The ransomware was initially spread through a compromised software update from MeDoc, a widely used Ukrainian financial software, which Maersk used for local tax filing. This attack vector allowed the malware to enter Maersk’s network through trusted third-party channels.
5. Failure in Backups: Although Maersk had regular backups, their domain controllers, which were essential for restoring access to the network, were also compromised in the attack. This made it difficult to restore the system quickly.
These factors combined to allow the attack to spread rapidly and shut down Maersk’s global operations, resulting in a significant disruption to its supply chain.
The NotPetya cyberattack on Maersk succeeded due to a combination of key factors:
Weaknesses in Maersk’s IT Infrastructure: The company had outdated software, lacked a robust backup strategy, and underestimated cybersecurity risks, making it vulnerable to the attack.
Sophistication of NotPetya Malware: The malware leveraged vulnerabilities in Ukrainian financial software and exploited NSA-discovered flaws, with the primary goal of irreversibly destroying data rather than merely encrypting it.
Strategic Timing and Rapid Spread: The attack was launched on Ukrainian Independence Day, allowing it to spread swiftly through Maersk’s global network, disrupting operations worldwide.
Insufficient Cyberattack Preparedness: Without an effective incident response plan, Maersk faced delays in recovery, leading to significant financial and operational losses.
The attack succeeded due to three main issues:
1. Outdated Software: Maersk used old systems like Windows 2000 and XP, which lacked security updates and were highly vulnerable.
2. Network Architecture: The company had 150 domain controllers that were all infected simultaneously, causing a total network collapse.
3. Lack of Preparedness: Despite warnings, Maersk had not fully implemented necessary upgrades, leaving its infrastructure susceptible to a catastrophic failure.
The cyberattack on Maersk by NotPetya was successful due to a variety of factors:
Maersk’s IT infrastructure had vulnerabilities, including outdated software, insufficient backup strategies, and an underestimation of cybersecurity threats.
The NotPetya malware was complex, utilizing vulnerabilities in Ukrainian financial software and those previously discovered by the NSA, and was designed to irreversibly destroy data.
The attack was well-timed and coordinated, initiated on Ukrainian Independence Day and rapidly disseminated throughout Maersk’s global network.
Maersk was unprepared for a cyberattack, lacking an effective incident response plan, which resulted in delayed recovery and significant costs.
The attack was successful due to several key vulnerabilities:
Outdated IT Systems: Maersk was running Windows 2000 and Windows XP, which had known security flaws and were no longer supported with updates.
Unpatched Software: Even though Microsoft had released a security patch to fix the vulnerability (EternalBlue exploit), Maersk had not applied it across all its systems.
Global Network Connectivity: The malware spread rapidly through Maersk’s interconnected global network, affecting all 150 domain controllers, making recovery difficult.
Phishing and Software Supply Chain Attack: The attackers infiltrated MeDoc’s software update mechanism, exploiting the trust relationship between businesses and their software providers.
The NotPetya cyberattack on Maersk was successful due to a combination of aspects and factors:
Vulnerabilities in Maersk’s IT Infrastructure: Outdated software, inadequate backup strategies, and underestimation of cybersecurity risks.
Complexity of NotPetya Malware: Exploiting Ukrainian financial software and NSA vulnerabilities for attacks, and designed to permanently destroy data.
Timing and Coordination of the Attack: Launching on Ukrainian Independence Day and quickly spreading across Maersk’s global network.
Lack of Preparedness for a Cyberattack: No effective incident response plan, leading to slow recovery and high costs.
Due to some critical vulnerabilities, the attack was successful:
Poor IT hygiene: Despite internal warnings, delayed upgrades and backups expose the system. Domain controllers lack independent backups, and IT personnel prioritize normal operating time over updates.
Supply chain vulnerability: Malicious software spreads through trusted third-party software updates (MeDoc), bypassing traditional defenses.
Network interconnectivity: Once entered, malicious software will rapidly spread within Maersk’s global integrated network, while disabling all 150 domain controllers.
Outdated systems: Maersk uses unsupported Windows 2000 and XP systems, which lack security patches for vulnerabilities such as EternalBlue.
First, Maersk’s information systems had obvious security gaps. Some of the company’s computers still use outdated Windows operating systems, which are no longer officially supported and have a number of known security holes. It was these vulnerabilities that the attackers exploited to successfully breach Maersk’s network.
Secondly, Maersk’s awareness and investment in cybersecurity is insufficient. Although company system administrators had warned of security risks in the network, for various reasons, these warnings were not heeded enough. The company failed to upgrade and patch in a timely manner, leaving the system exposed for a long time.
Finally, supply chain security vulnerabilities are also important reasons for the success of this attack. By infecting the Ukrainian financial software MeDoc, the attackers exploited supply chain relationships to spread the malware, eventually affecting several multinational companies, including Maersk. This shows that in a highly connected global economy, a security breach at any one link can have a serious impact on the entire supply chain.
The attack was successful because Maersk had poor cybersecurity hygiene, including unpatched systems, weak network segmentation, and outdated infrastructure. The NotPetya malware exploited Microsoft Windows vulnerabilities (EternalBlue and EternalRomance), which Maersk had not fully patched, allowing it to spread rapidly across the company’s interconnected global network. Additionally, all 150 of Maersk’s domain controllers were wiped out simultaneously, making recovery nearly impossible. The lack of proper segmentation between critical and non-critical systems further enabled the malware to propagate unchecked, leading to a complete shutdown of Maersk’s operations.
1. System vulnerability: The attacker took advantage of the outdated Windows 2000 server software and Windows XP operating system used by Maersk, which had not received security patches because Microsoft had stopped supporting them. This allowed an attacker to break into the system through these known vulnerabilities.
2. Defects of the backup strategy: Although Maersk had a good habit of backing up data regularly, key domain controller data was missing from the backups. The domain controller is the “central nervous system” of the network, responsible for user authentication and resource access. Because all domain controllers were attacked by the same malware at the same time, the entire network structure was permanently lost.
3. Lack of emergency preparedness: Although the senior system administrator warned of the network’s vulnerability, the leadership-approved upgrade was never implemented because system administrators’ bonuses were linked to the uptime of the current infrastructure rather than to installing upgrades. This suggests a lack of adequate preparedness and contingency plans to address cyber attacks.
4. Supply chain attack: The attackers used the update mechanism of a third-party editing tool, which is a supply chain attack. The attackers attacked other organizations through this channel, while they themselves became targets. The success of this attack approach demonstrates the importance of supply chain security.
5. Concealment and destructiveness of the attack: The attackers used advanced attack tools such as EternalBlue and EternalRomance, which can remotely access infected systems and escalate privileges, allowing the attackers to control and modify the system without being detected. In addition, NotPetya masqueraded as ransomware, but its real purpose was to permanently destroy and disable infected systems and networks.
To sum up, the success of the attack was the result of Maersk’s system vulnerabilities, backup strategy defects, lack of emergency preparedness, and the concealment and destructiveness of the supply chain attack.
The attack was successful due to several factors:
Compromised Software Update: The attackers exploited a compromised software update mechanism to distribute the malware. This allowed the malware to spread rapidly and infect a large number of systems without requiring user interaction.
Lack of Patches: The vulnerability exploited by the attackers had been known for some time, but many organizations, including Maersk, had not applied the necessary patches. This lack of timely patching left systems vulnerable to attack.
Centralized Architecture: Maersk’s IT infrastructure relied heavily on a centralized domain controller architecture. When the domain controllers were compromised, it affected the entire network, leading to a widespread shutdown of operations.
1. Outdated Systems: Maersk used old operating systems like Windows 2000 and Windows XP, which were no longer supported by Microsoft and lacked critical security patches.
2. Lack of System Upgrades: Despite warnings from senior system administrators, necessary upgrades were not implemented due to concerns about system downtime.
3. Inadequate Backup Strategy: While data backups were in place, the domain controllers were not adequately protected, resulting in the complete loss of the network structure.
4. Global Network Vulnerability: The interconnected nature of Maersk’s global network allowed the malware to spread rapidly, infecting all 150 domain controllers simultaneously.
The NotPetya ransomware attack on Maersk was successful due to the following key vulnerabilities:
Outdated IT Systems: Maersk was using Windows 2000 and Windows XP, which had well-known security flaws and were no longer receiving updates. This made its systems highly vulnerable to attacks.
Unpatched Software: Despite Microsoft releasing a security patch to address the vulnerability (EternalBlue exploit), Maersk failed to apply it across all its systems. As a result, the unpatched systems were easy targets for the malware.
Global Network Connectivity: The malware spread quickly through Maersk’s interconnected global network. It affected all 150 domain controllers, making the recovery process extremely difficult. The extensive global network connectivity, which was supposed to facilitate business operations, instead became a conduit for the rapid spread of the malware.
Phishing and Software Supply Chain Attack: The attackers managed to infiltrate MeDoc’s software update mechanism. By exploiting the trust relationship between businesses and their software providers, they were able to introduce the malware into Maersk’s systems through the software update process, which is a form of phishing and software supply chain attack.
Multiple factors led to Maersk’s vulnerability during the NotPetya incident. Maersk’s IT setup had major flaws, with some computers using obsolete Windows systems that were unpatched and had numerous security holes, exploited by attackers. The firm also showed low cybersecurity awareness and investment. Even though system admins flagged risks, Maersk failed to upgrade and patch promptly, leaving its systems at risk. Further, supply chain security lapses were a key factor. Attackers infected the Ukrainian MeDoc financial software and used supply chain ties to spread malware, affecting Maersk and others. This reveals that in today’s linked-up global business world, one weak security link can trigger extensive problems across the whole supply chain network.
1. Outdated software: Maersk had ancient Windows 2000 server software and many PC terminals still ran on Windows XP, for which Microsoft had long discontinued support. As a result, these systems did not receive security patches, leaving them vulnerable to attacks.
2. Lack of system upgrades: Although the senior leadership team had approved system upgrades, the systems administrators, whose bonuses depended on current infrastructure uptime, did not implement them. This negligence left the company’s network exposed.
3. Failure to account for a comprehensive backup: Maersk made regular data backups, but it did not consider the possibility of all 150 domain controllers being hit simultaneously. The domain controllers, which were the central nervous system of the network, were crucial for identity management and resource access. When all of them were wiped out by the malware, the company’s entire network structure was lost.
4. Communication disruptions: The cyberattack disabled Maersk’s email, messaging, and phone systems. This made it difficult for the emergency-response centre to communicate with key IT staff at different domain controller sites, hampering the recovery efforts.
The attack was successful due to several key factors:
1. Unpatched Vulnerabilities: The outdated Windows systems used by Maersk were not updated with the latest security patches, making them vulnerable to known exploits.
2. Simultaneous Domain Controller Attack: The malware targeted all 150 domain controllers simultaneously, which are essential for network management. This wiped out the entire network structure in one go.
3. Lack of Proactive Security Measures: Maersk’s systems were not regularly updated or maintained, and there was no proactive approach to cybersecurity, leaving the company ill-prepared to handle such a sophisticated attack.
The success of the NotPetya cyber attack on Maersk was the result of a combination of inadequate internal cyber security measures, the exploitation of external threats, and cyber warfare triggered by the situation in Ukraine. While Maersk followed best practices when it came to data backup, it was missing a backup of key domain controllers, which are responsible for mapping the company’s network and authorizing user access. In the attack, all 150 domain controllers were simultaneously hit by the malware, resulting in the loss of the entire network structure. NotPetya is a highly sophisticated ransomware that exploits NSA vulnerabilities (such as EternalBlue and EternalRomance) that were originally used for Internet surveillance. The compromised vulnerability allows the attacker to remotely access the infected system and install additional software on the system, stealing data and passwords. After the 2014 Ukraine crisis, Russia began launching cyber attacks on Ukraine’s economy and infrastructure in support of pro-Russian forces. Maersk, a company that does business in the region, was attacked using MeDoc software, which in turn infected its global network.
The attack on Maersk was successful mainly due to:
1. Outdated Systems: Maersk used old Windows operating systems that were no longer supported and lacked security updates.
2. Software Exploits: Attackers used known vulnerabilities in Windows systems to gain access and spread malware.
3. Phishing Attacks: Employees fell for phishing emails, which allowed malware to enter the network.
4. Network Vulnerabilities: The company’s network architecture had a single point of failure, and all domain controllers were hit simultaneously.
5. Lack of Updates: Necessary system upgrades and security patches had not been implemented despite warnings.
6. Inadequate Backup Strategy: The backup plan did not account for the simultaneous compromise of all domain controllers.
These factors allowed the attackers to successfully infiltrate and disrupt Maersk’s operations.
1. Outdated IT infrastructure: Maersk uses Windows 2000 and Windows XP, which no longer receive security updates from Microsoft.
2. Interconnected Global Network: Maersk’s global operations rely on a highly interconnected network. Once ransomware infiltrates one part of a network, it can quickly spread to the entire system.
3. Third-party software vulnerability: Maersk trusted the software and its updates, which allowed the malware to infiltrate its systems.
5. Delayed response: The attack crippled Maersk’s email, messaging and phone systems, making it difficult to coordinate an immediate response.
1) Technical vulnerabilities
Unrepaired Known Vulnerabilities (CVE)
Root cause of the problem: The patch management process is lagging behind, and the vulnerability scanning tool has not covered all assets.
2) Human factors and internal threats
Social Engineering Attack
Root cause of the problem: Employees lack safety awareness training and have not activated Multi Factor Authentication (MFA).
3) Organizational processes and governance deficiencies
Security response lag
Root cause of the problem: The incident response plan (IRP) is not regularly practiced, resulting in a lengthy decision-making chain.
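The first root cause above (a lagging patch process and a scanner that does not cover every asset) is the kind of gap that an inventory-driven audit makes visible. The script below is an added example and is not part of the original discussion or of any Maersk tooling; the inventory, hostnames, dates and scanner coverage list are all constructed, and the `smb_patch_applied` field stands in for whatever patch-state attribute a real inventory would carry for the SMBv1 fix that EternalBlue needed.

```python
"""
Added example (not from the original discussion): a small audit over a constructed
asset inventory that surfaces the two root causes named in the thread - a lagging
patch process and a vulnerability scanner that has not reached every asset.
"""
from dataclasses import dataclass
from datetime import date

# Windows versions whose vendor support had ended (Windows 2000 and XP are the ones
# the discussion names); anything on this list can no longer receive security patches.
UNSUPPORTED_OS = {"Windows 2000", "Windows XP"}

# Constructed audit date used by the sample run below.
AUDIT_DATE = date(2017, 6, 30)


@dataclass(frozen=True)
class Asset:
    hostname: str
    os: str
    role: str                 # e.g. "domain_controller", "workstation"
    smb_patch_applied: bool   # hypothetical field: fix for the SMBv1 flaws applied?
    last_patched: date        # date of the most recent successful patch cycle


# Constructed sample inventory; none of these hosts are real.
INVENTORY = [
    Asset("dc-01", "Windows Server 2012", "domain_controller", True, date(2017, 6, 20)),
    Asset("dc-02", "Windows Server 2008", "domain_controller", False, date(2017, 1, 15)),
    Asset("ws-legacy-01", "Windows XP", "workstation", False, date(2014, 4, 8)),
    Asset("fin-01", "Windows 7", "finance", False, date(2017, 2, 1)),
    Asset("app-01", "Windows 2000", "application_server", False, date(2010, 7, 13)),
]

# Hosts the vulnerability scanner actually reached in its last run (constructed).
SCANNER_COVERED = {"dc-01", "dc-02", "fin-01"}


def audit(inventory, scanner_covered, today, max_patch_age_days=60):
    """Return findings keyed by category; each value is a sorted list of hostnames.

    A host can appear in several categories: an unsupported OS is also, by
    definition, unpatched and lagging.
    """
    findings = {"unsupported_os": [], "smb_patch_missing": [],
                "patch_lag": [], "scanner_gap": []}
    for a in inventory:
        if a.os in UNSUPPORTED_OS:
            findings["unsupported_os"].append(a.hostname)
        if not a.smb_patch_applied:
            findings["smb_patch_missing"].append(a.hostname)
        if (today - a.last_patched).days > max_patch_age_days:
            findings["patch_lag"].append(a.hostname)
        if a.hostname not in scanner_covered:
            # The scanner cannot report on what it never reached; this is the
            # blind spot the thread calls "has not covered all assets".
            findings["scanner_gap"].append(a.hostname)
    return {k: sorted(v) for k, v in findings.items()}


def coverage_ratio(inventory, scanner_covered):
    """Fraction of inventoried hosts the scanner reached (0.0 when inventory is empty)."""
    if not inventory:
        return 0.0
    covered = sum(1 for a in inventory if a.hostname in scanner_covered)
    return covered / len(inventory)


if __name__ == "__main__":
    result = audit(INVENTORY, SCANNER_COVERED, AUDIT_DATE)
    for category, hosts in result.items():
        print(f"{category:18s} {', '.join(hosts) or '-'}")
    print(f"scanner coverage   {coverage_ratio(INVENTORY, SCANNER_COVERED):.0%}")
```

The point of reconciling the inventory against the scanner's reach, rather than reading the scanner report alone, is that the two hosts with the worst posture in the sample (the Windows 2000 and XP machines) are exactly the ones the scanner never saw; a report built only from scanner output would show them as having no findings.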
The NotPetya ransomware attack on Maersk was successful due to multiple critical vulnerabilities within the company’s IT infrastructure.
Firstly, Maersk had poor IT hygiene. Despite internal warnings, there were significant delays in system upgrades and backups. Domain controllers lacked independent backups, and IT personnel placed more emphasis on maintaining normal operating time rather than carrying out necessary updates. This left the systems exposed and vulnerable.
Secondly, the supply chain proved to be a weak link. Malicious software infiltrated through updates of trusted third-party software, specifically MeDoc, bypassing traditional security defenses.
Thirdly, Maersk’s extensive network interconnectivity became a liability. Once the malware entered the system, it spread rapidly throughout Maersk’s global integrated network, disabling all 150 domain controllers at once.
Finally, the use of outdated systems, such as unsupported Windows 2000 and XP which lacked security patches for vulnerabilities like EternalBlue, compounded the problem. Weak network segmentation between critical and non-critical systems also allowed the malware to propagate freely. As a result, Maersk’s operations came to a complete halt, and recovery was made extremely difficult.
The attack on the Maersk Hangzhou in 2024 was successful because the Houthi armed group in Yemen, which supports Hamas, intended to influence the situation in the Red Sea region and express its political stance by attacking commercial ships. The group used coastal missile batteries, loitering munitions, and fast-attack craft to launch attacks. Despite the protection provided by Operation Prosperity Guardian, the Maersk Hangzhou was still hit by a missile and faced an attempted boarding.
The NotPetya ransomware attack on Maersk was successful due to a combination of factors, including vulnerabilities in software, inadequate cybersecurity measures, and the interconnected nature of global business networks. It was a combination of outdated software, inadequate cybersecurity measures, and the interconnected nature of Maersk’s global network. The attack underscores the importance of regular software updates, robust patch management, network segmentation, and comprehensive backup and recovery strategies. It also highlights the need for continuous employee training to recognize and avoid phishing attempts. Maersk’s experience serves as a cautionary tale for other organizations to prioritize cybersecurity and be prepared for such incidents.
The NotPetya attack was successful because it exploited vulnerabilities in the MeDoc software supply chain, and Maersk’s network had a large number of old, unupdated software (such as Windows 2000 and Windows XP) that were vulnerable to infection due to a lack of security patches. At the same time, Maersk’s network lacked effective segmentation isolation measures, which allowed the malware to quickly spread across the global network, eventually resulting in a complete system crash.
Maersk’s cargo ships were not directly attacked, but its IT systems were severely impacted by the NotPetya ransomware. The malware initially spread through the Ukrainian financial software MeDoc, which was compromised via its update mechanism. When Maersk employees used infected computers, the malware infiltrated the company’s internal network.
Once inside, NotPetya exploited unpatched Windows vulnerabilities (EternalBlue and EternalRomance) to gain administrative access and spread rapidly. Due to weak network segmentation and outdated security controls, all 150 of Maersk’s domain controllers were wiped out, causing a complete shutdown of its global IT infrastructure. This led to major disruptions in cargo ship operations, port activities, and global trade, highlighting the risks of cyber threats in an increasingly digitalized industry.
The attack succeeded because of several critical vulnerabilities:
1. Inadequate IT Hygiene
Despite internal alerts, Maersk faced issues due to postponed upgrades and backups. The system was left exposed as domain controllers didn’t have independent backups. IT staff placed more importance on maintaining normal operating hours rather than carrying out necessary updates. This negligence created loopholes that attackers could exploit.
2. Supply Chain Weakness
The malware managed to spread via trusted third-party software updates from MeDoc. Since these updates came from a seemingly reliable source, they bypassed traditional security defenses. This vulnerability within the supply chain highlights how a single compromised link can have far-reaching consequences for an entire organization like Maersk.
3. High-level Network Interconnectivity
Once the malicious software entered Maersk’s network, it took full advantage of the company’s global integrated network. It spread at a rapid pace and was able to disable all 150 domain controllers. The high degree of interconnectivity, which is usually an asset for business operations, became a liability in the face of a cyber-attack.
4. Use of Outdated Systems
Maersk was still using Windows 2000 and XP systems, which were no longer supported. These systems lacked the security patches needed to protect against vulnerabilities like EternalBlue. By relying on such outdated technology, Maersk left itself open to exploitation by attackers who were aware of these unpatched weaknesses.
The NotPetya ransomware attack on Maersk succeeded because of several key vulnerabilities in its IT infrastructure, including poor IT hygiene with significant delays in system upgrades and backups, domain controllers lacking independent backups, and IT staff prioritizing normal operating time over updates; a weak supply chain where malware infiltrated via updates of the trusted third-party software MeDoc bypassing security defenses; the company’s extensive network interconnectivity that enabled rapid malware spread throughout its global integrated network and disabled all 150 domain controllers at once; and the use of outdated systems like unsupported Windows 2000 and XP without security patches for vulnerabilities such as EternalBlue, along with weak network segmentation between critical and non-critical systems, leading to a complete halt of Maersk’s operations and making recovery extremely challenging.
The attack exploited multiple vulnerabilities:
A. Outdated Systems: Maersk used unsupported Windows 2000/XP systems, leaving them unpatched against known exploits like EternalBlue.
B. Supply Chain Compromise: NotPetya was disguised as a legitimate MeDoc update, leveraging trust in software vendors to bypass defenses.
C. Weak Backup Strategy: While Maersk backed up data, its domain controllers (central network directories) were not isolated, allowing the malware to wipe out all 150 nodes simultaneously.
D. Slow Response: Delayed recognition of the attack and communication failures (email/phone outages) hindered containment, exacerbating damage.
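Point C above (backups existed, but the domain controller copies were not isolated from the systems they protected) can be checked mechanically against a backup catalogue. The script below is an added example, not part of the original thread or of any Maersk system; the domain controller names, backup records, storage-class labels and the seven-day freshness window are all constructed assumptions, chosen only to show how "we have backups" and "we can restore the directory" can differ.

```python
"""
Added example (not from the original thread): assess whether domain controller
backups would survive a wiper that runs with domain credentials, i.e. whether at
least one fresh, restore-tested copy sits outside the domain's reach.
"""
from dataclasses import dataclass
from datetime import date

# Constructed storage-class labels for copies a domain-joined wiper cannot reach.
ISOLATED = {"offline_tape", "immutable_object_store"}

# Constructed audit date used by the sample run below.
AUDIT_DATE = date(2017, 6, 27)


@dataclass(frozen=True)
class Backup:
    host: str
    taken: date
    storage: str           # e.g. "domain_share", "offline_tape", "immutable_object_store"
    restore_tested: bool   # a restore drill succeeded from this copy


# Constructed sample: three domain controllers and their catalogued backups.
DOMAIN_CONTROLLERS = ["dc-eu-01", "dc-us-01", "dc-apac-01"]

CATALOGUE = [
    # Nightly copy on a domain share: reachable by anything with domain admin rights.
    Backup("dc-eu-01", date(2017, 6, 26), "domain_share", True),
    # Monthly tape: isolated, but nearly four weeks old.
    Backup("dc-eu-01", date(2017, 6, 1), "offline_tape", True),
    # Only a domain-share copy: the wiper takes the DC and its backup together.
    Backup("dc-us-01", date(2017, 6, 26), "domain_share", True),
    # Isolated and fresh, but a restore has never been rehearsed from it.
    Backup("dc-apac-01", date(2017, 6, 25), "immutable_object_store", False),
]


def assess_dc_backups(dcs, catalogue, today, max_age_days=7):
    """Return {host: status}; status is 'ok', 'stale', 'untested' or 'missing'.

    Only copies in ISOLATED storage count, because copies on domain-joined
    storage fall with the domain. Of those, the newest decides the status.
    """
    status = {}
    for dc in dcs:
        isolated = [b for b in catalogue if b.host == dc and b.storage in ISOLATED]
        if not isolated:
            status[dc] = "missing"
            continue
        newest = max(isolated, key=lambda b: b.taken)
        if (today - newest.taken).days > max_age_days:
            status[dc] = "stale"
        elif not newest.restore_tested:
            status[dc] = "untested"
        else:
            status[dc] = "ok"
    return status


def directory_recoverable(status):
    """Rebuilding the directory needs at least one DC copy that is isolated,
    fresh and proven restorable; everything else is hope, not a recovery plan."""
    return any(s == "ok" for s in status.values())


if __name__ == "__main__":
    result = assess_dc_backups(DOMAIN_CONTROLLERS, CATALOGUE, AUDIT_DATE)
    for host, state in result.items():
        print(f"{host:12s} {state}")
    print("directory recoverable:", directory_recoverable(result))
```

In the constructed catalogue every controller has a backup of some kind, yet none passes: one isolated copy is stale, one controller has no isolated copy at all, and the remaining copy has never been restore-tested. The check is deliberately per-controller and then aggregated, because a single surviving directory copy is what makes a rebuild possible at all, and that copy must exist before the incident, not be searched for during it.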
Maersk’s cyber attack was not accidental; it involved a number of intertwined factors that together led to the success of the attack.
The attackers exploited outdated software and operating systems used by Maersk, such as the Windows 2000 server software and the Windows XP operating system. Because Microsoft had discontinued support for these systems, they could not get the latest security patches. This is like a house without a doorman and with broken windows and doors: an attacker can easily break into the system through these known vulnerabilities. With the rapid development of information technology, old systems often become a hotbed of security risks, and hackers can easily find ways to invade with the help of public vulnerability information.
The attackers used advanced attack tools such as EternalBlue and EternalRomance, which enable remote access to infected systems and elevate permissions, allowing the attackers to control and modify the system without being detected. In addition, the NotPetya attack, while disguised as ransomware, was intended to permanently damage and disable infected systems and networks. This invisibility and destructiveness greatly increases the difficulty of defense. Attackers are like assassins lurking in the shadows, quietly disrupting the core functions of the system, and enterprises often do not realize that the attack has occurred until they have suffered serious damage.
From another perspective, infected software update mechanisms facilitate the spread of malware, allowing it to spread quickly and infect a large number of systems without user intervention. At the same time, many organizations, including Maersk, failed to patch known vulnerabilities in a timely manner, leaving their systems vulnerable for a long time. In addition, Maersk’s heavy dependence on a centralized domain controller architecture brought the entire network to a standstill after the domain controllers were compromised, further amplifying the reach and damage of the attack. These factors combined to bring about the success of the attack, and they also sound the alarm for other enterprises: information security protection requires a comprehensive examination of system architecture, security strategy, emergency response mechanisms and other levels, in order to effectively resist increasingly complex and changing network attacks.
1. Outdated software and systems: Many of Maersk’s computer terminals were still using Microsoft’s long-unsupported Windows 2000 and Windows XP systems, which lacked security updates and were vulnerable to attacks.
2. Insufficient network security awareness: Although senior system administrators were aware of network vulnerabilities, they did not implement system upgrades in a timely manner due to their bonuses being tied to the uptime of the current infrastructure rather than to upgrades.
3. Complex cyberattack: The NotPetya ransomware spread through the compromised Ukrainian financial software MeDoc and leveraged tools leaked from the U.S. National Security Agency, such as EternalBlue and EternalRomance, enabling attackers to remotely access and control infected systems.
4. Lack of a comprehensive network backup system: While Maersk regularly backed up data, it did not have backups for critical domain controllers, which could have led to the collapse of the entire network structure once the attack occurred.
5. Inadequate emergency response: The emergency response team took a long time to realize the severity of the situation during the attack, delaying the implementation of response measures.
The attack on Maersk was successful primarily due to a combination of factors related to outdated systems, lack of timely updates, and the sophisticated nature of the NotPetya malware:
1. Outdated Software: Maersk was still using older operating systems like Windows 2000 and Windows XP, which were no longer supported by Microsoft. These systems did not receive critical security patches, making them vulnerable to known exploits such as those leveraged by NotPetya.
2. Lack of System Updates: Despite warnings from IT staff about vulnerabilities in the company’s infrastructure, system administrators had not implemented the necessary upgrades, leaving Maersk’s network exposed.
3. Sophisticated Malware: NotPetya was designed not just to extort money, but to cause widespread destruction. It spread quickly through networks, exploiting leaked NSA hacking tools (EternalBlue and EternalRomance) that allowed the attackers to gain remote access and escalate privileges.
4. Supply Chain Attack: The ransomware was initially spread through a compromised software update from MeDoc, a widely used Ukrainian financial software, which Maersk used for local tax filing. This attack vector allowed the malware to enter Maersk’s network through trusted third-party channels.
5. Failure in Backups: Although Maersk had regular backups, their domain controllers, which were essential for restoring access to the network, were also compromised in the attack. This made it difficult to restore the system quickly.
These factors combined to allow the attack to spread rapidly and shut down Maersk’s global operations, resulting in a significant disruption to its supply chain.
The NotPetya cyberattack on Maersk succeeded due to a combination of key factors:
Weaknesses in Maersk’s IT Infrastructure: The company had outdated software, lacked a robust backup strategy, and underestimated cybersecurity risks, making it vulnerable to the attack.
Sophistication of NotPetya Malware: The malware leveraged vulnerabilities in Ukrainian financial software and exploited NSA-discovered flaws, with the primary goal of irreversibly destroying data rather than merely encrypting it.
Strategic Timing and Rapid Spread: The attack was launched on Ukrainian Independence Day, allowing it to spread swiftly through Maersk’s global network, disrupting operations worldwide.
Insufficient Cyberattack Preparedness: Without an effective incident response plan, Maersk faced delays in recovery, leading to significant financial and operational losses.
The attack succeeded due to three main issues:
1. Outdated Software: Maersk used old systems like Windows 2000 and XP, which lacked security updates and were highly vulnerable.
2. Network Architecture: The company had 150 domain controllers that were all infected simultaneously, causing a total network collapse.
3. Lack of Preparedness: Despite warnings, Maersk had not fully implemented necessary upgrades, leaving its infrastructure susceptible to a catastrophic failure.
The cyberattack on Maersk by NotPetya was successful due to a variety of factors:
Maersk’s IT infrastructure had vulnerabilities, including outdated software, insufficient backup strategies, and an underestimation of cybersecurity threats.
The NotPetya malware was complex, utilizing vulnerabilities in Ukrainian financial software and those previously discovered by the NSA, and was designed to irreversibly destroy data.
The attack was well-timed and coordinated, initiated on Ukrainian Independence Day and rapidly disseminated throughout Maersk’s global network.
Maersk was unprepared for a cyberattack, lacking an effective incident response plan, which resulted in delayed recovery and significant costs.