1. The NotPetya malware was disguised as a routine software update for MeDoc, a Ukrainian tax and accounting software.
2. Employees unknowingly installed the update, which contained the malicious code.
3. The malware used the EternalBlue and EternalRomance exploits (leaked NSA tools) to spread across Maersk’s entire IT infrastructure.
4. All domain controllers were wiped out, effectively erasing the entire network’s authentication system.
5. Shipping operations collapsed, forcing Maersk to switch to manual processes (pen and paper) to keep some operations running.
6. The company discovered an uninfected backup in Ghana, which helped restore its systems after an intense recovery operation.
7. The attack cost Maersk an estimated $300 million in damages, IT replacements, and lost business.
Initial Infection: MeDoc employees opened phishing emails containing malicious software, allowing attackers to gain access to MeDoc’s network.
Dormant Propagation: Attackers stole data and credentials, enabling them to move laterally within the network and potentially target other organizations using MeDoc. NotPetya remained dormant for five days until the eve of Ukrainian Constitution Day, suggesting a politically motivated attack likely sponsored by a state actor aligned with Russia.
Attack Execution and Spread: On June 27, NotPetya was activated, encrypting files and displaying a fake ransomware payment screen.
Impact on Maersk: Maersk’s entire network was shut down, impacting operations globally. Shipping terminals were closed, and manual processes had to be implemented, causing significant delays and financial losses. The attack also resulted in the permanent loss of data on infected devices that were not backed up, including critical business and personal information.
The attack unfolded in stages:
Initial Compromise: Hackers infiltrated MeDoc via phishing, embedding NotPetya into a legitimate software update distributed to users, including Maersk’s Ukrainian operations.
Exploitation: The malware exploited unpatched Windows vulnerabilities to gain control of systems, steal credentials, and spread laterally.
Global Propagation: NotPetya encrypted data and destroyed Maersk’s domain controllers, rendering the network inoperable. Critical systems (email, phones, logistics) collapsed.
Recovery Challenges: Only a single domain controller in Ghana (saved by a power outage) allowed partial restoration. Maersk manually rebuilt its IT infrastructure, reinstalling 4,000 servers and 45,000 PCs in 10 days.
In fact, the Maersk, as a cargo ship, was not directly attacked by the cyber attack itself. Instead, Maersk, the freighter’s operator, had its information systems hit by a ransomware attack called NotPetya.
Specifically, the attackers first infected the Ukrainian financial software MeDoc, and then used supply chain relationships to spread the malware to a number of multinational companies, including Maersk. When Maersk employees were using computers infected with the malware to go about their daily operations, the malware took the opportunity to infiltrate the company’s information systems.
Once the breach succeeded, the malware quickly spread through the company’s internal network, causing systems to crash and data to be encrypted. As Maersk’s information system is the core of its global business operations, the attack had a huge impact on Maersk, including blocked cargo ship operations, halted port operations, etc. Although the Maersk freighter itself was not directly damaged, Maersk as a whole suffered a serious cyber attack.
The Maersk attack happened through the NotPetya malware, which initially spread via MeDoc, a Ukrainian tax software used by companies operating in Ukraine. Attackers compromised MeDoc’s software update mechanism, inserting malware that executed automatically when users installed the update. Once inside Maersk’s network, NotPetya exploited unpatched Microsoft Windows vulnerabilities (EternalBlue and EternalRomance) to gain administrative privileges and spread laterally across all connected systems. Due to poor network segmentation and outdated security controls, the malware wiped out all 150 of Maersk’s domain controllers, leading to a complete shutdown of its global IT infrastructure.
On June 27, 2017, A. P. Møller-Maersk suffered a serious cyber attack that disabled the company’s global network system. The attack was caused by a ransomware software called NotPetya that specifically targeted the MeDoc finance program in Ukraine. Attackers took advantage of vulnerabilities leaked by the National Security Agency (NSA), such as EternalBlue and EternalRomance, that allow attackers to remotely access infected systems. When the attack occurred, Maersk’s IT support team was meeting in London, suddenly noticing that all the systems had turned red, and then all the laptops began to restart automatically. The attack quickly spread to the company’s global network, forcing the company to manually manage its shipping operations as the online system became unavailable. The attack resulted in the company having to reinstall 45,000 PCs and 4,000 servers in order to restore its IT infrastructure. The attack brought huge economic losses and operational challenges to Maersk, and the company had to take emergency measures to deal with the crisis.
The Maersk attack unfolded in the following sequence:
Initial Infection: The NotPetya ransomware was spread through a compromised software update from a third-party vendor. When Maersk’s systems downloaded and installed this update, they became infected with the malware.
Domain Controller Compromise: The malware quickly spread through Maersk’s network, eventually compromising the domain controllers. The domain controllers are the central authentication and access control points for the network, so their compromise had severe consequences.
1. Initial Infection: The NotPetya ransomware entered Maersk’s network through a compromised software update from a Ukrainian tax filing program called MeDoc.
2. Rapid Spread: Once inside the network, the malware exploited vulnerabilities in Microsoft Windows to gain access and escalate privileges, allowing it to spread quickly across the entire network.
3. Network Shutdown: The malware encrypted data and wiped out the domain controllers, causing the entire network to go down. Maersk’s IT team had to shut down the network manually, but the damage was already done.
4. Recovery Challenges: The attack wiped out all 150 domain controllers, making network recovery extremely difficult. Maersk had to rely on a backup domain controller from Ghana, which had been offline during the attack, to restore its network infrastructure.
Initial Infection and Dormant Propagation: The attack on Maersk started with MeDoc employees opening phishing emails containing malicious software, which gave attackers access to MeDoc’s network. The attackers then stole data and credentials, allowing lateral movement within the network. NotPetya remained dormant for five days until the eve of Ukrainian Constitution Day, indicating a politically motivated, state-sponsored attack, likely by a Russian-aligned actor.
Attack Execution and Spread: On June 27, NotPetya was activated. It encrypted files and showed a fake ransomware payment screen. The malware spread quickly, taking advantage of Maersk’s interconnected global network, affecting all 150 domain controllers.
Impact on Maersk: Maersk’s entire network was shut down, leading to global operational disruptions. Shipping terminals were closed, and manual processes had to be adopted, causing significant delays and financial losses. Moreover, there was permanent data loss on infected, non-backed-up devices, including crucial business and personal information.
The NotPetya attack started when MeDoc employees opened phishing emails, giving attackers access to MeDoc’s network. Over five days, attackers stole data and credentials, remaining dormant until Ukrainian Constitution Day eve, likely part of a state-sponsored political attack. On June 27, NotPetya activated, encrypting files with a fake ransom screen. Maersk suffered greatly, with its global network down, shipping terminals closed, and manual operations causing delays and losses. Infected, unbacked-up devices also lost critical data.
1. Initial infection: In the weeks leading up to the attack, MeDoc employees opened phishing emails containing malware attachments or linked to malware servers. The attackers used leaked NSA exploits like EternalBlue and EternalRomance. EternalBlue allowed remote access to infected systems through vulnerable Microsoft Windows’ file and printer sharing protocols, and EternalRomance escalated privileges to control and modify systems without detection.
2. Spread through the network: Once the computers were infected, the attackers could install other software, monitor communications, and steal data and passwords. Using these stolen passwords, they were able to hide the NotPetya ransomware in a software update that was pushed out to MeDoc customers on June 22, 2017. When the malware activated on June 27, it spread through infected networks at an unprecedented speed. It started with unscheduled reboots of computers, followed by encoding of the master boot record. A fake ransomware payment screen was then displayed, but in fact, the malware aimed to permanently destroy and disable infected systems and networks.
3. Impact on Maersk: Maersk’s systems started to show signs of the attack when monitoring screens turned red and laptops began to reboot simultaneously across the company’s global network. The company’s network took more than two hours to shut down as employees struggled to communicate through alternative means like WhatsApp and personal phones. The domain controllers, which were essential for the network’s operation, were all compromised, leading to a complete network outage. This, in turn, caused shipping terminals around the world to become backlogged as Maersk had to close terminals and manage shipments manually, resulting in a significant disruption to its operations.
The attack on Maersk occurred due to a sophisticated cyberattack involving the NotPetya ransomware. This malware targeted the company’s outdated Windows systems, which had not been updated with the latest security patches. The attack was particularly effective because it simultaneously hit all 150 domain controllers across Maersk’s global network, causing a complete loss of network connectivity and data.
The NotPetya ransomware utilized leaked NSA exploits, such as EternalBlue and EternalRomance, to gain remote access and control over infected systems. These vulnerabilities were well-known but had not been addressed by Maersk’s outdated systems.
The attack spread rapidly, affecting multiple countries and regions where Maersk operated. This led to significant disruptions in shipping operations and caused substantial financial losses for the company.
It is important to note that this cyberattack underscores the need for companies to prioritize cybersecurity measures, including regular updates and patching of systems, to protect against such threats.
Maersk was attacked due to the inadequacy of the company’s internal cyber security measures, the exploitation of external threats, and the cyber warfare triggered by the situation in Ukraine. NotPetya is a highly sophisticated ransomware that exploits NSA vulnerabilities (such as EternalBlue and EternalRomance) that were originally used for Internet surveillance. The compromised vulnerability allows the attacker to remotely access the infected system and install additional software on the system, stealing data and passwords.
In 2014, after the Ukraine crisis, Maersk, a company that does business in the region, was attacked using MeDoc software, which led to its global network being infected. NotPetya not only encrypts its victims’ data, it also attempts to permanently damage and disable infected systems and networks. This method of attack makes it impossible to recover data even if a ransom is paid, further exacerbating the damage of the attack.
The attack on Maersk happened through a combination of phishing and software supply chain compromise:
1. Phishing Emails: Employees of MeDoc, a Ukrainian financial software company, opened phishing emails containing malware attachments or links to malware servers.
2. Software Supply Chain: The attackers used the compromised MeDoc software to distribute the NotPetya ransomware through a software update pushed to MeDoc customers.
3. Exploitation of Vulnerabilities: The attackers leveraged leaked NSA exploits like EternalBlue and EternalRomance, which targeted vulnerabilities in Microsoft Windows’ file and printer sharing protocols.
4. Network Infiltration: Once inside the network, the malware spread rapidly, encrypting data and rendering systems inoperable.
5. Simultaneous Attack: The attack was timed to coincide with Ukrainian Constitution Day, causing maximum disruption.
This sequence of events allowed the attackers to successfully infiltrate and disrupt Maersk’s operations.
The NotPetya ransomware was hidden in a software update for MeDoc, a Ukrainian financial program used by Maersk for local tax filings, and was introduced into the company’s systems when Maersk employees in Ukraine installed the update, taking advantage of advanced vulnerabilities leaked by the U.S. National Security Agency (NSA), such as EternalBlue and EternalRomance. These vulnerabilities allowed attackers to remotely access Maersk’s systems and upgrade permissions without being detected. The ransomware quickly spread to the company’s global infrastructure. It encrypted files and corrupted data, making the systems unusable.
1) Initial infection:
Maersk’s branch in Ukraine used infected MeDoc software, through which malicious update packages entered the Maersk network.
After NotPetya executed locally, it encrypted the Master Boot Record (MBR) of the hard drive, leaving the system unable to start and displaying false ransomware messages (data cannot actually be recovered).
2) Horizontal diffusion:
The attack exploited an unrepaired Windows vulnerability (MS17-010) and weak credentials to rapidly infect over 4,000 servers and 45,000 terminal devices in more than 200 countries worldwide.
Maersk’s Active Directory (AD) domain controller was breached, and attackers pushed malicious loads to all networked devices through the domain controller.
3) Business interruption:
Port operation paralysis: The container management system (TOS) of key hubs such as Rotterdam Port in the Netherlands and Newark Port in the United States crashed, unable to handle cargo loading and unloading.
Logistics stagnation: Customers were unable to track goods or book shipping space through Maersk Line’s online platforms.
Data loss: Some business data that had not been backed up (such as customer orders) was permanently encrypted and destroyed.
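A defender-side analytic for the horizontal diffusion stage described above: this added Python example (not code from the page, from MeDoc or from Maersk) scans constructed flow records for a host that opens SMB (port 445) connections to many distinct internal peers within a short window, the fan-out pattern an MS17-010-style worm produces, and notes whether any assumed domain-controller addresses were among the targets. The log format, IP addresses, window and threshold are all assumptions.

```python
"""Detect worm-style SMB fan-out from flow records.

Added example for illustration; the CSV flow format, the IP addresses, the
domain-controller list, and the window/threshold values are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records: "timestamp,src_ip,dst_ip,dst_port".
# 10.1.5.20 and 10.1.5.30 behave normally; 10.1.5.77 fans out to six
# peers on 445 within a few seconds (the pattern we want to surface).
SAMPLE_FLOWS = """\
2017-06-27T10:00:01,10.1.5.20,10.1.0.10,445
2017-06-27T10:00:05,10.1.5.20,10.1.0.11,443
2017-06-27T10:15:00,10.1.5.20,10.1.0.12,445
2017-06-27T10:01:00,10.1.5.30,10.1.0.20,445
2017-06-27T10:06:00,10.1.5.30,10.1.0.21,445
2017-06-27T10:11:00,10.1.5.30,10.1.0.22,445
2017-06-27T10:02:00,10.1.5.77,10.1.0.10,445
2017-06-27T10:02:01,10.1.5.77,10.1.0.11,445
2017-06-27T10:02:01,10.1.5.77,10.1.0.12,445
2017-06-27T10:02:02,10.1.5.77,10.1.0.13,445
2017-06-27T10:02:03,10.1.5.77,10.1.0.14,445
2017-06-27T10:02:03,10.1.5.77,10.1.0.15,445
2017-06-27T10:02:04,10.1.5.77,10.1.0.16,80
"""

# Assumed addresses of the domain controllers; losing these is what took
# Maersk's whole authentication layer down, so hits on them get called out.
DC_HOSTS = {"10.1.0.10", "10.1.0.11"}


def parse_flows(text):
    """Parse CSV flow lines into (timestamp, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split(",")
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def detect_smb_fanout(flows, window=timedelta(seconds=60), threshold=5, port=445):
    """Return {src: {"peers": n, "dcs": [...]}} for every source that reaches
    at least `threshold` distinct destinations on `port` inside any sliding
    window of length `window`. A single host touching a few file servers over
    a day is normal; one host touching many peers in seconds is the worm."""
    by_src = defaultdict(list)
    for ts, src, dst, p in flows:
        if p == port:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()  # sort by timestamp so the window can slide forward
        start = 0
        for end in range(len(events)):
            # Drop events that fell out of the window ending at events[end].
            while events[end][0] - events[start][0] > window:
                start += 1
            peers = {dst for _, dst in events[start:end + 1]}
            if len(peers) >= threshold:
                dcs = sorted(peers & DC_HOSTS)
                prev = alerts.get(src)
                # Keep the widest fan-out observed for this source.
                if prev is None or len(peers) > prev["peers"]:
                    alerts[src] = {"peers": len(peers), "dcs": dcs}
    return alerts


if __name__ == "__main__":
    for src, info in detect_smb_fanout(parse_flows(SAMPLE_FLOWS)).items():
        print(f"ALERT {src}: {info['peers']} SMB peers in 60s; DCs hit: {info['dcs']}")
```

On the constructed sample only 10.1.5.77 is flagged (6 peers, including both assumed domain controllers); the threshold and window should be tuned against a baseline of normal SMB traffic before use.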
The NotPetya cyber-attack on Maersk unfolded in a series of stages with far-reaching consequences. It began with the initial infection when MeDoc employees opened phishing emails containing malicious software, giving attackers access to MeDoc’s network. Subsequently, during the dormant propagation phase, attackers stole data and credentials, facilitating lateral movement within the network and potentially targeting other organizations using MeDoc. The malware remained dormant for five days until the eve of Ukrainian Constitution Day, indicating a likely state-sponsored, politically motivated attack.
On June 27, NotPetya was activated. It encrypted files and presented a fake ransomware payment screen. Maersk, an operator in the shipping industry, was severely impacted. Its entire network was shut down, leading to the closure of shipping terminals globally. Manual processes had to be hastily implemented, resulting in significant delays and substantial financial losses. Additionally, data on infected devices that were not backed up, including critical business and personal information, was permanently lost.
The attackers first compromised the Ukrainian financial software MeDoc and then exploited supply chain relationships to spread the malware to multinational companies like Maersk. When Maersk employees used malware-infected computers in their daily work, the malware infiltrated the company’s information systems. Once inside, it rapidly spread through Maersk’s internal network, crashing systems and encrypting data. Since Maersk’s information system is central to its global business operations, the attack had a massive impact, halting cargo ship and port operations, despite the Maersk freighters not being directly physically damaged.
In June 2017, Maersk was hit by the NotPetya ransomware. The attack originated from malicious code implanted in a Ukrainian tax software update. Maersk had many branches and partners worldwide, and its internal network was closely connected to external suppliers. As a result, the virus quickly spread to Maersk’s systems, affecting more than 45,000 computers, 49 data centers, and thousands of applications.
On December 30, 2023, as the MV Maersk Hangzhou sailed through the Red Sea, it was attacked by Houthi missile batteries at around 8:30 p.m. local time. At least one missile hit the ship. The next day, four Houthi skiffs armed with mounted weapons approached the Maersk Hangzhou, fired upon it, and attempted to board the ship. The freighter’s security contractors engaged the Houthi forces, and the U.S. Navy’s helicopters dispatched to the scene sank three of the Houthi craft, causing the fourth to retreat.
Here’s a detailed breakdown of how the attack happened:
1. Initial Infection Vector
Phishing Emails: The NotPetya ransomware was initially spread through phishing emails sent to employees of Ukrainian companies.
2. Exploitation of Vulnerabilities
EternalBlue and EternalRomance: The attackers used leaked NSA exploits, specifically EternalBlue and EternalRomance, which targeted vulnerabilities in Microsoft Windows’ file and printer sharing protocols.
3. Propagation Across Networks
Global Spread: Once the malware infected a company’s network in Ukraine, it quickly spread to other parts of the global network. Maersk, which had operations in Ukraine and used MeDoc, was one of the companies affected.
4. Impact on Maersk
Simultaneous Infection of Domain Controllers: Maersk operated a network of 150 domain controllers, which are critical for network authentication. Unfortunately, all 150 controllers were infected simultaneously, wiping out the entire network infrastructure.
Maersk was attacked because its operations in Ukraine used hacked MeDoc tax software. The NotPetya malware was inserted into the MeDoc system by attackers disguised as a software update, which then used a network vulnerability to quickly spread from Ukraine to Maersk’s global network, resulting in a complete shutdown of its systems.
Maersk’s cargo ships were not directly attacked, but its IT systems suffered a major blow from the NotPetya ransomware. The malware initially spread through the compromised Ukrainian financial software MeDoc. When Maersk employees used infected computers, the malware infiltrated the company’s network.
NotPetya then exploited unpatched Windows vulnerabilities (EternalBlue and EternalRomance) to gain administrative access and spread rapidly across all connected systems. Due to weak network segmentation and outdated security controls, all 150 of Maersk’s domain controllers were wiped out, causing a total shutdown of its global IT infrastructure. This paralyzed cargo operations, halted port activities, and severely disrupted global trade, underscoring the risks of cyberattacks in the digital age.
The NotPetya debacle began when MeDoc employees, lured by phishing emails, unknowingly opened the door for attackers to infiltrate MeDoc’s network. For five days straight, the malicious actors stealthily pilfered data and credentials, lying low and waiting for the opportune moment. That moment came on the eve of Ukrainian Constitution Day, strongly indicating that this was a politically motivated, state-sponsored cyber-assault.
Then, on June 27, NotPetya unleashed its havoc. It encrypted files and put up a bogus ransom screen. Maersk, a global shipping giant, was hit hard. Its worldwide network crashed, shipping terminals had to shut down, and reverting to manual operations led to substantial delays and financial setbacks. Adding to the misery, infected devices without proper backups lost vital data, dealing Maersk another heavy blow in this cyber-catastrophe.
Maersk was targeted in an attack due to insufficient internal cybersecurity measures, the leveraging of external threats, and cyber warfare spurred by the Ukraine situation. NotPetya, a highly advanced ransomware exploiting NSA vulnerabilities like EternalBlue and EternalRomance originally used for Internet surveillance, enabled attackers to remotely access infected systems and install software on them to steal data and passwords. In 2014, following the Ukraine crisis, Maersk, operating in the region, was hit via the MeDoc software, resulting in its global network being infected. NotPetya not only encrypted victims’ data but also attempted to cause permanent damage and disable systems and networks, making data recovery impossible even with ransom payment and thus intensifying the attack’s detrimental impact.
A. Initial Infection: MeDoc users in Ukraine opened phishing emails or links containing malware, which exploited EternalBlue to infiltrate systems.
B. Supply Chain Spread: Attackers compromised MeDoc’s update mechanism, distributing NotPetya as a fake update on June 22, 2017.
C. Global Propagation: The malware used EternalBlue to spread rapidly across networks, encrypting files and rendering systems inoperable. Maersk’s interconnected global network and outdated systems enabled the attack to cripple operations worldwide.
D. Destruction: NotPetya erased data and disabled recovery, mimicking ransomware but offering no decryption keys. Maersk’s reliance on centralized domain controllers meant losing all network access, requiring a herculean effort to rebuild infrastructure manually.
In fact, Maersk itself, as a cargo ship, was not directly hit by the cyber attack, but the information system of its operator, Maersk Group, was hit by a ransomware attack called NotPetya.
(1) Initial infection
The NotPetya ransomware spread through tainted software updates from third-party vendors. When Maersk’s system downloaded and installed the update, it became infected with the malware. In today’s highly developed information technology environment, enterprises rely on much third-party software and many third-party services, and software updates are an important means of maintaining the normal operation of a system and improving its security. However, this dependence also brings risks. If a third-party vendor’s update channel is compromised by an attacker and the company unknowingly installs the update, the door is opened for malware to invade.
(2) The domain controller is compromised
The malware quickly spread through Maersk’s network and eventually compromised the domain controller. As the domain controller is the central authentication and access control point of the network, its compromise has very serious consequences. It is like the command center of a country: once occupied by the enemy, the operation of the whole country is thrown into chaos. In the Maersk network environment, the domain controller controlled user authentication and resource access. When it was controlled by malicious software, users in the network could not log in to the system normally or access key business resources, so the company’s various services could not be carried out and the entire information system was paralyzed. This series of incidents not only brought huge economic losses to Maersk, but also sounded the alarm for the supply chain of the global shipping industry, highlighting the urgency and importance of strengthening network security protection, especially to prevent supply chain attacks.
1. Exploiting system vulnerabilities: Attackers targeted vulnerabilities in Maersk’s outdated Windows systems lacking security updates.
2. Compromised software: The attack began with phishing emails to MeDoc employees, containing malware attachments or links.
3. Software supply chain attack: Malware was hidden in a MeDoc software update, infiltrating systems of companies using MeDoc, including Maersk.
4. Network spread: After infecting one system, the malware spread quickly due to outdated systems and lack of backups.
5. Domain controller attack: The malware targeted and simultaneously infected all of Maersk’s domain controllers, risking the entire network.
6. Inadequate response: The delayed emergency response allowed the malware to spread further before the network was shut down.
The Maersk attack occurred on June 27, 2017, when the company was hit by the NotPetya ransomware. Here is how the attack unfolded:
1. Initial Attack Vector: The malware was initially spread through a compromised software update from MeDoc, a Ukrainian tax and accounting software. MeDoc was used by many companies in Ukraine for tax filing, including Maersk. This allowed the malware to spread via the trusted software update mechanism.
2. Exploitation of Vulnerabilities: Once inside Maersk’s network, the NotPetya ransomware exploited known vulnerabilities in older software systems, particularly Microsoft Windows systems, that had not been updated with critical security patches. These vulnerabilities were primarily due to the use of outdated operating systems like Windows 2000 and Windows XP.
3. Propagation of the Malware: NotPetya used tools like EternalBlue (a leaked NSA exploit) to move laterally within Maersk’s network. The malware spread rapidly across Maersk’s global IT infrastructure, infecting domain controllers, PCs, and servers. It disrupted critical communication systems, including email and phone systems.
4. Malware’s Impact: The ransomware caused the systems to crash, encrypting files and rendering them inaccessible. It also wiped the master boot records of infected computers, making recovery impossible unless backups were available. The attack disrupted Maersk’s entire global supply chain, affecting ports, terminals, and shipping operations.
5. Manual Intervention: With the IT systems down, Maersk had to resort to manual processes to manage shipments and communicate with customers. The company’s global network was down for over two hours, and recovery took weeks, requiring the installation of new servers, PCs, and applications.
The attack, attributed to a sophisticated state-sponsored group (likely linked to Russia), caused significant disruption, with Maersk incurring millions in losses due to halted operations, recovery efforts, and compensation to customers.
NotPetya Attack Timeline and Impact on Maersk
Initial Infection: The attack began when MeDoc employees unknowingly opened phishing emails containing malicious software, granting attackers access to MeDoc’s network.
Dormant Spread and Lateral Movement: Once inside, the attackers stole data and credentials, allowing them to move laterally within the network and potentially compromise other organizations using MeDoc. NotPetya remained inactive for five days, only launching on the eve of Ukrainian Constitution Day, suggesting political motives likely tied to Russian state-sponsored actors.
Attack Activation and Propagation: On June 27, NotPetya was triggered, encrypting files and displaying a fraudulent ransom message, though its true intent was data destruction rather than financial extortion.
Impact on Maersk: The attack completely disrupted Maersk’s global network, shutting down shipping terminals and forcing the company to rely on manual operations, causing severe delays and financial losses. Additionally, systems that lacked proper backups suffered permanent data loss, affecting critical business records and personal information.
The Maersk attack happened through the following sequence of events:
1. Initial Infection: The NotPetya malware initially infected Ukrainian systems through a compromised software update of MeDoc, a financial software used by many Ukrainian companies. Maersk’s local operations in Ukraine were also using this software.
2. Spread through Networks: Once the malware infected Maersk’s local systems in Ukraine, it quickly spread across the company’s global network. The malware exploited vulnerabilities in Microsoft Windows systems, such as EternalBlue and EternalRomance, which allowed it to gain access and propagate rapidly.
3. Simultaneous Compromise: Maersk’s network architecture included 150 domain controllers that managed access to the entire IT infrastructure. The malware simultaneously infected all these controllers, effectively wiping out the entire network structure.
4. Global Impact: As a result, Maersk’s entire global IT system went offline, causing operations to grind to a halt. The company had to resort to manual processes and emergency recovery efforts to restore its systems.
1. NotPetya malware was disguised as a regular update to the MeDoc software, a Ukrainian software used for taxation and accounting.
2. An employee unknowingly installed an update that contained malicious code.
3. The malware exploited the EternalBlue and EternalRomance vulnerabilities (leaked NSA tools) to spread throughout Maersk’s IT infrastructure.
4. All domain controllers were purged, effectively erasing the entire network authentication system.
5. Shipping operations collapsed, forcing Maersk to switch to manual processes (pen and paper) to keep part of the operation running.
6. The company found an uninfected backup in Ghana, which helped restore its system after an intense recovery operation.
7. The attack cost Maersk about $300 million, including IT equipment replacement and loss of business.
1. The NotPetya malware was disguised as a routine software update for MeDoc, a Ukrainian tax and accounting software.
2. Employees unknowingly installed the update, which contained the malicious code.
3. The malware used the EternalBlue and EternalRomance exploits (leaked NSA tools) to spread across Maersk’s entire IT infrastructure.
4. All domain controllers were wiped out, effectively erasing the entire network’s authentication system.
5. Shipping operations collapsed, forcing Maersk to switch to manual processes (pen and paper) to keep some operations running.
6. The company discovered an uninfected backup in Ghana, which helped restore its systems after an intense recovery operation.
7. The attack cost Maersk an estimated $300 million in damages, IT replacements, and lost business.
Initial Infection: MeDoc employees opened phishing emails containing malicious software, allowing attackers to gain access to MeDoc’s network.
Dormant Propagation: Attackers stole data and credentials, enabling them to move laterally within the network and potentially target other organizations using MeDoc. NotPetya remained dormant for five days until the eve of Ukrainian Constitution Day, suggesting a politically motivated attack likely sponsored by a state actor aligned with Russia.
Attack Execution and Spread: On June 27, NotPetya was activated, encrypting files and displaying a fake ransomware payment screen.
Impact on Maersk: Maersk’s entire network was shut down, impacting operations globally. Shipping terminals were closed, and manual processes had to be implemented, causing significant delays and financial losses. The attack also resulted in the permanent loss of data on infected devices that were not backed up, including critical business and personal information.
The attack unfolded in stages:
Initial Compromise: Hackers infiltrated MeDoc via phishing, embedding NotPetya into a legitimate software update distributed to users, including Maersk’s Ukrainian operations.
Exploitation: The malware exploited unpatched Windows vulnerabilities to gain control of systems, steal credentials, and spread laterally.
Global Propagation: NotPetya encrypted data and destroyed Maersk’s domain controllers, rendering the network inoperable. Critical systems (email, phones, logistics) collapsed.
Recovery Challenges: Only a single domain controller in Ghana (saved by a power outage) allowed partial restoration. Maersk manually rebuilt its IT infrastructure, reinstalling 4,000 servers and 45,000 PCs in 10 days.
In fact, the ship itself was not the direct target of the cyber attack. It was the ship’s operator, Maersk, whose information systems were hit by a ransomware attack called NotPetya.
Specifically, the attackers first compromised the Ukrainian financial software MeDoc and then used its supply-chain relationships to push the malware to a number of multinational companies, including Maersk. When Maersk employees used computers infected through that update in their daily work, the malware gained a foothold in the company’s information systems.
Once inside, the malware spread rapidly through the company’s internal network, crashing systems and encrypting data. Because Maersk’s information systems are the core of its global business, the attack had an enormous impact, including blocked cargo-ship operations and halted port operations. So although no Maersk vessel was physically damaged, Maersk as a whole suffered a serious cyber attack.
The Maersk attack happened through the NotPetya malware, which initially spread via MeDoc, a Ukrainian tax software used by companies operating in Ukraine. Attackers compromised MeDoc’s software update mechanism, inserting malware that executed automatically when users installed the update. Once inside Maersk’s network, NotPetya exploited unpatched Microsoft Windows vulnerabilities (EternalBlue and EternalRomance) to gain administrative privileges and spread laterally across all connected systems. Due to poor network segmentation and outdated security controls, the malware wiped out all 150 of Maersk’s domain controllers, leading to a complete shutdown of its global IT infrastructure.
On June 27, 2017, A. P. Møller-Maersk suffered a serious cyber attack that disabled the company’s global network. The attack was caused by ransomware called NotPetya, which was delivered through the Ukrainian MeDoc finance program. The attackers took advantage of exploits leaked from the National Security Agency (NSA), EternalBlue and EternalRomance, which allow remote access to vulnerable systems. When the attack began, Maersk’s IT staff were meeting in London and suddenly saw monitoring screens turn red, after which laptops across the company began to reboot on their own. The attack quickly spread across the company’s global network, forcing the company to manage its shipping operations manually while the online systems were unavailable. To restore its IT infrastructure, the company had to reinstall 45,000 PCs and 4,000 servers. The attack brought huge economic losses and operational challenges, and the company had to take emergency measures to deal with the crisis.
The Maersk attack unfolded in the following sequence:
Initial Infection: The NotPetya ransomware was spread through a compromised software update from a third-party vendor. When Maersk’s systems downloaded and installed this update, they became infected with the malware.
Domain Controller Compromise: The malware quickly spread through Maersk’s network, eventually compromising the domain controllers. The domain controllers are the central authentication and access control points for the network, so their compromise had severe consequences.
1. Initial Infection: The NotPetya ransomware entered Maersk’s network through a compromised software update from a Ukrainian tax filing program called MeDoc.
2. Rapid Spread: Once inside the network, the malware exploited vulnerabilities in Microsoft Windows to gain access and escalate privileges, allowing it to spread quickly across the entire network.
3. Network Shutdown: The malware encrypted data and wiped out the domain controllers, causing the entire network to go down. Maersk’s IT team had to shut down the network manually, but the damage was already done.
4. Recovery Challenges: The attack wiped out all 150 domain controllers, making network recovery extremely difficult. Maersk had to rely on a backup domain controller from Ghana, which had been offline during the attack, to restore its network infrastructure.
Initial Infection and Dormant Propagation: The attack on Maersk started with MeDoc employees opening phishing emails containing malicious software, which gave attackers access to MeDoc’s network. The attackers then stole data and credentials, allowing lateral movement within the network. NotPetya remained dormant for five days until the eve of Ukrainian Constitution Day, indicating a politically motivated, state-sponsored attack, likely by a Russian-aligned actor.
Attack Execution and Spread: On June 27, NotPetya was activated. It encrypted files and showed a fake ransomware payment screen. The malware spread quickly, taking advantage of Maersk’s interconnected global network and affecting all 150 domain controllers.
Impact on Maersk: Maersk’s entire network was shut down, leading to global operational disruptions. Shipping terminals were closed, and manual processes had to be adopted, causing significant delays and financial losses. Moreover, there was permanent data loss on infected devices that had not been backed up, including crucial business and personal information.
The NotPetya attack started when MeDoc employees opened phishing emails, giving attackers access to MeDoc’s network. Over five days, the attackers stole data and credentials and remained dormant until the eve of Ukrainian Constitution Day, likely as part of a state-sponsored political attack. On June 27, NotPetya activated, encrypting files behind a fake ransom screen. Maersk suffered greatly: its global network went down, shipping terminals closed, and manual operations caused delays and losses. Infected devices that had not been backed up also lost critical data.
1. Initial infection: In the weeks leading up to the attack, MeDoc employees opened phishing emails containing malware attachments or links to malware servers. The malware that was later distributed relied on leaked NSA exploits, EternalBlue and EternalRomance. Both target the SMBv1 file and printer sharing service in Microsoft Windows (the flaws fixed by MS17-010) and give remote code execution on unpatched hosts, so the malware could take control of systems on the network without any user action and without being noticed.
2. Spread through the network: Once the computers were infected, the attackers could install other software, monitor communications, and steal data and passwords. Using these stolen passwords, they were able to hide the NotPetya ransomware in a software update that was pushed out to MeDoc customers on June 22, 2017. When the malware activated on June 27, it spread through infected networks at an unprecedented speed. It started with unscheduled reboots of computers, followed by overwriting of the master boot record. A fake ransomware payment screen was then displayed, but in fact the malware aimed to permanently destroy and disable infected systems and networks.
3. Impact on Maersk: Maersk’s systems started to show signs of the attack when monitoring screens turned red and laptops began to reboot simultaneously across the company’s global network. The company’s network took more than two hours to shut down as employees struggled to communicate through alternative means like WhatsApp and personal phones. The domain controllers, which were essential for the network’s operation, were all compromised, leading to a complete network outage. This, in turn, caused shipping terminals around the world to become backlogged as Maersk had to close terminals and manage shipments manually, resulting in a significant disruption to its operations.
The attack on Maersk occurred due to a sophisticated cyberattack involving the NotPetya ransomware. This malware targeted the company’s outdated Windows systems, which had not been updated with the latest security patches. The attack was particularly effective because it simultaneously hit all 150 domain controllers across Maersk’s global network, causing a complete loss of network connectivity and data.
The NotPetya ransomware utilized leaked NSA exploits, such as EternalBlue and EternalRomance, to gain remote access to and control over infected systems. The vulnerabilities they target were well known, and Microsoft had issued the fix (MS17-010) in March 2017, but it had not been applied on Maersk’s outdated systems.
The attack spread rapidly, affecting multiple countries and regions where Maersk operated. This led to significant disruptions in shipping operations and caused substantial financial losses for the company.
It is important to note that this cyberattack underscores the need for companies to prioritize cybersecurity measures, including regular updates and patching of systems, to protect against such threats.
Maersk was attacked because of inadequate internal cyber security measures, the exploitation of external threats, and the cyber warfare triggered by the situation in Ukraine. NotPetya is highly sophisticated malware that exploits vulnerabilities for which the NSA had developed exploit tools (EternalBlue and EternalRomance) before those tools were leaked. These vulnerabilities allow an attacker to remotely access the infected system, install additional software on it, and steal data and passwords.
Against the backdrop of the Ukraine crisis that began in 2014, Maersk, which does business in the region, was hit in 2017 through the MeDoc software, which led to its global network being infected. NotPetya not only encrypts its victims’ data but also attempts to permanently damage and disable infected systems and networks. This makes it impossible to recover data even if a ransom is paid, further exacerbating the damage of the attack.
The attack on Maersk happened through a combination of phishing and software supply chain compromise:
1. Phishing Emails: Employees of MeDoc, a Ukrainian financial software company, opened phishing emails containing malware attachments or links to malware servers.
2. Software Supply Chain: The attackers used the compromised MeDoc software to distribute the NotPetya ransomware through a software update pushed to MeDoc customers.
3. Exploitation of Vulnerabilities: The attackers leveraged leaked NSA exploits like EternalBlue and EternalRomance, which targeted vulnerabilities in Microsoft Windows’ file and printer sharing protocols.
4. Network Infiltration: Once inside the network, the malware spread rapidly, encrypting data and rendering systems inoperable.
5. Simultaneous Attack: The activation was timed to the eve of Ukrainian Constitution Day so that every infected network was hit at once, causing maximum disruption.
This sequence of events allowed the attackers to successfully infiltrate and disrupt Maersk’s operations.
The NotPetya ransomware was hidden in a software update for MeDoc, a Ukrainian financial program that Maersk used for local tax filings, and entered the company’s systems when Maersk employees in Ukraine installed the update. It then took advantage of vulnerabilities for which exploit tools had leaked from the U.S. National Security Agency (NSA), EternalBlue and EternalRomance, which allowed the attackers to remotely access Maersk’s systems and escalate privileges without being detected. The ransomware quickly spread across the company’s global infrastructure, encrypting files and corrupting data until the systems were unusable.
1) Initial infection:
Maersk’s branch in Ukraine used the compromised MEDoc software, and a malicious update package delivered through it entered the Maersk network.
Once NotPetya executed locally, it overwrote the disk’s Master Boot Record (MBR), leaving the system unable to boot and displaying a fake ransom message (the data could not actually be recovered).
2) Lateral movement:
The malware exploited an unpatched Windows vulnerability (MS17-010) together with stolen or weak credentials to rapidly infect more than 4,000 servers and 45,000 endpoint devices across Maersk’s worldwide operations.
Maersk’s Active Directory (AD) domain controllers were compromised, and the malware reached every domain-joined device on the network.
3) Business interruption:
Port operations paralysed: the terminal operating systems (TOS) at key hubs such as the Port of Rotterdam in the Netherlands and Port Newark in the United States crashed and could no longer handle cargo loading and unloading.
Logistics stagnation: customers could not track cargo or book shipping space through Maersk Line’s online platforms.
Data loss: some business data that had not been backed up (such as customer orders) was permanently encrypted and destroyed.
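The spread described under 2) above, one set of stolen or weak credentials reused against thousands of hosts, leaves a pattern in authentication logs that can be detected independently of any malware signature: a single account establishing network logons to many distinct machines in a short time. The Go program below is an added detection example, not code from this page or from Maersk. It runs over constructed log lines in a simplified CSV form (timestamp, account, source host, target host, logon type) carrying the fields a Windows network-logon security event also carries, and flags any account that reaches five or more distinct hosts inside a five-minute window. The account names, hostnames and both thresholds are assumptions made for the example; in production the events would be collected from the domain controllers’ security logs and the thresholds tuned against the environment’s own baseline of legitimate service-account activity.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// LogonEvent is one network-logon record. The fields mirror what a Windows
// security logon event carries; parsing real EVTX is out of scope here.
type LogonEvent struct {
	When      time.Time
	Account   string
	Source    string
	Target    string
	LogonType int // 3 = network logon (SMB, WMI, remote service creation)
}

// Alert describes one account that fanned out to many hosts quickly.
type Alert struct {
	Account string
	Start   time.Time // first event of the window that tripped the rule
	Targets []string  // distinct hosts reached inside that window, sorted
}

// ParseLine parses the constructed CSV form used in this example:
// RFC3339 time,account,source,target,logontype
func ParseLine(line string) (LogonEvent, error) {
	f := strings.Split(strings.TrimSpace(line), ",")
	if len(f) != 5 {
		return LogonEvent{}, fmt.Errorf("bad field count in %q", line)
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return LogonEvent{}, err
	}
	lt, err := strconv.Atoi(f[4])
	if err != nil {
		return LogonEvent{}, err
	}
	return LogonEvent{When: ts, Account: f[1], Source: f[2], Target: f[3], LogonType: lt}, nil
}

// DetectFanOut flags accounts whose network logons reach at least minTargets
// distinct hosts inside any window of length window. One account touching
// many machines within minutes is the signature of credential-driven spread.
func DetectFanOut(events []LogonEvent, window time.Duration, minTargets int) []Alert {
	byAcct := map[string][]LogonEvent{}
	for _, e := range events {
		if e.LogonType != 3 { // interactive/local logons are not lateral movement
			continue
		}
		byAcct[e.Account] = append(byAcct[e.Account], e)
	}
	accts := make([]string, 0, len(byAcct))
	for a := range byAcct {
		accts = append(accts, a)
	}
	sort.Strings(accts) // deterministic alert order
	var alerts []Alert
	for _, a := range accts {
		evs := byAcct[a]
		sort.Slice(evs, func(i, j int) bool { return evs[i].When.Before(evs[j].When) })
		lo := 0
		seen := map[string]int{} // target -> count inside the sliding window
		for hi := range evs {
			seen[evs[hi].Target]++
			for evs[hi].When.Sub(evs[lo].When) > window { // slide the left edge
				seen[evs[lo].Target]--
				if seen[evs[lo].Target] == 0 {
					delete(seen, evs[lo].Target)
				}
				lo++
			}
			if len(seen) >= minTargets {
				targets := make([]string, 0, len(seen))
				for t := range seen {
					targets = append(targets, t)
				}
				sort.Strings(targets)
				alerts = append(alerts, Alert{Account: a, Start: evs[lo].When, Targets: targets})
				break // one alert per account is enough for triage
			}
		}
	}
	return alerts
}

// SampleLog is constructed input: one service account reaching six hosts in
// under a minute, a user with two logons an hour apart, and a local logon.
var SampleLog = []string{
	"2017-06-27T10:30:00Z,alice,WS-101,FS-01,3",
	"2017-06-27T10:30:05Z,svc_deploy,WS-042,DC-01,3",
	"2017-06-27T10:30:09Z,svc_deploy,WS-042,FS-01,3",
	"2017-06-27T10:30:14Z,svc_deploy,WS-042,WS-043,3",
	"2017-06-27T10:30:20Z,svc_deploy,WS-042,WS-044,3",
	"2017-06-27T10:30:27Z,svc_deploy,WS-042,WS-045,3",
	"2017-06-27T10:30:33Z,svc_deploy,WS-042,DC-02,3",
	"2017-06-27T10:31:00Z,bob,WS-077,WS-077,2",
	"2017-06-27T11:25:00Z,alice,WS-101,PRINT-01,3",
}

// RunSample parses SampleLog and applies the rule with the example thresholds.
func RunSample() ([]Alert, error) {
	var events []LogonEvent
	for _, l := range SampleLog {
		e, err := ParseLine(l)
		if err != nil {
			return nil, err
		}
		events = append(events, e)
	}
	return DetectFanOut(events, 5*time.Minute, 5), nil
}

func main() {
	alerts, err := RunSample()
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, a := range alerts {
		fmt.Printf("%s fanned out to %d hosts from %s: %v\n",
			a.Account, len(a.Targets), a.Start.Format(time.RFC3339), a.Targets)
	}
}
```

The rule fires on the first window in which the distinct-target count crosses the threshold, so the alert names the hosts reached up to that point rather than every host the account eventually touched; the full list is what incident response then pulls from the logs. Only logon type 3 is counted because interactive logons at a user’s own machine are normal and would only add noise.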
The NotPetya cyber attack on Maersk unfolded in a series of stages with far-reaching consequences. It began with the initial infection, when MeDoc employees opened phishing emails containing malicious software, giving attackers access to MeDoc’s network. Subsequently, during the dormant propagation phase, the attackers stole data and credentials, facilitating lateral movement within the network and potentially targeting other organizations using MeDoc. The malware remained dormant for five days until the eve of Ukrainian Constitution Day, indicating a likely state-sponsored, politically motivated attack.
On June 27, NotPetya was activated. It encrypted files and presented a fake ransomware payment screen. Maersk, an operator in the shipping industry, was severely impacted. Its entire network was shut down, leading to the closure of shipping terminals globally. Manual processes had to be hastily implemented, resulting in significant delays and substantial financial losses. Additionally, data on infected devices that were not backed up, including critical business and personal information, was permanently lost.
The attackers first compromised the Ukrainian financial software MeDoc and then exploited supply chain relationships to spread the malware to multinational companies like Maersk. When Maersk employees used malware-infected computers in their daily work, the malware infiltrated the company’s information systems. Once inside, it rapidly spread through Maersk’s internal network, crashing systems and encrypting data. Since Maersk’s information system is central to its global business operations, the attack had a massive impact, halting cargo ship and port operations, even though the Maersk freighters themselves were not physically damaged.
In June 2017, Maersk was hit by the NotPetya ransomware. The attack originated from malicious code implanted in a Ukrainian tax software update. Maersk had many branches and partners worldwide, and its internal network was closely connected to external suppliers. As a result, the virus quickly spread to Maersk’s systems, affecting more than 45,000 computers, 49 data centers, and thousands of applications.
On December 30, 2023, as the MV Maersk Hangzhou sailed through the Red Sea, it was attacked by Houthi missile batteries at around 8:30 p.m. local time. At least one missile hit the ship. The next day, four Houthi skiffs armed with mounted weapons approached the Maersk Hangzhou, fired upon it, and attempted to board the ship. The freighter’s security contractors engaged the Houthi forces, and the U.S. Navy’s helicopters dispatched to the scene sank three of the Houthi craft, causing the fourth to retreat.
Here’s a detailed breakdown of how the attack happened:
1. Initial Infection Vector
Phishing Emails: The NotPetya ransomware was initially spread through phishing emails sent to employees of Ukrainian companies.
2. Exploitation of Vulnerabilities
EternalBlue and EternalRomance: The attackers used leaked NSA exploits, specifically EternalBlue and EternalRomance, which targeted vulnerabilities in Microsoft Windows’ file and printer sharing protocols.
3. Propagation Across Networks
Global Spread: Once the malware infected a company’s network in Ukraine, it quickly spread to other parts of the global network. Maersk, which had operations in Ukraine and used MeDoc, was one of the companies affected.
4. Impact on Maersk
Simultaneous Infection of Domain Controllers: Maersk operated a network of 150 domain controllers, which are critical for network authentication. Unfortunately, all 150 controllers were infected simultaneously, wiping out the entire network infrastructure.
Maersk was attacked because its operations in Ukraine used hacked MeDoc tax software. The NotPetya malware was inserted into the MeDoc system by attackers disguised as a software update, which then used a network vulnerability to quickly spread from Ukraine to Maersk’s global network, resulting in a complete shutdown of its systems.
Maersk’s cargo ships were not directly attacked, but its IT systems suffered a major blow from the NotPetya ransomware. The malware initially spread through the compromised Ukrainian financial software MeDoc. When Maersk employees used infected computers, the malware infiltrated the company’s network.
NotPetya then exploited unpatched Windows vulnerabilities (EternalBlue and EternalRomance) to gain administrative access and spread rapidly across all connected systems. Due to weak network segmentation and outdated security controls, all 150 of Maersk’s domain controllers were wiped out, causing a total shutdown of its global IT infrastructure. This paralyzed cargo operations, halted port activities, and severely disrupted global trade, underscoring the risks of cyberattacks in the digital age.
The NotPetya debacle began when MeDoc employees, lured by phishing emails, unknowingly opened the door for attackers to infiltrate MeDoc’s network. For five days straight, the malicious actors stealthily pilfered data and credentials, lying low and waiting for the opportune moment. That moment came on the eve of Ukrainian Constitution Day, strongly indicating that this was a politically motivated, state-sponsored cyber assault.
Then, on June 27, NotPetya unleashed its havoc. It encrypted files and put up a bogus ransom screen. Maersk, a global shipping giant, was hit hard. Its worldwide network crashed, shipping terminals had to shut down, and reverting to manual operations led to substantial delays and financial setbacks. Adding to the misery, infected devices without proper backups lost vital data, dealing Maersk another heavy blow in this cyber catastrophe.
Maersk was targeted because of insufficient internal cybersecurity measures, the leveraging of external threats, and cyber warfare spurred by the situation in Ukraine. NotPetya, a highly advanced piece of ransomware, exploits vulnerabilities for which exploit tools (EternalBlue and EternalRomance) had been developed by the NSA and later leaked; these enable attackers to remotely access infected systems, install software on them, and steal data and passwords. Against the backdrop of the Ukraine crisis that began in 2014, Maersk, which operates in the region, was hit in 2017 via the MeDoc software, and its global network was infected. NotPetya not only encrypts victims’ data but also attempts to cause permanent damage and disable systems and networks, making data recovery impossible even if the ransom is paid and thus intensifying the attack’s impact.
A. Initial Infection: MeDoc users in Ukraine opened phishing emails or links containing malware, which exploited EternalBlue to infiltrate systems.
B. Supply Chain Spread: Attackers compromised MeDoc’s update mechanism, distributing NotPetya as a fake update on June 22, 2017.
C. Global Propagation: The malware used EternalBlue to spread rapidly across networks, encrypting files and rendering systems inoperable. Maersk’s interconnected global network and outdated systems enabled the attack to cripple operations worldwide.
D. Destruction: NotPetya erased data and disabled recovery, mimicking ransomware but offering no decryption keys. Maersk’s reliance on centralized domain controllers meant losing all network access, requiring a herculean effort to rebuild infrastructure manually.
In fact, the vessel itself was not directly hit by the cyber attack; it was the information systems of its operator, Maersk Group, that were hit by a ransomware attack called NotPetya.
(1) Initial infection
The NotPetya ransomware spread through tainted software updates from a third-party vendor. When Maersk’s systems downloaded and installed the update, they became infected with the malware. Enterprises today rely on many third-party software products and services, and software updates are an important means of keeping systems running and improving their security. That dependence also brings risk: if a vendor’s update channel is compromised by an attacker, the company installs the update unknowingly, which opens the door for the malware.
(2) The domain controllers are compromised
The malware spread quickly through Maersk’s network and eventually compromised the domain controllers. Because a domain controller is the central authentication and access-control point of the network, its compromise has very serious consequences; it is like the command centre of a country, which, once occupied by the enemy, throws the whole country into chaos. In Maersk’s environment the domain controllers governed user authentication and resource access, so once they were controlled by the malware, users could no longer log in or reach key business resources, the company’s services could not be carried out, and the entire information system was paralysed. These events not only caused Maersk huge economic losses but also sounded an alarm for the global shipping supply chain, highlighting the urgency of strengthening network security, and of defending against supply-chain attacks in particular.
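The supply-chain risk described under (1) above, a client that trusts whatever its vendor’s update channel delivers, is exactly the property a signed-update check is meant to remove. The following Go program is an added example, not code from this page or from any vendor it mentions: the client pins the vendor’s Ed25519 release public key at build time, verifies the vendor’s signature over a small manifest, and only then compares the package hash against the signed manifest, also rejecting version rollbacks and manifests issued for a different product. The product name "taxapp", the manifest layout and the payload bytes are constructed for illustration. Go is used because its standard library ships Ed25519 and SHA-256, so the updater needs no third-party dependency of its own.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the metadata the vendor publishes alongside an update package.
// The client trusts the package only if (1) the manifest is signed by the
// vendor's release key and (2) the package hash matches the manifest.
type Manifest struct {
	Product string `json:"product"`
	Version int    `json:"version"` // monotonically increasing build number
	SHA256  string `json:"sha256"`  // hex digest of the package bytes
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrHashMismatch = errors.New("package hash does not match signed manifest")
	ErrRollback     = errors.New("manifest version is not newer than installed version")
	ErrWrongProduct = errors.New("manifest is for a different product")
)

// NewReleaseKey generates the vendor's signing key pair. In a real release
// process the private half lives offline, never on the update server.
func NewReleaseKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(nil) // nil selects crypto/rand
}

// DigestHex returns the hex SHA-256 of a package, as written into a manifest.
func DigestHex(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// SignManifest is the vendor-side step: serialise the manifest and sign the
// exact bytes that will be shipped, so the client verifies before parsing.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (manifestJSON, sig []byte, err error) {
	manifestJSON, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return manifestJSON, ed25519.Sign(priv, manifestJSON), nil
}

// VerifyUpdate is the client-side check. vendorPub is pinned in the client
// binary; it must never be fetched from the update channel it is guarding.
func VerifyUpdate(vendorPub ed25519.PublicKey, manifestJSON, sig, pkg []byte,
	product string, installedVersion int) (*Manifest, error) {
	// 1. Signature over the raw manifest bytes, before trusting any field.
	if !ed25519.Verify(vendorPub, manifestJSON, sig) {
		return nil, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, err
	}
	// 2. Product binding and anti-rollback on the now-authenticated fields.
	if m.Product != product {
		return nil, ErrWrongProduct
	}
	if m.Version <= installedVersion {
		return nil, ErrRollback
	}
	// 3. Package bytes against the signed digest.
	sum := sha256.Sum256(pkg)
	want, err := hex.DecodeString(m.SHA256)
	if err != nil || !bytes.Equal(sum[:], want) {
		return nil, ErrHashMismatch
	}
	return &m, nil
}

func main() {
	pub, priv, _ := NewReleaseKey()
	pkg := []byte("constructed sample update payload") // stands in for the real installer
	mj, sig, _ := SignManifest(priv, Manifest{Product: "taxapp", Version: 2, SHA256: DigestHex(pkg)})

	if _, err := VerifyUpdate(pub, mj, sig, pkg, "taxapp", 1); err != nil {
		fmt.Println("unexpected:", err)
	} else {
		fmt.Println("genuine update accepted")
	}
	// An attacker who controls the update server can swap the package but
	// cannot produce a valid signature over a manifest naming its hash.
	tampered := append([]byte{}, pkg...)
	tampered[0] ^= 0xff
	_, err := VerifyUpdate(pub, mj, sig, tampered, "taxapp", 1)
	fmt.Println("tampered package:", err)
}
```

The order of the checks matters: the signature is verified over the raw manifest bytes before anything is parsed, so a forged manifest never reaches the JSON decoder, and the hash comparison only runs against a digest that is already authenticated. The caveat a practitioner will want is that this scheme is only as strong as the custody of the release key; if signing happens on the same build server an attacker has compromised, the attacker’s package is simply signed along with everyone else’s, which is why the key belongs on an offline or hardware-backed signer.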
The Maersk cyberattack occurred due to:
1. Exploiting system vulnerabilities: Attackers targeted vulnerabilities in Maersk’s outdated Windows systems, which lacked security updates.
2. Compromised software vendor: The attack began with phishing emails to MeDoc employees, containing malware attachments or links.
3. Software supply chain attack: Malware was hidden in a MeDoc software update, infiltrating the systems of companies using MeDoc, including Maersk.
4. Network spread: After infecting one system, the malware spread quickly because the other systems were equally outdated; the lack of backups then made recovery far harder.
5. Domain controller attack: The malware infected all of Maersk’s domain controllers at the same time, taking down the entire network.
6. Inadequate response: The emergency response was delayed, which allowed the malware to spread further before the network was shut down.
The Maersk attack occurred on June 27, 2017, when the company was hit by the NotPetya ransomware. Here is how the attack unfolded:
1. Initial Attack Vector: The malware was initially spread through a compromised software update from MeDoc, a Ukrainian tax and accounting software. MeDoc was used by many companies in Ukraine for tax filing, including Maersk. This allowed the malware to spread via the trusted software update mechanism.
2. Exploitation of Vulnerabilities: Once inside Maersk’s network, the NotPetya ransomware exploited known vulnerabilities in older software systems, particularly Microsoft Windows systems, that had not been updated with critical security patches. These vulnerabilities were primarily due to the use of outdated operating systems like Windows 2000 and Windows XP.
3. Propagation of the Malware: NotPetya used tools like EternalBlue (a leaked NSA exploit) to move laterally within Maersk’s network. The malware spread rapidly across Maersk’s global IT infrastructure, infecting domain controllers, PCs, and servers. It disrupted critical communication systems, including email and phone systems.
4. Malware’s Impact: The ransomware caused the systems to crash, encrypting files and rendering them inaccessible. It also wiped the master boot records of infected computers, making recovery impossible unless backups were available. The attack disrupted Maersk’s entire global supply chain, affecting ports, terminals, and shipping operations.
5. Manual Intervention: With the IT systems down, Maersk had to resort to manual processes to manage shipments and communicate with customers. Shutting the global network down took more than two hours, and recovery took weeks, requiring the installation of new servers, PCs, and applications.
The attack, attributed to a sophisticated state-sponsored group (likely linked to Russia), caused significant disruption, with Maersk incurring millions in losses due to halted operations, recovery efforts, and compensation to customers.
NotPetya Attack Timeline and Impact on Maersk
Initial Infection: The attack began when MeDoc employees unknowingly opened phishing emails containing malicious software, granting attackers access to MeDoc’s network.
Dormant Spread and Lateral Movement: Once inside, the attackers stole data and credentials, allowing them to move laterally within the network and potentially compromise other organizations using MeDoc. NotPetya remained inactive for five days, only launching on the eve of Ukrainian Constitution Day, suggesting political motives likely tied to Russian state-sponsored actors.
Attack Activation and Propagation: On June 27, NotPetya was triggered, encrypting files and displaying a fraudulent ransom message, though its true intent was data destruction rather than financial extortion.
Impact on Maersk: The attack completely disrupted Maersk’s global network, shutting down shipping terminals and forcing the company to rely on manual operations, causing severe delays and financial losses. Additionally, systems that lacked proper backups suffered permanent data loss, affecting critical business records and personal information.
The Maersk attack happened through the following sequence of events:
1. Initial Infection: The NotPetya malware initially infected Ukrainian systems through a compromised software update of MeDoc, a financial software used by many Ukrainian companies. Maersk’s local operations in Ukraine were also using this software.
2. Spread through Networks: Once the malware infected Maersk’s local systems in Ukraine, it quickly spread across the company’s global network. The malware exploited vulnerabilities in Microsoft Windows systems, using EternalBlue and EternalRomance, which allowed it to gain access and propagate rapidly.
3. Simultaneous Compromise: Maersk’s network architecture included 150 domain controllers that managed access to the entire IT infrastructure. The malware simultaneously infected all these controllers, effectively wiping out the entire network structure.
4. Global Impact: As a result, Maersk’s entire global IT system went offline, causing operations to grind to a halt. The company had to resort to manual processes and emergency recovery efforts to restore its systems.
1. The NotPetya malware was disguised as a regular update to MeDoc, a Ukrainian software package used for taxation and accounting.
2. An employee unknowingly installed the update, which contained malicious code.
3. The malware exploited the EternalBlue and EternalRomance exploits (leaked NSA tools) to spread throughout Maersk’s IT infrastructure.
4. All domain controllers were wiped, effectively erasing the network’s entire authentication system.
5. Shipping operations collapsed, forcing Maersk to switch to manual processes (pen and paper) to keep part of the business running.
6. The company found an uninfected backup in Ghana, which helped restore its systems after an intense recovery operation.
7. The attack cost Maersk about $300 million, including IT equipment replacement and lost business.