[BreachExchange] Maersk Reinstalled 45,000 PCs and 4,000 Servers to Recover From NotPetya Attack

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jan 25 19:00:54 EST 2018


The world's largest container shipping company —A.P. Møller-Maersk— said it
recovered from the NotPetya ransomware incident by reinstalling over 4,000
servers, 45,000 PCs, and 2500 applications over the course of ten days in
late June and early July 2017.

By all accounts, this is a monumental effort from Maersk's IT staff,
equivalent to installing a new infrastructure from the ground up.

The effort is even more jaw-dropping when we take into consideration that
Maersk is the world's largest shipping company, hauling over a fifth of
the world's ship containers.

Maersk CEO: "We had to reinstall an entire infrastructure"

These new details came to light yesterday, while Jim Hagemann Snabe,
Chairman of A.P. Møller-Maersk, participated in a panel on securing the
future of cyberspace at the World Economic Forum held in Davos, Switzerland.

The incident Snabe was referencing is the NotPetya ransomware outbreak that
hit companies around the world.

"I'll never forget, it was the 27 of June when I was woken up at 4 o'clock
in the morning. A call came from the office that we had suffered a
cyberattack," Snabe said.

"The impact of that is that we basically found that we had to reinstall an
entire infrastructure," Snabe continued. "We had to install 4,000 new
servers, 45,000 new PCs, 2,500 applications."

"And that was done in a heroic effort over ten days. Normally —I come from
the IT industry— I would say it's gonna take six months. It took ten days,"
Snabe added, referring to his previous position as SAP's CEO.

Maersk covered 80% of all shipping volume without any IT

The consequences were felt almost immediately in Maersk's operations, but
Snabe says his company's employees faced the storm bravely, with minimal
impact on the firm's activity.

"Imagine a company where a ship with 20,000 containers would enter a port
every 15 minutes, and for ten days you have no IT.

"It's almost impossible to even imagine. And we actually overcome that
problem with human resilience," Snabe said. "We only had a 20% drop in
volume, so we managed 80% of that volume manually. [...] Customers were
great contributors to overcoming that."

Maersk: We were collateral damage of probably a state attack

In hindsight, Snabe says he feels that his company was just "collateral
damage of probably a state attack."

The NotPetya ransomware initially spread as a malicious update of M.E.Doc,
a popular Ukrainian accounting software. Many non-Ukrainian companies were
also infected because NotPetya spread to internal networks via VPN. The
ransomware infected a company's offices in different countries after it
initially infected Ukrainian headquarters.

Snabe's remarks regarding NotPetya being a state attack come after many
cyber-security companies attributed the NotPetya ransomware to a
cyber-espionage group named TeleBots that many suspect is the cyber-arm of
a Russian intelligence agency.

Ukrainian officials didn't mince words or time blaming NotPetya on Russia,
and recently, even the CIA officially blamed the Russian military's GRU
GTsST, or Main Center for Special Technology, as the source of the NotPetya
ransomware, in a classified report seen by Washington Post reporters.

Maersk: NotPetya damage between $250 and $300 million

Snabe also said his company estimated the damages caused by NotPetya at
between $250 and $300 million. This is the same damages tag that both US
pharmaceutics giant Merck and US-based international courier service FedEx
put on the NotPetya aftermath.

Maersk was lucky to fully recover in ten days after the incident. A month
after NotPetya hit some of its factories, Merck was still not producing
some types of bulk products used for products such as KEYTRUDA, JANUVIA,
and ZEPATIER, critical drugs for various illnesses.

FedEx was also unlucky, revealing that some of the NotPetya damage was
permanent, and admitting that its TNT subsidiary might have lost some
customer package details for good.

Maersk CEO now sees the good side of the incident

"It was an important wake-up call," he said. "We were basically average
when it comes to cyber-security, like many companies. And this was a
wake-up call to become not just good —we actually have a plan to come in a
situation where our ability to manage cyber-security becomes a competitive

In the subsequent discussions, Snabe also urged fellow Davos World Economic
Forum participants to focus on securing cyberspace.