Last year was a bad time for data security, but a great time for digital criminals. In the midst of the thousands of hacks, leaks, exploits and phishing attempts, a group of Russian military hackers unleashed a virulent worm that would cause untold disruption and cost companies around the world billions in lost revenues and repair costs.
While nobody has claimed responsibility for the NotPetya virus, it has been traced back to a group of Russian military hackers who were trying to wreak havoc in the Ukraine – and send a warning to companies that dare to do business with Russia's enemy.
The virus originated in the Ukraine, after Russian hackers gained access to the servers of Linkos Group, a company that produces a popular accounting program called MeDoc. Having gained access, the hacking group, known as Sandworm, was able to infect the MeDoc update server, which then allowed them access to the thousands of PCs around the world that have MeDoc installed.
NotPetya spread rapidly. It relied on two exploits working in partnership to sidestep defences, infect computers and spread to the next host. EternalBlue, a tool created by the US National Security Agency but stolen during a breach earlier in the year, was combined with Mimikatz, a script created by a French researcher to demonstrate that Windows was leaving users' passwords in memory. Using these two exploits, the virus could leapfrog from machine to machine in a matter of hours.
Maersk goes dark
On 27 June, computer screens at Maersk headquarters began to go black. Some displayed messages asking for a ransom to be paid in bitcoin; others simply stated that the machine was being repaired, and should not be turned off. Whatever the message, the machine was frozen and unusable.
Maersk, a global shipping company, was completely stricken by the virus: so many computers were infected, so rapidly, that the company was unable to take new orders or manage their vast shipping fleet. Even the IT security team was unable to work. Servers, computers, routers and desk phones were all brought down by the virus.
Around the world, 17 of Maersk's 76 freight terminals were disrupted by the virus. Without computers, nobody could do anything. Freight could not be received, loaded or despatched. The contents of containers were unknown and new bookings could not be taken. Ports in Los Angeles, Rotterdam and Mumbai were reduced to parking garages. It was a catastrophic failure of shipping IT – and the costs are estimated to be astronomical.
Billions in lost earnings
Ultimately, NotPetya would cause an estimated $10 billion in damage, crippling multinational companies including TNT Express, Mondelez, Reckitt Benckiser, Rosneft and Merck.
At Maersk, recovering from the attack involved a frantic effort to restore core machines and then gradually wipe and restore individual machines. In just 10 days the company managed to rebuild its network of 4,000 servers and 45,000 PCs – though a complete recovery took many months.
While NotPetya was a fiendishly clever virus, it did rely on Maersk (and other victims) having unpatched machines – something that could have been avoided. Maersk has since changed its approach to digital security and is investing widely in security systems and processes. Employees report that requests for spending on digital security are now approved without delay, a contrast to the company's prior reluctance to invest in digital protection.
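As an added example (not part of this article, and not tooling from Maersk or any of the companies named), the following PowerShell script audits a single Windows host for the two conditions the article describes: SMBv1 still enabled, which is the surface EternalBlue used, and credential material left recoverable from LSASS, which is what Mimikatz harvested. It also checks whether one of the MS17-010 security updates is installed. The KB numbers are the ones Microsoft issued for MS17-010 on Windows 7, 8.1, Server 2008 R2, 2012 and 2012 R2; the function names, the report layout and the assumption that the host runs Windows 8.1 / Server 2012 R2 or later (for Get-SmbServerConfiguration) are choices made for this example. Run it in an elevated session; it only reads configuration and changes nothing.

```powershell
# Added example: read-only exposure audit for the NotPetya propagation chain.
# Assumes Windows 8.1 / Server 2012 R2 or later and an elevated PowerShell session.

# MS17-010 security updates for the older builds. Windows 10 and later received
# the fix inside cumulative updates, so on those builds a "missing" result means
# "check the build's update history", not "vulnerable".
$Ms17010Hotfixes = @('KB4012212', 'KB4012215', 'KB4012213', 'KB4012216',
                     'KB4012214', 'KB4012217')

function Test-Smb1ServerEnabled {
    # SMBv1 is the protocol EternalBlue targets; a hardened host reports $false.
    return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
}

function Test-Ms17010HotfixPresent {
    # $true if any of the listed MS17-010 updates shows up in the hotfix history.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $present   = $Ms17010Hotfixes | Where-Object { $installed -contains $_ }
    return (@($present).Count -gt 0)
}

function Test-LsaProtectionEnabled {
    # RunAsPPL = 1 runs LSASS as a protected process, so unsigned tools such as
    # Mimikatz cannot open it to read credentials out of memory.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $val = (Get-ItemProperty -Path $key -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
    return ($val -eq 1)
}

function Test-WDigestPlaintextDisabled {
    # UseLogonCredential = 0 stops WDigest from keeping a reversible copy of the
    # logon password, which is what "passwords left in memory" referred to.
    # On Windows 8.1 / 2012 R2 and later an absent value means the secure
    # default is in effect; on older builds an absent value means caching is on.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $val = (Get-ItemProperty -Path $key -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    return ($null -eq $val -or $val -eq 0)   # relies on the 8.1+ assumption above
}

function Get-NotPetyaExposureReport {
    # One object per host; suitable for piping to Export-Csv across a fleet.
    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        Smb1ServerEnabled       = Test-Smb1ServerEnabled
        Ms17010HotfixPresent    = Test-Ms17010HotfixPresent
        LsaProtectionEnabled    = Test-LsaProtectionEnabled
        WDigestPlaintextOff     = Test-WDigestPlaintextDisabled
    }
}

Get-NotPetyaExposureReport | Format-List
```

A host that reports Smb1ServerEnabled = True or WDigestPlaintextOff = False has exactly the exposure the article describes, regardless of how the rest of the estate looks; running the report through Invoke-Command against a list of servers gives the fleet-wide view that a patch-status question like Maersk's needs.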
Why do so many companies have to learn digital security lessons the hard way?