Return to Security and Privacy

NotPetya and Maersk: An Object Lesson

I don’t know how many people have noticed, but in my opinion we are in a state of war with Russia right now, only the weapons are code instead of missiles and bullets. A good example of this is the NotPetya malware which hit various networks in June of 2017. It initially looked like a variant of the Petya ransomware, but it quickly developed that this was a masquerade. It was never intended to collect ransoms, but instead was designed purely to be malicious. The initial target was in Ukraine, which is in a somewhat hotter state of war with Russia, but it quickly spread to a number of networks in Western Europe and the U.S. But this is not really an article about the malware itself, it is about the Danish shipping company Maersk.

Mearsk is a critical part of the infrastructure of the western economy. It handles containerized shipping around the world, delivering parts to manufacturers and finished goods to markets. And in today’s manufacturing environment “just-in-time” manufacturing relies on parts and raw materials being delivered each day where they are needed. Companies no longer maintain any significant level of inventories of either, so the daily shipments are required to keep the machines in operation and the workers employed. And to manage this companies like Maersk rely on large computer networks to keep everything moving smoothly. So it just stands to reason they would treat their network like the crown jewels, right? Well, not so much.

In fact, there were significant problems that had gone unaddressed that were about bite Maersk in the butt. And this makes it a good object lesson in light of our previous article NIST Cybersecurity Framework. That may have seemed a bit dry, so let’s look at this case study to put some flesh on those dry bones. Maersk suffered days of downtime that affected their operations in 76 ports all over the world, and the 800 vessels (giant container ships) they operated. The losses they officially acknowledged came to $300 million, but that is probably a deliberately low estimate. And this does not count the losses inflicted on other participants, such as the ports, trucking companies, customers, etc. And Maersk was not the one to suffer the largest losses. The pharmaceutical company Merck came in with an estimate of $870 million, and the White House estimated the total for losses at $10 billion.

But we are here to look at what Maersk did to get in so much trouble. First, it is worth noting that the IT department had been pushing for security improvements, but implementing them was not a priority for Maersk management. As the saying goes, you don’t miss your water til the well runs dry. What was the IT department pointing out?

  • Maersk was still running very old servers, some of which were running Windows 2000. But by 2017 that old operating system was not longer supported, and Microsoft was not issuing any security updates. Of course, part of the problem was no doubt that a newer operating system would also require newer hardware. But it should be a matter of course to plan on updates to both hardware and software on a regular schedule to keep up-to-date. A good IT organization will plan to regularly test patches and new operating systems as they are released. This should include regression testing and testing all currently installed hardware and software. If an incompatibility is surfaced, the appropriate response is not to maintain the old hardware or software, but to plan on finding replacements or getting the vendor to update and support the new environment. This costs money, of course, but probably a lot less than this malware cost.
  • Network segmentation was lacking. In a large network you do not want any intruder to have full run of the whole network. This is also what happened to Sony when the North Koreans got into its network. The way you do this properly is to segment your network so that systems that truly need to interact are on a network segment that does not easily communicate with other segments. At the very least, you need to have password protection with separate passwords for each segment. Even better would be to incorporate multi-factor authentication. Both were missing at Maersk.
  • Backup problems existed here as well. A good rule is the 3-2-1 rule. You want 3 different copies of the backup, in at least 2 different media, and at least 1 offsite. And of course the offsite one needs to be off the network completely. The reason is that any malware that gets on your network will attack any system connected to the network. For example, ransomware will look for any attached backup system and encrypt all of that data as well. In the case of Maersk, they had made all of their domain controllers connect to each other so that they would always be in sync, which is good enough as long as you keep in mind the other copies, which they did not have. Maersk got lucky here, since one server out of the approximately 150 , in Ghana, somehow escaped destruction. They were able to fly the hard drive back their IT headquarters to rebuild the network. And how had the Ghana server survived? Dumb luck. A power failure in Ghana had knocked it offline, and it was disconnected from the rest of the network while NotPetya was busy destroying everything.
  • Lack of urgency: the IT department was well aware of the potential problems, and had communicated their concerns to management. And they obtained general agreement that these problems should be addressed. But addressing these problems was never part of what is termed a “key performance indicator” for anyone in management, including IT management. This is an ongoing problem in many organizations since IT is often seen as only a cost, and not as a competitive advantage. And yet for Maersk literally their entire business relied on excellent IT implementation.

Well, there was a television advertisement some years ago in the U.S. for an auto maintenance service with the punchline “You can pay me now, or you can pay me later.” Maersk did suddenly make those IT improvements a top priority, but only after a large loss and and disruption to their business relationships. This is a hard way to learn the lesson. And maybe the biggest lesson is that executives have to be held responsible for this stuff. As the NIST Framework says, “There is a formal, organization-wide approach to managing cybersecurity risk, and senior management monitors this just as they monitor financial risks and other organizational risks. ”