
The Russian cyber attack that devastated Ukrainian businesses in 2017


Kevin McCaffrey

Co-Founder & Executive Advisor



On the 27th of June 2017, one of the most disruptive cyber attacks in history tore through networks across Europe and beyond. Many multinational companies suffered immediate and disastrous effects; at the global shipping firm A.P. Møller–Mærsk alone, over 45,000 laptops and desktop computers and 4,000 servers were rendered unusable. Starting in Ukraine, the malware, known as NotPetya, spread rapidly across Europe and the globe.


NotPetya was one of the most prominent malware outbreaks in history because of its scale. It primarily hit the networks and systems of Ukrainian organizations, including banks, ministries, newspapers and electricity firms, but also struck companies in France, Germany, Italy, Poland, Russia, the United Kingdom, the United States and Australia.


This article takes a case study approach, looking at the NotPetya infection on the shipping company A.P. Møller – Mærsk, and evaluating the attack methodology, intent, timeline, and result of the security response.

The Cyber Kill Chain

The Cyber Kill Chain (CKC) is a framework developed by Lockheed Martin that breaks an intrusion into seven steps to give visibility into an attack and help an analyst understand an adversary's tactics, techniques, and procedures. The CKC is part of Lockheed Martin's Intelligence Driven Defense model for identifying and preventing cyber intrusion activity. The seven steps in the CKC are reconnaissance, weaponization, delivery, exploitation, installation, command and control (C2), and actions on objectives.


How did NotPetya attack Mærsk?

NotPetya was delivered through a trojanized update of the popular Ukrainian accounting software M.E.Doc, and it spread using EternalBlue, an exploit for a vulnerability in the Microsoft Windows SMBv1 service (patched by Microsoft as MS17-010 in March 2017). After exploitation, NotPetya's payload encrypted the victim's computers and displayed a screen demanding payment to a bitcoin wallet, exactly as ransomware would.


Unbeknownst to the victim, however, NotPetya was not genuine ransomware: there was no ransom group with whom to communicate and no way to recover the encrypted files. The ransom screen was instead a clandestine attempt at misdirection, designed to have the operation attributed to criminal groups when it was in fact part of a nation-state cyber warfare campaign. It is widely believed that NotPetya grew out of escalating tensions between Russia and Ukraine and was part of a Russian offensive cyber operation to infiltrate and disrupt Ukrainian targets.


What was the cost of the NotPetya ransomware attack?

Like the Stuxnet worm discovered in 2010, this landmark case was a nation-state cyber attack exposed in public; unlike Stuxnet, it was the first to cause massive collateral damage to multinational victims.


In the end, the NotPetya attack is estimated to have cost Mærsk roughly USD 300 million in losses from reduced productivity and lost business, as well as the cost of rebuilding and reinstalling systems after the attack.


The full cost of NotPetya is unknown, not least because it also served as a wake-up call to the industry, prompting many companies to reevaluate their risk posture and increase investment in cybersecurity expertise, technology, and processes.

How did Mærsk respond to the NotPetya ransomware attack?

As Mærsk was one of the largest and most affected companies, it has become a case study in how a company responds to such a rapid and widespread attack. In Mærsk's own post-mortem timeline, the response is broken down into the following phases:


Initial Discovery

Mærsk observed that what looked like a ransomware variant was propagating across the company network. Attempts to contain the spread failed, and staff eventually resorted to physically unplugging computers and servers.


Days 1-3

Mærsk issued statements about the situation, both internally and externally, and engaged Deloitte to assist with forensics and to reverse engineer the malware in order to understand how it worked. With that understanding, Mærsk designed a new Windows build, based on Windows 10, that was less vulnerable to NotPetya, and strengthened its security systems to reduce exposure to further attack. Finally, Mærsk retrieved an undamaged copy of Active Directory to aid the rebuild.


Days 4-9

Mærsk began the recovery process, rebuilding over 2,000 laptops and restoring Active Directory. Core business processes and systems were brought back during this period.


Days 9+

It took Mærsk over a month to fully restore all applications and laptops.


In terms of the CKC, almost everything Mærsk was able to do happened after the delivery and exploitation phases. Because this malware spread so rapidly, the later phases blended together rather than unfolding in a predictable sequence. And because the damage to Mærsk was collateral to a nation-state attack, the reconnaissance and weaponization phases were never aimed at Mærsk at all; those preparatory phases were focused on strategic Ukrainian targets and on the M.E.Doc software and its update channel.


How did the NotPetya ransomware spread?

Delivery occurred through a trusted network within the Mærsk partner ecosystem, from which the malware spread quickly to connected Mærsk systems. For exploitation, NotPetya combined two methods: it harvested credentials from memory on each infected host and reused them (pass-the-hash style lateral movement, executing remotely via PsExec and WMI), and it fired the EternalBlue SMB exploit at unpatched neighbours. Either path gave it administrator-level execution on the next machine, and once that was obtained, installation was fully automated and scaled laterally across the network. There was no active command and control, because the code was built to destroy systems rather than to control or exploit them. At the actions-on-objectives stage the malware masqueraded as a ransomware encryptor, but it behaved as a wiper, leaving every system it touched unrecoverable.
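The propagation pattern described in this paragraph is also what a defender can hunt for: one process fanning out to many hosts on SMB/RPC ports in seconds, PsExec-style remote service installs, WMI-spawned living-off-the-land binaries, and a user-land process opening the boot disk. The following Python script is an added example, not code from the original article, from Mærsk, or from any vendor. It runs those four heuristics over a constructed sample of normalized Windows/Sysmon-style events; the field names, host names, thresholds and process allow-list are assumptions made for the example, not a real log schema or tuned production rules.

```python
"""Hunt for NotPetya-style worm behaviour over constructed sample events.

Added example (not the article's, Mærsk's or any vendor's code). Event field
names mirror Sysmon / Windows System log fields but are assumptions, not a
real schema. Sample data below is synthetic.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (synthetic; not real logs).
SAMPLE_EVENTS = [
    # Benign baseline: a file server talking to two hosts over SMB.
    {"type": "network_connect", "ts": "2017-06-27T10:00:00", "host": "FS01",
     "image": "C:\\Windows\\System32\\svchost.exe", "dst_ip": "10.0.1.10", "dst_port": 445},
    {"type": "network_connect", "ts": "2017-06-27T10:00:05", "host": "FS01",
     "image": "C:\\Windows\\System32\\svchost.exe", "dst_ip": "10.0.1.11", "dst_port": 445},
    # Worm-like fan-out: one rundll32 on WS-ODS-07 sweeping a /24 on 445 within seconds.
    *[{"type": "network_connect", "ts": f"2017-06-27T10:15:{i:02d}", "host": "WS-ODS-07",
       "image": "C:\\Windows\\System32\\rundll32.exe", "dst_ip": f"10.0.2.{i + 1}", "dst_port": 445}
      for i in range(12)],
    # PsExec-style remote service install on a victim (System log EID 7045 shape).
    {"type": "service_install", "ts": "2017-06-27T10:15:20", "host": "WS-ODS-12",
     "service_name": "PSEXESVC", "image_path": "C:\\Windows\\PSEXESVC.exe"},
    # WMI remote execution: WmiPrvSE.exe parenting rundll32 (payload name is a placeholder).
    {"type": "process_create", "ts": "2017-06-27T10:15:25", "host": "WS-ODS-13",
     "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "image": "C:\\Windows\\System32\\rundll32.exe",
     "command_line": "rundll32.exe C:\\Windows\\payload.dll,#1"},
    # Raw access to the boot disk from a user-land process (Sysmon EID 9 shape): MBR tampering.
    {"type": "raw_disk_access", "ts": "2017-06-27T10:16:00", "host": "WS-ODS-07",
     "image": "C:\\Windows\\System32\\rundll32.exe", "device": "\\Device\\Harddisk0\\DR0"},
]

LATERAL_PORTS = {445, 135}        # SMB, and RPC endpoint mapper used by WMI/DCOM
FAN_OUT_THRESHOLD = 10            # distinct targets from one process (assumed tuning)
FAN_OUT_WINDOW = timedelta(seconds=60)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_smb_fanout(events, threshold=FAN_OUT_THRESHOLD, window=FAN_OUT_WINDOW):
    """Flag a (host, process) that reaches >= threshold distinct hosts on lateral ports inside window."""
    by_src = defaultdict(list)
    for e in events:
        if e["type"] == "network_connect" and e["dst_port"] in LATERAL_PORTS:
            by_src[(e["host"], e["image"])].append((datetime.fromisoformat(e["ts"]), e["dst_ip"]))
    alerts = []
    for (host, image), conns in by_src.items():
        conns.sort()
        start = 0
        for end in range(len(conns)):            # sliding time window over sorted connects
            while conns[end][0] - conns[start][0] > window:
                start += 1
            targets = {ip for _, ip in conns[start:end + 1]}
            if len(targets) >= threshold:
                alerts.append({"rule": "smb_fanout", "host": host, "image": image, "targets": len(targets)})
                break                             # one alert per source process
    return alerts


def detect_remote_service_install(events):
    """PsExec-style lateral movement: service named PSEXESVC or binary pushed to the ADMIN$ root."""
    alerts = []
    for e in events:
        if e["type"] != "service_install":
            continue
        if e["service_name"].upper() == "PSEXESVC" or _basename(e["image_path"]) == "psexesvc.exe":
            alerts.append({"rule": "remote_service_install", "host": e["host"], "service": e["service_name"]})
    return alerts


def detect_wmi_spawn(events):
    """Remote execution over WMI: WmiPrvSE.exe spawning a LOLBin such as rundll32 or cmd."""
    lolbins = {"rundll32.exe", "cmd.exe", "powershell.exe", "regsvr32.exe", "mshta.exe"}
    return [{"rule": "wmi_remote_exec", "host": e["host"], "command_line": e["command_line"]}
            for e in events if e["type"] == "process_create"
            and _basename(e["parent_image"]) == "wmiprvse.exe" and _basename(e["image"]) in lolbins]


def detect_raw_disk_write(events):
    """User-land process opening the physical boot disk: MBR overwrite / wiper behaviour."""
    allowed = {"system", "vssvc.exe", "smss.exe"}  # hypothetical allow-list; tune per estate
    return [{"rule": "raw_boot_disk_access", "host": e["host"], "image": e["image"]}
            for e in events if e["type"] == "raw_disk_access"
            and _basename(e["image"]) not in allowed and "harddisk0" in e["device"].lower()]


def run_detections(events):
    alerts = []
    for rule in (detect_smb_fanout, detect_remote_service_install, detect_wmi_spawn, detect_raw_disk_write):
        alerts.extend(rule(events))
    return alerts


def hosts_touched(alerts):
    """Sorted list of hosts with at least one alert: the containment scope after one pass."""
    return sorted({a["host"] for a in alerts})


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
    print("hosts to isolate:", hosts_touched(SAMPLE_EVENTS and run_detections(SAMPLE_EVENTS)))
```

The fan-out rule is the one that matters most against a worm, because it fires on the first infected host before the others have finished rebooting; the other three confirm the technique used against each victim. In a real estate the thresholds need tuning against normal SMB chatter from file servers and management tools, which is why the benign FS01 traffic is in the sample.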


In terms of response, by the time Mærsk realized it was under attack, it was already too late. The vulnerability that EternalBlue exploited was known and had been patched by Microsoft in March 2017 (MS17-010), and had already been abused by WannaCry the previous month, but the patch was still not widely deployed.


What the attack demonstrated was the major weaknesses in the global software vendor and supply chain, and the speed at which an attack arriving through a trusted channel can cripple a business.


Since then, the global community has taken great steps to remediate the specific EternalBlue vulnerability (applying MS17-010 and disabling SMBv1), and the threat of collateral damage from a nation-state attack is better understood. However, companies remain exposed to similar attacks through other vulnerabilities and other trusted channels, so additional risk management and risk transfer measures must be found.


The best way to do this is to contact a professional incident response team before the attack even happens. Falling victim to ransomware can be both stressful and emotional. An experienced IR company such as Blackpanda provides invaluable help in containing the attack, eradicating the malware, and restoring business as usual, all whilst managing PR, negotiating with the attackers, and ensuring safety and legality throughout. 


Blackpanda is Asia’s Premier Digital Forensics and Incident Response provider, and we support our clients by conducting regular compromise assessments to check for active threats in the network, managing security configurations, preparing tabletop exercises and incident response plans to boost employee awareness, and responding to incidents promptly with Special Forces Expertise. 


To learn more about our ransomware preparation services, or to report a breach, contact Blackpanda.

References:

Andy Greenberg (August 22, 2018). The Untold Story of NotPetya, the Most Devastating Cyberattack in History. Wired. Retrieved from https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/

Maarten van Hees (October 2021). The 2017 MAERSK Cyber Incident: Learning from and Applying the Lessons of a Major Cyber Incident. Maersk. Retrieved from https://fhi.nl/app/uploads/sites/75/2020/10/201029-FHI_Maersk.pdf

Carla Liedtke (2021). Cyber Case Study. Swiss Re Corporate Solutions: The Journal. Retrieved from http://journal.strategicrisk-asiapacific.com/businessinterruption/chapter-3-cyber-case-study/
