“I saw a wave of screens turning black. Black, black, black...”
Wired magazine recently published a chilling account of the NotPetya cyber-attack and the fallout for Maersk, the world’s largest shipping conglomerate.
In the spring of 2017, Russian military hackers hijacked a company’s update servers to give themselves a hidden back door into the thousands of PCs around Ukraine and the world that had an accounting programme called M.E.Doc installed (more or less Ukraine’s equivalent of TurboTax or Quicken, used by nearly anyone who files taxes or does business in the country). Then, in June 2017, the saboteurs used that back door to release a piece of malware called NotPetya, their most vicious cyberweapon yet.
NotPetya took its name from its resemblance to the ransomware Petya, a piece of criminal code that surfaced in early 2016 and extorted victims to pay for a key to unlock their files. But NotPetya’s ransom messages were only a ruse. The malware’s goal was purely destructive. It irreversibly encrypted computers’ master boot records, the deep-seated part of a machine that tells it where to find its own operating system. Any ransom payment that victims tried to make was futile. No key even existed to reorder the scrambled noise of their computer’s contents.
The result was more than $10 billion in total damages, according to a White House assessment confirmed to WIRED by former Homeland Security adviser Tom Bossert, who at the time of the attack was President Trump’s most senior cybersecurity-focused official.
“While there was no loss of life, it was the equivalent of using a nuclear bomb to achieve a small tactical victory,” Bossert says. “That’s a degree of recklessness we can’t tolerate on the world stage.”
Bossert and US intelligence agencies also confirmed in February that Russia’s military, the prime suspect in any cyberwar attack targeting Ukraine, was responsible for launching the malicious code. The Russian foreign ministry declined to answer repeated requests for comment.
There are some striking conclusions that can be made:
Five months after Maersk had recovered from its NotPetya attack, Maersk chair Jim Hagemann Snabe sat onstage at the World Economic Forum meeting in Davos, Switzerland, and lauded the “heroic effort” that went into the company’s IT rescue operation. From June 27, when he was first awakened by a 4 am phone call in California, ahead of a planned appearance at a Stanford conference, he said, it took just 10 days for the company to rebuild its entire network of 4,000 servers and 45,000 PCs. (Full recovery had taken far longer. Some staffers at the Maidenhead operation continued to work day and night for close to two months to rebuild Maersk’s software setup.)
“We overcame the problem with human resilience,” Snabe told the crowd.
- The cyber security tasks you set aside or don’t have budget for, are the ones that bite you back when the attack comes.
“Do you remember we were about to implement new security controls?” Well, too late.
Maersk security staffers tell WIRED that some of the corporation’s servers were, up until the attack, still running Windows 2000—an outdated operating system that Microsoft no longer supported. In 2016, one group of IT executives had pushed for a pre-emptive security redesign of Maersk’s entire global network. They called attention to Maersk’s less-than-perfect software patching, outdated operating systems, and above all insufficient network segmentation. That last vulnerability in particular, they warned, could allow malware with access to one part of the network to spread wildly beyond its initial foothold, exactly as NotPetya would the next year.
The security revamp was green-lit and budgeted. But its success was never made a so-called key performance indicator for Maersk’s most senior IT overseers, so implementing it wouldn’t contribute to their bonuses. They never carried the security makeover forward.
- If you think you will have time to react, and that resources can be used as normal, you are in big trouble. Your scenario planning is flawed.
Disconnecting Maersk’s entire global network took the company’s IT staff more than two panicky hours. By the end of that process, every employee had been ordered to turn off their computer and leave it at their desk. The digital phones at every cubicle, too, had been rendered useless in the emergency network shutdown.
Domain controllers are the servers that function as a detailed map of Maersk’s network and set the basic rules that determine which users are allowed access to which systems. Maersk’s 150 or so domain controllers were programmed to sync their data with one another, so that, in theory, any of them could function as a backup for all the others. But that decentralized backup strategy hadn’t accounted for one scenario: where every domain controller is wiped simultaneously. “If we can’t recover our domain controllers,” a Maersk IT staffer remembers thinking, “we can’t recover anything.”
- The cost of an attack could be exponentially higher than you estimated.
Few firms have paid more dearly for dragging their feet on security. In his Davos talk, Snabe claimed that the company suffered only a 20 percent reduction in total shipping volume during its NotPetya outage, thanks to its quick efforts and manual workarounds. But aside from the company’s lost business and downtime, as well as the cost of rebuilding an entire network, Maersk also reimbursed many of its customers for the expense of rerouting or storing their marooned cargo. One Maersk customer described receiving a seven-figure check from the company to cover the cost of sending his cargo via last-minute chartered jet. “They paid me a cool million with no more than a two-minute discussion,” he says. All told, Snabe estimated in his Davos comments, NotPetya cost Maersk between $250 million and $300 million. Most of the staffers WIRED spoke with privately suspected the company’s accountants had low-balled the figure.
And, of course, Maersk was only one victim. Merck, whose ability to manufacture some drugs was temporarily shut down by NotPetya, told shareholders it lost a staggering $870 million due to the malware. FedEx, whose European subsidiary TNT Express was crippled in the attack and required months to recover some data, took a $400 million blow. French construction giant Saint-Gobain lost around the same amount. Reckitt Benckiser, the British manufacturer of Durex condoms, lost $129 million, and Mondelēz, the owner of chocolate-maker Cadbury, took a $188 million hit. Untold numbers of victims without public shareholders counted their losses in secret.
- Cyberwar is here; these are only the opening shots.
Almost everyone who has studied NotPetya, however, agrees on one point: that it could happen again, even on a larger scale. Global corporations are simply too interconnected, information security is too complex, and attack surfaces too broad to protect against state-trained hackers bent on releasing the next world-shaking worm. Russia, meanwhile, hardly seems to have been chastened by the US government’s sanctions for NotPetya, which arrived a full eight months after the worm hit and whose punishments were muddled with other messages chastising Russia for everything from 2016 election disinformation to hacker probes of the US power grid. “The lack of a proper response has been almost an invitation to escalate more,” says Thomas Rid, a political science professor at Johns Hopkins’ School of Advanced International Studies.
But the most enduring object lesson of NotPetya may simply be the strange, extradimensional landscape of cyberwar’s battlefield. This is the confounding geography of cyberwarfare. In ways that still defy human intuition, phantoms inside M.E.Doc’s server room in a gritty corner of Kiev spread chaos into the gilded conference rooms of the capital’s federal agencies, into ports dotting the globe, into the stately headquarters of Maersk on the Copenhagen harbor, and across the global economy. “Somehow the vulnerability of this Ukrainian accounting software affects the US national security supply of vaccines and global shipping?” asks Joshua Corman, a cybersecurity fellow at the Atlantic Council, as if still puzzling out the shape of the wormhole that made that cause-and-effect possible. “The physics of cyberspace are wholly different from every other war domain.”
In those physics, NotPetya reminds us, distance is no defense. Every barbarian is already at every gate. And the network of entanglements in that ether, which have unified and elevated the world for the past 25 years, can, over a few hours on a summer day, bring it to a crashing halt. The malware clearly demonstrated the importance of restricting admin privileges rather than handing them out to users who do not need them. The malware searched infected systems for common admin tools which it could then take over. The attack also highlighted the need for firms to look at other forms of security like endpoint monitoring, network zoning and security intelligence platforms. But the lesson for any organization is that the threat from ransomware is real and is getting ever more sophisticated. Attacks no longer rely on users clicking on email attachments or downloading dodgy software from the internet. We also know that the bad guys now have a stockpile of vulnerabilities which they will likely use to power new attacks.
Security experts say that organizations with well-drilled response plans can hugely reduce the damage and downtime caused by successful attacks. Make sure your systems are responsive enough to effectively run what will be a very fast-moving situation. But your systems should also provide a record of exactly how the incident unfolds. This will allow you to further improve your defenses and your response to the next incident. Making sure you have the systems, processes and people in place to deal with the inevitable attack will make a big difference to the damage the hackers can do. Think Security. Think Ahead.