The Maersk cyber attack – How malware can hit companies of all sizes


Introduction

The Maersk cyberattack of June 2017 was caused by NotPetya, malware that presented itself as ransomware and was originally aimed at Ukraine through a poisoned update to the M.E.Doc accounting software. A Maersk office in Odessa had M.E.Doc installed, received the malicious update, and was infected. From there the malware spread across Maersk’s global network within hours, knocking out computers, phones, and building entry systems. The world’s largest container shipping company, whose terminals business operates 76 ports and whose fleet of nearly 800 vessels represents close to a fifth of the world’s shipping capacity, was forced to halt operations.

Although Maersk was not the intended target, it became one of the biggest victims of NotPetya, suffering massive financial and operational losses.

A Quiet Afternoon Turns Chaotic

On the afternoon of June 27, 2017, screens across Maersk’s Copenhagen headquarters began going dark one after another, and panic set in; the building’s entry systems and phone network had been rendered useless by malware that was spreading rapidly through the company’s network and beyond. By the end of the day the network was so deeply corrupted that the company simply shut itself down. That was no small matter: Maersk is a global shipping titan, operating 76 port terminals around the globe and more than 800 vessels that together carry about a fifth of the world’s shipping capacity. The entire enterprise was brought to its knees by malware that had reached every Maersk location worldwide, and Maersk wasn’t even the target.

The NotPetya Attack and Ukraine

Since 2014, Ukraine and Russia have been fighting an undeclared war that has served as a proving ground for Russia’s cyberwarfare tactics. A Russian military intelligence hacking group known as Sandworm had thoroughly compromised the Ukrainian government and dozens of Ukrainian companies, entrenching itself in the networks of the country’s most critical infrastructure. Among the operations carried out at the behest of the Russian state, Sandworm planted malware in the Ukrainian power grid and twice triggered blackouts in the middle of winter, in December 2015 and December 2016, to do the most damage and demoralize the population. Massive amounts of data were destroyed outright in a series of attacks on Ukrainian businesses, particularly banks.

Sandworm and Russia’s Cyberwarfare

In June 2017, Sandworm released a particularly vicious cyberweapon called NotPetya, which spread rapidly and automatically. The code was indiscriminate: it was built to do the largest amount of damage as quickly and as widely as possible. It propagated by exploiting the EternalBlue and EternalRomance flaws in Windows SMB (fixed by Microsoft as MS17-010 three months earlier) and, where that failed, by harvesting credentials from the memory of each infected machine and using them to run itself on neighbouring hosts through PsExec and WMI, so a fully patched machine could still be infected from a neighbour that held an administrator’s credentials. Although it displayed a ransom note, the “installation key” shown to victims was random and no decryption was ever possible; NotPetya was a wiper dressed as ransomware, and by the time the note appeared on a screen the damage was already extensive and complete.

The back door Sandworm used had been present in M.E.Doc updates, served from the vendor’s own update servers, for several weeks before the attack was triggered. Linkos denied being the perpetrator, saying it was a victim too. In July 2017, Ukraine’s cyber police seized servers from Intellect Service, the company that produces the M.E.Doc software.
Analysis of the servers showed that they had not been updated in roughly four years and that security patches were absent. There was evidence of the attackers’ presence on the servers, and several employees’ accounts had been compromised. Intellect Service subsequently closed the back doors in the software, and state prosecutors said the company would be held to account for the vast damage caused by its lax security practices.

Maersk Shutdown

One single infection was responsible for the Maersk compromise. M.E.Doc had been installed on a company computer in Odessa, a Ukrainian port city on the Black Sea, and that one machine was all NotPetya needed to reach the entire network. Around the globe, port facilities shut down and tens of thousands of truckloads of goods were turned away. Maersk’s booking system went down, along with the stowage-planning systems that work out how containers are stacked and distributed so that a ship stays stable.

Maersk was dead in the water. An incident response team was assembled, and an emergency recovery center was set up in Maidenhead, England, to contain and recover from the NotPetya attack. It was a global effort that required hundreds of staff working around the clock to rebuild the network. Existing computer equipment was confiscated, new machines were obtained and handed to recovery personnel, and staff began rebuilding servers from the ground up. The effort came to a grinding halt when it was discovered that there was no clean backup of the company’s domain controllers.

A domain controller is a server that answers authentication requests: it checks usernames and passwords, or other credentials, and decides whether a user or machine may reach a network resource. Without a working domain controller, the network degrades into a collection of isolated servers whose data can only be reached locally. Maersk ran about 150 domain controllers worldwide, configured to replicate with one another, so the loss of any single controller could be absorbed by the others. That is a sound design for availability against a localized failure, but replication is not a backup: whatever is written to one controller, including the damage done by a wiper or by an attacker holding domain-admin credentials, propagates to all of them, and NotPetya reached every one. Nobody had planned for a scenario in which all of the company’s domain controllers were wiped at once. Maersk’s recovery ultimately hinged on a single controller in a remote office in Ghana that had been offline during the attack because of a power outage; had it too been online, it is unlikely anything could have been rebuilt.
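The check that would have surfaced Maersk’s gap before the attack is a simple one: does every domain controller have a recent backup, and does at least one copy live somewhere a wiper on the network cannot reach? The script below is an added example written for this article; it is not Maersk’s tooling or code from the original page. It assumes the ActiveDirectory and WindowsServerBackup PowerShell modules are installed, that WinRM is reachable on the domain controllers, and that the caller holds the rights to query them. The seven-day threshold is a choice made here, not a standard.

```powershell
# Added example, not Maersk's tooling: enumerate every domain controller in the forest,
# report whether each has a recent successful Windows Server Backup, and fail loudly if
# none does. Assumes the ActiveDirectory and WindowsServerBackup modules, WinRM access
# to the DCs, and sufficient rights. The 7-day threshold is a choice made here.
param([int]$MaxAgeDays = 7)

Import-Module ActiveDirectory

$dcs = (Get-ADForest).Domains |
    ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
    Select-Object -ExpandProperty HostName

$cutoff = (Get-Date).AddDays(-$MaxAgeDays)

# Runs on each DC. Get-WBSummary reports what Windows Server Backup knows about the
# last backup of this machine; it says nothing about copies held anywhere else.
$probe = {
    try {
        Import-Module WindowsServerBackup -ErrorAction Stop
        $s = Get-WBSummary
        [pscustomobject]@{ LastSuccess = $s.LastSuccessfulBackupTime; Target = "$($s.LastBackupTarget)"; Error = $null }
    }
    catch {
        [pscustomobject]@{ LastSuccess = $null; Target = $null; Error = $_.Exception.Message }
    }
}

$report = foreach ($dc in $dcs) {
    $r = Invoke-Command -ComputerName $dc -ScriptBlock $probe -ErrorAction SilentlyContinue
    if (-not $r) {
        $r = [pscustomobject]@{ LastSuccess = $null; Target = $null; Error = 'unreachable' }
    }

    # Get-WBSummary reports DateTime.MinValue when no backup has ever succeeded.
    $never = (-not $r.LastSuccess) -or ($r.LastSuccess -eq [datetime]::MinValue)
    if ($r.Error)                       { $status = "NO DATA ($($r.Error))" }
    elseif ($never)                     { $status = 'NEVER BACKED UP' }
    elseif ($r.LastSuccess -lt $cutoff) { $status = "STALE (last success $($r.LastSuccess))" }
    else                                { $status = 'OK' }

    # A target that is a local volume or a share the DC can write to would have been
    # wiped alongside the DC. It is not proof of an offline copy; flag it for a human.
    $onlineTarget = [bool]$r.Target -and ($r.Target -match '^(\\\\|[A-Za-z]:)')

    [pscustomobject]@{
        DomainController = $dc
        Status           = $status
        LastSuccess      = $r.LastSuccess
        Target           = $r.Target
        OnlineTargetOnly = $onlineTarget
    }
}

$report | Format-Table -AutoSize

$ok = @($report | Where-Object { $_.Status -eq 'OK' })
if ($ok.Count -eq 0) {
    Write-Warning "None of $($dcs.Count) domain controllers has a successful backup newer than $MaxAgeDays days."
    Write-Warning 'Replication between DCs is not a backup: a wiper that reaches every DC leaves nothing to restore from.'
    exit 2
}
```

A row marked OK with OnlineTargetOnly set to True is the Maersk condition in miniature: a backup exists, but it sits where the same malware, or the same attacker with domain-admin rights, could destroy it. The script cannot see an offline or immutable copy, so an OK for every controller is necessary but not sufficient; the real test is a periodic forest recovery drill that restores one controller from that offline copy into an isolated network.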

A Billion-Dollar Disruption to Global Trade

When it was all over, Maersk estimated that NotPetya had cost the company between $250 million and $300 million, a figure many consider conservative. Costs elsewhere were also significant: trucking companies lost tens of millions of dollars, FedEx’s TNT Express unit lost about $400 million, and Merck lost a staggering $870 million. The disruption to the global supply chain, of which Maersk is a major component, was extensive, and total losses ran into the billions.
The Maersk incident was an expensive and significant wake-up call. It pointed to the need for education and diligence in promoting and practicing cyber hygiene and instituting robust cyber defenses. NotPetya was a glimpse into what cyberwarfare could be. Without preparedness on every level, no one is safe from the sort of damage this malware caused.

Maersk’s Painful Data Recovery

The recovery team began bringing Maersk’s core services back up, concentrating on port operations. Key to this was the ability to read a ship’s manifest, since a large container ship can carry around 18,000 containers, and determine what was on board, where it was, and where it was bound. The booking system came back online some time later, but it was at least two weeks before port facilities operated normally again. After that, the recovery team began issuing clean laptops and desktops to staff. Everything employees had stored on their old machines was gone; the drives were wiped and fresh copies of Windows installed.

What can we learn from this attack?

1. Always Be Ready
In cybersecurity, everything comes down to risk mitigation. Having processes and technologies in place doesn’t guarantee full protection from every threat. Attacks can still happen — and often do. What matters most is preparation: being ready to respond quickly and recover effectively. The faster your recovery, the less damage your business will suffer.

2. Don’t Overlook the Basics
At one of the world’s largest cybersecurity conferences, a keynote on “emerging threats” surprised many by focusing not on AI or quantum computing but on something far simpler: software patches. Years after Microsoft fixed the SMB vulnerabilities that WannaCry and NotPetya exploited, many organizations still have not applied the update or switched off SMBv1. Neglecting such fundamentals leaves companies of all sizes dangerously exposed.

3. Cyberattacks Can Hit Anyone
Maersk wasn’t targeted because it was a global giant. It was hit because one machine on its network ran software that received a poisoned update, and from there NotPetya spread through an unpatched SMB vulnerability and stolen administrative credentials. Attackers, and self-propagating code even more so, don’t discriminate: large corporations and small businesses alike are vulnerable if their defenses aren’t solid.
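Lessons 2 and 3 come down to a question any administrator can answer for a single Windows host: is SMBv1 still on, and is the SMB server driver the version Microsoft shipped with MS17-010? The script below is an added example written for this article, not code from the original page or from Maersk. It assumes Windows 8 or Server 2012 or later (for the Smb* and Net* cmdlets) and an elevated shell. It prints the srv.sys file version for comparison with Microsoft’s published MS17-010 verification table rather than hard-coding that table, and only changes anything when run with -Fix.

```powershell
# Added example, not from the original article: audit one Windows host for the
# conditions NotPetya's SMB propagation relied on (SMBv1 enabled, unpatched srv.sys,
# TCP 445 open) and optionally disable SMBv1. Assumes Windows 8 / Server 2012 or later
# and an elevated shell. Run with -Fix to apply the SMBv1 changes.
[CmdletBinding()]
param([switch]$Fix)

$findings = New-Object System.Collections.Generic.List[string]

# 1. SMB1 server protocol state as the SMB stack itself reports it.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings.Add('SMB1 server protocol enabled (Get-SmbServerConfiguration)')
    if ($Fix) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
}

# 2. The registry switch the server service reads at start-up. An absent value means
#    "enabled" on versions that ship SMB1, so anything other than 0 is a finding.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$reg = Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue
if (-not $reg -or $reg.SMB1 -ne 0) {
    $current = if ($reg) { $reg.SMB1 } else { 'not set' }
    $findings.Add("LanmanServer\Parameters\SMB1 is $current")
    if ($Fix) { Set-ItemProperty -Path $params -Name SMB1 -Value 0 -Type DWord }
}

# 3. Is the SMB1 component itself still installed? Disabling the protocol leaves the
#    driver on disk; removing the feature takes it away. (Server SKUs that expose it
#    only as the FS-SMB1 role feature return nothing here, hence SilentlyContinue.)
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feat -and $feat.State -eq 'Enabled') {
    $findings.Add('SMB1Protocol Windows feature installed')
    if ($Fix) { Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null }
}

# 4. Version of the SMB1 server driver. MS17-010 replaced srv.sys, so compare this value
#    with the minimum version Microsoft lists for this OS build in its verification
#    guidance. A missing srv.sys means the SMB1 server is not present at all.
$srvPath = Join-Path $env:SystemRoot 'System32\drivers\srv.sys'
$srvVer  = if (Test-Path $srvPath) { (Get-Item $srvPath).VersionInfo.FileVersion } else { 'srv.sys not present' }
$osVer   = (Get-CimInstance Win32_OperatingSystem).Version

# 5. NotPetya moved between peers over TCP 445. A workstation that is not a file server
#    has no reason to accept inbound 445 from other workstations.
$listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
if ($listening) {
    $findings.Add('TCP 445 is listening; confirm an inbound firewall rule restricts who may reach it')
}

[pscustomobject]@{
    Computer  = $env:COMPUTERNAME
    OSVersion = $osVer
    SrvSysVer = $srvVer
    Findings  = $findings
    Exposed   = ($findings.Count -gt 0)
}
```

The srv.sys check is deliberately a report rather than a verdict: cumulative updates supersede the original March 2017 packages, so looking for a specific KB with Get-HotFix produces false alarms on patched machines, while the driver version does not lie. Note also what this script cannot tell you: NotPetya’s credential-theft path ran over PsExec and WMI using legitimate administrator accounts, so a host that passes every check here can still be infected by a peer if the same local administrator password is shared across the fleet.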

Cybersecurity and the protection of sensitive data aren’t just IT concerns — they’re business-wide responsibilities.

The most effective way to prepare for the reality of cyberattacks is by fostering a culture of resilience across the entire organization.

