
The Day Computer Screens Went Blank in Copenhagen
It was a normal working day in the headquarters of the famous shipping company A. P. Moller-Maersk in Copenhagen, Denmark. They are the world’s largest shipping conglomerate with 574 offices across 130 countries. Who could imagine that June 27, 2017 would turn out to be the most fateful day in history ever since computers, networks and Internet became the way of life for companies and industries across the Western world?
Disaster struck suddenly in the afternoon and then it was chaos all over the huge office. Bewildered Maersk employees began to gather at the help desk, most of them with their laptops in hand. The screens of all the laptops displayed alarming messages in ominous red and black, some stating “Repairing file system on C:” with a warning against shutting down the computer. Others threateningly stated, “Oops, your important files are encrypted”, demanding a ransom of $300 in bitcoin for decryption.
Most people thought that they could get around the unexpected problem by restarting the computers. However, to their utter frustration, the computers were either irretrievably locked, or if they restarted at all, the screen came back with the same messages. Following standard protocol, the IT personnel powered down the machines and disconnected them from the network. But they could do nothing more. Maersk, the maritime behemoth, boasting a fleet of some 800 massive cargo ships and operating in 374 ports around the world, accounting for one-fifth of the world’s shipping capacity, found itself suddenly immobilized and helpless.
Chaos in Maersk’s Port Facilities across the World

The shipping terminal located in Elizabeth, New Jersey, USA is one of the 76 facilities that comprised Maersk’s port-operations division, known as APM Terminals. The terminal’s square-mile expanse was covered with tens of thousands of neatly stacked shipping containers, with towering cranes loading or unloading them. On a typical day, some 3,000 trucks visited the terminal to pick up or deliver loads.
At approximately 9 a.m. New Jersey time on June 27, the phone of the freight forwarder at the terminal began to ring incessantly with calls from agitated cargo owners. They had just received complaints from truck drivers that their vehicles were not able to gain entry into the terminal. The gate had become completely dysfunctional, as the barcode scanners could no longer admit the trucks. Long lines of loaded trucks started forming. Before long, hundreds of 18-wheeler trucks were lined up in a queue that extended for miles outside the terminal.
With most of the cargo delivery being time-bound, Maersk’s clients grew anxious. They were left with limited and unsavoury choices. They could try to transfer their valuable cargo to other vessels at steep, last-minute rates. Or, if their cargo was essential to a tight supply chain, such as factory components, they could send them by costly air freight delivery. In manufacturing operations, even a single day of inactivity could result in losses amounting to millions of dollars.

The same scenario unfolded at 17 of Maersk’s 76 terminals, from Los Angeles to Algeciras, Spain, to Rotterdam in the Netherlands, and Mumbai. Gates were dysfunctional; cranes were immobilized; and tens of thousands of trucks were turned away from dysfunctional terminals globally. To the utter horror of the terminal employees, there was no update, no communication from the company. No one at the company HQ was even answering calls. The main booking platform, Maerskline.com, was also not functioning and no new bookings could be processed.
Interestingly, while the computers on Maersk’s ships remained unaffected, the terminals’ computers, which received Electronic Data Interchange files from those ships detailing the exact contents of their extensive cargo-holds, were found to have been completely erased. That left Maersk’s ports without a framework to manage the intricate task of loading and unloading their towering stacks of containers. In the days that followed, one of the most intricate and interconnected systems of Maersk remained paralyzed. The writing on the wall was clear: they were victims of a very sophisticated cyber attack.
The Desperate Salvage Operation by Maersk

The company’s IT hub, Maersk Group Infrastructure Services, was located at Maidenhead, England, a town west of London. Maersk’s IT experts from their offices all over the world were asked to converge there immediately, and it was turned into a 24/7 emergency operations centre under the management of the consultancy firm Deloitte. Some 400 Maersk IT experts and 200 from Deloitte started racking their brains to restore Maersk’s network. All computer equipment used by Maersk prior to the attack was seized to prevent potential contamination of the new laptops that they bought in Maidenhead.
Then they made a disturbing discovery. They had successfully located backups for nearly all of Maersk’s individual servers. However, they were unable to find a backup for a critical component of the company’s network: the domain controllers, which served as a comprehensive map of Maersk’s network and established the fundamental rules governing user access to various systems.
Maersk had approximately 150 domain controllers designed to synchronize their data with each other, allowing any one of them to serve as a backup for the others. However, this decentralized backup approach had failed to anticipate a critical scenario: the simultaneous failure of all domain controllers. They frantically contacted hundreds of their IT administrators across the world, but the domain controllers had failed everywhere. At last, they found a single ‘unaffected’ domain controller in a remote office in Ghana. That discovery was absolutely providential. As their luck would have it, the sheer backwardness of the location had come to their rescue. Before the attack, a power outage, a common occurrence in that part of the world, had caused the machine to go offline, leaving it disconnected from the network. Apparently, the outage lasted far longer than the UPS systems could bridge. As a result, it held the only remaining copy of the company’s domain controller data that had not been compromised by the cyber attack. Someone was hurriedly sent by plane to Ghana to fetch the data on a hard drive.

Restoration operations could start only after that. Within the next few days, port operations regained the capability to access the inventory files of incoming ships. However, it took several more days before Maersk could start processing new shipment orders through Maerskline.com, and then about a week more before terminals globally began to operate with any semblance of normalcy. The complete recovery of the company’s entire network of 4,000 servers and 45,000 PCs took much longer, even as employees at the Maidenhead facility worked tirelessly for nearly two months. The company’s chairman, Jim Hagemann Snabe, admitted that it was quite an expensive wake-up call.
The Storm Had Actually Started With a Cyber Invasion of Ukraine

Since 2015-16, a Russian hacker group known as Sandworm had infiltrated numerous Ukrainian government entities and businesses. Their attacks had targeted a wide range of organizations, from media companies to railway operators. Amongst other things, they deployed logic bombs that obliterated vast amounts of data. During the winters of those years, they had culminated their campaigns by triggering extensive power outages—in fact, those were the first documented instances of blackouts caused by hackers. We will read about these attacks later in the book.
In Ukraine, an accounting software M.E.Doc (or MeDoc) made by a small software company called Linkos Group was widely used by individuals and businesses for filing their tax returns. Sandworm by itself or with help from Russian military hackers succeeded in compromising the company’s update servers. This effectively created a ‘covert backdoor’ into the thousands of computers that utilized M.E.Doc, enabling the hackers to secretly access and control the compromised computers.
Enter NotPetya and the World Changed Forever

In June 2017, Russian hackers exploited that particular ‘covert backdoor’ to implant a malicious software that came to be known as NotPetya, their most destructive cyber weapon to date. The rest, as they say, is history.
There is a cybersecurity firm called ISSP (Information Systems Security Partners) in Ukraine. The firm was much in demand in the wake of the ongoing cyber conflict with Russia. When they were told that Oschadbank, Ukraine’s second-largest bank, was ‘under siege’, they thought some cybercriminals had mounted a ransomware attack. Upon reaching the bank’s HQ, they found that about 90% of the bank’s thousands of computers were locked, displaying NotPetya’s “repairing disk” messages and ransom demands.
Even as they were investigating the breach, they began receiving calls and messages from other people across Ukraine, reporting similar incidents in other organizations and government bodies. One caller said that another victim had actually tried to pay the ransom. However, the payment made no difference, confirming that this was not a typical cybercrime or ransomware attack. The attackers were not ordinary cyber criminals and they were not interested in money. It was obviously something much bigger.
NotPetya was rapidly overwhelming system after system. It took just 45 seconds to incapacitate a large Ukrainian bank’s network. A segment of a significant Ukrainian transit hub went down in merely 16 seconds. Ukrenergo, the energy firm that ISSP had been assisting in rebuilding after the 2016 blackout cyber attack, was hit again. NotPetya impacted at least 300 companies, four hospitals in Kiev, six power companies, two airports, over 22 banks, ATMs, and card payment systems in retail and transportation, as well as nearly every federal agency. Thousands of motorists across the country found that they could not pay for petrol, as the petrol pumps’ credit card processing system had also fallen victim to NotPetya. “The government was incapacitated”, admitted Volodymyr Omelyan, Ukraine’s minister of infrastructure.
In the midst of this crisis in Ukraine, there took place one particular infection that would, fortuitously for the attackers, go on to unleash the real destructive potential of NotPetya and show the world what cyber warfare could really do. In an office in Odessa, a port city along Ukraine’s Black Sea coast, a finance executive for Maersk’s operations in Ukraine requested that IT administrators install the accounting software M.E.Doc on a computer. This action provided NotPetya with the critical entry point it needed to strike the really Big Boys of the Western industrial world, first Maersk and then others.
The Terrible Losses and Damage NotPetya Inflicted

Officially, chairman Snabe estimated that the NotPetya incident had cost Maersk between $250 million and $300 million. However, many employees interviewed by magazines like WIRED privately admitted that the company’s accountants had deliberately underestimated the actual costs so as to downplay the enormity of the attack and the helplessness of the company before it. Obviously, a $26.34 billion company would not have liked to become the laughing stock of the world that some nerds sitting in some freezing corner of Russia could hammer them so brutally with nothing but a laptop!
Maersk was not the only company hit by NotPetya. Merck, the pharmaceutical giant, suffered a staggering loss of $870 million due to the temporary shutdown of some drug manufacturing units. FedEx, the American multinational specializing in transportation, e-commerce, and business services, suffered a loss of $400 million as its European subsidiary, TNT Express, was severely impacted by the attack, requiring months to recover data. The French construction giant, Saint-Gobain, incurred losses to the tune of $384 million. Reckitt Benckiser, a producer of health, hygiene and nutrition products, reported a loss of $129 million, while Mondelez, the parent company of Cadbury, suffered a loss of $188 million. Numerous other victims kept their losses confidential. As summed up by former Homeland Security adviser Tom Bossert, who was the top cybersecurity official under President Trump during the incident, the total loss worldwide was about $10 billion.
World’s First Brush with the Real Power of Cyber Warfare

NotPetya was a thundering demonstration of what cyber warfare could do. It showed the frightening reality of a nation-state deploying a cyber weapon in a realm where borders have no meaning, resulting in collateral damage that followed an unpredictable path. In the end, an assault intended for Ukraine impacted the shipping giant Maersk and other great MNCs, and the attack on them, in turn, reverberated globally.
Just marvel at the sheer beauty of the whole operation. Not a single shot was fired; all it involved was the mere pressing of a key, and so much disruption around the world followed. A covert backdoor created in a simple accounting software, a worm inserted remotely and the disruptions originating from a server in a rundown area of Kiev brought giant companies of the world to their knees, left some of the finest cybersecurity experts of the world running helter-skelter, and sent ripples through the global economy.
And who did it? Just some young nerds with a laptop—exactly as ‘Q’ had predicted in the Bond film ‘Skyfall’!
Was It a Test Run?

Bossert, along with US intelligence agencies, squarely blamed the Russian military for it. The Russians understandably refused to respond to the allegations. Cyber experts from Cisco Systems, Inc., an American multinational digital communications technology conglomerate, maintain that the Russian military or other state actors (probably working alongside private hackers) were fully (or at least significantly) aware of the extensive harm the worm would cause worldwide. I am inclined to agree with this. Those who developed it, by their sheer professional brilliance, must have had a reasonable idea of what it could do. However, there is no way of learning the real and overall disruptive potential of a cyber warfare agent other than actually releasing it on real targets. Hence, this must indeed have been a test run of one of their most potent cyber weapons. No simulation can give you an accurate idea of what it could actually do under real-life conditions. After all, which designer of the malware could have foreseen that the domain controller data of Maersk would survive on a single computer in the backwaters of Ghana because it happened to be offline at that moment due to a power outage, and that this would eventually help Maersk to recover? Having learnt that, maybe next time they would seek to remedy such shortcomings.
The Ukrainian cybersecurity firm ISSP maintains that the attack, besides disruption, also served as a means of clean-up. The hackers had previously enjoyed months of unrestricted access to the networks of their victims and had been snooping on them, stealing sensitive data. They had to ensure that, even later, the victims could never know what they had lost and how they had lost it, so as to preclude them from preparing to defend against potential future attacks. NotPetya therefore also eradicated traces of espionage or reconnaissance. This is quite plausible.