A.P. Moller-Maersk — NotPetya collateral damage

What happened

On 27 June 2017, at approximately 10:30 in the morning Kyiv time, a software update pushed through M.E.Doc — the accounting and tax-filing application used by nearly every business operating in Ukraine — delivered NotPetya to machines that ran the update. Within minutes the malware was propagating across corporate networks using two techniques: the NSA-developed EternalBlue SMB exploit, leaked by Shadow Brokers six weeks earlier, and Mimikatz-derived credential extraction that allowed it to authenticate across networks using harvested Windows credentials. The combination gave it near-universal spread across any domain-connected Windows environment it reached.

A.P. Moller-Maersk’s Ukrainian subsidiary had M.E.Doc installed. From that single office, NotPetya crossed Maersk’s global corporate network. Within approximately one hour, the malware had destroyed or encrypted systems across every region where Maersk operated. When the damage inventory was completed, the count stood at roughly 4,000 servers and 45,000 personal computers destroyed — the equivalent of wiping a medium-sized country’s entire corporate IT estate.

The operational impact was immediate and global. Maersk’s port terminal management system, APM Terminals, went dark at 76 terminals in 59 countries. Ship scheduling systems, berth allocation, container tracking, and customs documentation — all the software that keeps container shipping flowing — were unavailable. Ships already at sea could not be cleared for berth. Containers queued at ports with no record of what was inside or where it was supposed to go. Maersk’s own estimate of the financial cost was $200-300 million. Some analysts estimated the broader supply-chain disruption across global trade at over $10 billion.

NotPetya also struck pharmaceutical manufacturer Merck ($870 million in losses), logistics firm FedEx/TNT ($400 million), construction company Saint-Gobain ($384 million), and many others. The UK government formally attributed the attack to Russian military intelligence — GRU Unit 74455, also known as Sandworm — in February 2018. A US DOJ indictment in 2020 named six GRU officers in connection with NotPetya and related attacks.

How it worked

NotPetya was delivered through a trojanised software update to M.E.Doc, the tax-filing application mandated by the Ukrainian government for business tax compliance. M.E.Doc had an auto-update mechanism, and the attackers — assessed to be Sandworm — had compromised the M.E.Doc vendor’s update infrastructure in advance and inserted the malware payload into a legitimate-looking update package. When businesses across Ukraine applied the routine update on the morning of 27 June, they ran the malware themselves.

The malware combined a fake ransomware wrapper — displaying a payment demand screen designed to mimic the WannaCry ransomware from weeks earlier — with a destructive payload that overwrote the master boot record of infected machines, rendering them unbootable regardless of any payment. Importantly, the decryption key mechanism was non-functional by design. This was not ransomware with a recoverable outcome; it was a wiper built to look like ransomware to slow the initial response.

Propagation inside corporate networks used two mechanisms in combination. EternalBlue, the SMB vulnerability patched by Microsoft in MS17-010 two months earlier, allowed the malware to spread to any unpatched machine reachable on the network without requiring credentials. Mimikatz-derived credential harvesting extracted Windows account credentials stored in memory on already-infected machines and used them to authenticate to reachable machines via Windows Management Instrumentation and PSEXEC. The combination meant that even patched machines could be compromised if they shared a network with an infected host holding valid credentials.

Maersk’s recovery was made possible by a single accident of timing. NotPetya required a live connection to the domain to harvest credentials and propagate. A power outage at Maersk’s office in Tema, Ghana, had left a single domain controller offline at the moment of global infection — it was physically powered down and therefore never received the malware. That machine contained a full replica of Maersk’s Active Directory, which is the identity backbone of any Windows enterprise. Engineers flew to Ghana, physically couriered the domain controller to the UK, and used it as the foundation to rebuild Maersk’s entire global directory infrastructure over ten days.

Timeline

• Months before June 2017 — Sandworm operators compromise the update infrastructure of M.E.Doc, the Ukrainian tax-filing software.
• 27 June 2017, ~10:30 Kyiv time — Trojanised M.E.Doc update delivers NotPetya to machines across Ukraine. Malware begins propagating via EternalBlue and credential harvesting.
• Within ~1 hour — NotPetya reaches Maersk’s global IT estate through Ukrainian subsidiary. 4,000 servers and 45,000 PCs destroyed.
• 27 June, afternoon — All 76 APM Terminals ports go dark. Ships cannot be cleared; container tracking lost globally.
• Late June – early July 2017 — Hundreds of Maersk IT engineers assembled globally for emergency recovery operation; domain controller flown from Ghana to UK.
• 10 days later — Maersk’s core IT infrastructure rebuilt. Full operational recovery across the terminal network follows over weeks.
• February 2018 — UK, US, Australian and Canadian governments formally attribute NotPetya to Russian GRU.
• October 2020 — US DOJ indicts six GRU Unit 74455 officers in connection with NotPetya and related destructive campaigns.

What defenders should learn

The most immediate lesson from NotPetya is about patch velocity. EternalBlue was patched by Microsoft in March 2017 — three months before NotPetya. The vulnerability was publicly known; the patch was available. Maersk, like thousands of other organisations, had not applied it universally. In the context of a worm-propagating malware, a single unpatched machine on a connected network is effectively a gap in the entire estate’s defences. Organisations should treat critical-severity SMB and RPC patches as emergency deployments rather than fitting them into normal patch cycles.

The software supply chain vector — malware delivered through a trusted vendor’s update mechanism — remains one of the hardest problems in enterprise security. Businesses operating in Ukraine had a regulatory requirement to use M.E.Doc and a legitimate business reason to apply its updates promptly. There was no obviously suspicious act involved in the initial infection. Supply-chain compromise of update mechanisms is a category of attack that has appeared repeatedly since NotPetya (SolarWinds, 3CX, and others), and the defensive response requires treating third-party software update processes as an attack surface that warrants monitoring and, where possible, staging and testing before enterprise-wide deployment.

The Ghana domain controller story is a lesson about the value of offline backups and recovery dependencies that most organisations still have not absorbed. Maersk’s entire global enterprise could be rebuilt because one machine survived in an offline state. If that machine had been powered on, the company might have faced months of reconstruction rather than ten days. Organisations should explicitly design their backup and recovery architecture with the assumption that the production network is entirely compromised: backups must be offline or otherwise air-gapped, and recovery procedures must be tested against the scenario in which the domain itself needs to be rebuilt from scratch.

Finally, NotPetya is the definitive case for why “we’re not the target” is not a safe position. Maersk had no involvement in Russian-Ukrainian geopolitics. Its only connection to the attack vector was one subsidiary’s use of tax software required by Ukrainian law. Collateral damage from nation-state operations does not require the victim to be the intended target. Any organisation with any footprint in a country that is a geopolitical flashpoint — through subsidiaries, suppliers, tax obligations, or shared infrastructure — should model the scenario in which they become collateral damage in a state-sponsored destructive campaign.