NotPetya attack cost up to $300m, says Maersk

Danish shipping line Maersk estimates that the NotPetya cyber attack in June cost the company up to $300m

Transport and shipping giant A.P. Moller–Maersk is one of many companies counting the cost of a destructive cyber attack in the second quarter of 2017.

The NotPetya attack appears to have targeted mainly organisations in Ukraine, including the central bank, the Ukrenergo electricity supplier, the Chernobyl nuclear power plant, and airport and metro services throughout Ukraine.

The malware was distributed through MeDoc, a Ukrainian accounting software package used for filing tax returns in Ukraine. The MeDoc software contained backdoors into its users' networks, which the malware used to enter via the software’s automatic update system.

However, companies outside the Ukraine were also impacted, including UK advertising firm WPP, US-based pharmaceutical company Merck, multinational law firm DLA Piper, Russian oil company Rosneft, Netherlands-based shipping company TNT and French construction materials company Saint-Gobain.

Of these companies, Maersk is believed to be one of the hardest hit, with a number of IT systems forced to shut down across multiple sites and selected business units, and email systems also impacted.

The attack also caused congestion at some of the 76 ports run by Maersk’s port operator arm, APM Terminals, including ports in Denmark, India, Spain, the US and the Netherlands.

The financial impact of the attack is estimated at $200m to $300m, according to the company’s interim financial report for the second quarter of 2017.

The biggest impact, however, is expected to be felt in the third quarter, the company said, because of the resulting lost revenue in July. The vast majority of the impact of the cyber-attack was in the container shipment arm Maersk Line, the company said.

Despite the cyber attack and the fact that second quarter results were below analysts’ expectations, the company said it still expects its full year profits to be above those in 2016 due to favourable conditions in the container shipping industry, mainly due to a rise in freight rates.

Detailing the cyber attack and its response, the company said that as soon as it became aware that systems had been affected, response action was initiated, including closing down infected networks.

The malware was contained to impact only the container-related businesses of A.P. Moller–Maersk, and therefore six out of nine businesses, including all energy businesses, could continue normal operations.

The company also said it remained in full control of all vessels throughout the situation, and all employees were safe.

Significant business interruption

For Maersk Line, however, APM Terminals and Damco freight forwarding and supply chain management systems had to be shut down for a period as a precautionary measure, which resulted in significant business interruption, the company said.

While the businesses were significantly affected by this cyber attack, the company said no data breach or data loss to third parties had occurred.

According to the financial report, the attack was contained quickly, enabling the technical recovery plan to begin within a day and resulting in the restoration of booking services within two days for existing customers.

A.P. Moller–Maersk gradually progressed to more normalised operations for Maersk Line, Damco and APM Terminals during the week of 3 July to 9 July, the company said.

To reinstate services safely and without further disruption, the company began to systematically bring back users and applications in 500 locations.

“Information security has a high business priority at A.P. Moller–Maersk. This cyber attack was a previously unseen type of malware, and updates and patches applied to both the Windows systems and antivirus were not an effective protection in this case,” the financial report said.

NotPetya was characterised by its use of two NSA-developed exploits – EternalBlue and EternalRomance – that were leaked by the Shadow Brokers hacking group. According to security researchers, these and other exploits leaked by the hacking group are a real game changer in malware creation, particularly exploits of Microsoft’s server message block (SMB) protocol.

Further protective measures

In response to this new type of malware, A.P. Moller–Maersk has put in place different and further protective measures, and is continuing to review its systems to defend against attacks.

“We have done a lot to harden our defences and we will do more. We will increase our ability to isolate hacker incidents and rebuild [systems] faster,” Soren Skou, Maersk’s chief executive, told the Financial Times.

“One of the key learnings was how much customers – and authorities and suppliers – helped us,” he said. “Many customers took the view: ‘this could have been us’. This is a global problem. We businesses need to help each other here.”

Skou said the company is not complacent and is well aware there might be a recurrence of the attacks, according to the Copenhagen Post.

“We will definitely be targeted again and we will probably also be successfully hacked again, with all the vulnerabilities inherent in systems that can be found in the darker recesses of the internet,” he said.
