Tales from the Dark Side (SOC side) vol.4

That was NotPetya


The NotPetya Story Concludes.


Our "NotPetya" story begins


Our "NotPetya" story continues


As our SOC dwellers slowly rise from the crypt for the last time in 2018...

We thought it would be a great time to conclude the NotPetya story.

Unfortunately, the story didn't end on a high note for most of the main actors, as our fellow crypt dweller and WIRED senior writer Andy Greenberg writes in his book "Sandworm".

If you are only joining the story now, go back and read "Our "NotPetya" story begins" and "Our "NotPetya" story continues" in the links above.

Several days after his screen had gone dark...

Henrik Jensen (whom we met in the first installment) was at his home in Copenhagen, enjoying a brunch of poached eggs, toast and marmalade. Since he'd walked out of the office the Tuesday before, he hadn't heard a word from any of his superiors. Then his phone rang.

When he answered, he found himself on a conference call with three Maersk staffers. He was needed, they said, at Maersk’s office in Maidenhead, England, a town west of London where the conglomerate’s IT overlords, Maersk Group Infrastructure Services, were based. They told him to drop everything and go there. Immediately.

Two hours later, Jensen was on a plane to London, then in a car to an eight-story glass-and-brick building in central Maidenhead. When he arrived, he found that the fourth and fifth floors of the building had been converted into a 24/7 emergency operations centre. Its singular purpose: to rebuild Maersk’s global network in the wake of its NotPetya meltdown.

Some Maersk staffers had been in the recovery centre since Tuesday when NotPetya first struck. Some had been sleeping in the office, under their desks or in corners of conference rooms. Staffers were subsisting on snacks that someone had piled up in the office kitchen after a trip to the nearby Sainsbury's grocery store.

Early in the recovery operation, the IT staffers rebuilding Maersk's network came to a sickening realisation. They had located backups of almost all of Maersk's individual servers, dating from between three and seven days prior to NotPetya's onset. But no one could find one crucial layer of the company's network: its Active Directory.

Maersk’s 150 or so domain controllers were programmed to sync their data with one another, so that, in theory, any of them could function as a backup for all the others. But that decentralized backup strategy hadn’t accounted for one scenario: where every domain controller is wiped simultaneously. “If we can’t recover our domain controllers,” a Maersk IT staffer remembers thinking, “we can’t recover anything.”

After a frantic global search, the admins finally found one lone surviving domain controller in a remote office in Ghana. At some point before NotPetya struck, a blackout had knocked the Ghanaian machine offline, and the server remained disconnected from the network. It thus contained the singular known copy of the company's active directory.
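The lesson of the Ghana server is that replication is not a backup: a copy that is reachable from the domain is wiped with the domain. The check below is an added example, not part of the original post and not Maersk's tooling. It enumerates every domain controller and reports the age of its most recent System State backup, so an estate where no DC has been backed up recently is spotted before the backup is needed. It assumes the ActiveDirectory PowerShell module, WinRM access to each DC, and Windows Server Backup (wbadmin) installed on them; the seven-day threshold is an arbitrary assumption.

```powershell
# Added example: report the most recent System State backup on every domain
# controller and flag the stale ones. Assumes the ActiveDirectory module,
# WinRM to each DC and Windows Server Backup (wbadmin) on each DC.
Import-Module ActiveDirectory

$maxAgeDays = 7   # assumption: anything older than this is treated as stale
$cutoff     = (Get-Date).AddDays(-$maxAgeDays)

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $latest = $null
    $reason = ''
    try {
        # "wbadmin get versions" lists each backup on the target with a
        # "Backup time: <local date/time>" line; collect those timestamps.
        $lines = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop `
                                -ScriptBlock { wbadmin get versions 2>&1 }
        $times = foreach ($line in $lines) {
            if ($line -match '^Backup time:\s*(.+)$') { Get-Date $Matches[1] }
        }
        if ($times) { $latest = @($times | Sort-Object)[-1] }
        else        { $reason = 'no backup versions reported' }
    } catch {
        # DC unreachable, WinRM refused, or wbadmin not installed
        $reason = $_.Exception.Message
    }

    [pscustomobject]@{
        DC         = $dc.HostName
        Site       = $dc.Site
        LastBackup = $latest
        Stale      = (-not $latest) -or ($latest -lt $cutoff)
        Note       = $reason
    }
}

$report | Sort-Object Stale -Descending | Format-Table -AutoSize

# Headline number: how many DCs would you actually be able to restore from?
$fresh = @($report | Where-Object { -not $_.Stale }).Count
"DCs with a System State backup newer than $maxAgeDays days: $fresh of $($report.Count)"
```

Age is only half the check. The script cannot tell where the backup file lives; if every copy sits on a domain-joined share, a worm with domain admin rights reaches it as easily as it reached the DCs, which is exactly why the one offline machine in Ghana ended up being the only usable copy. Pair this with at least one System State copy that is written to storage the domain cannot touch (detached media, a separate credential boundary, or an immutable object store) and with a periodic test restore of a DC into an isolated network.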


With a rescue operation completed...

The Maidenhead office could begin bringing Maersk's core services back online. After the first days, Maersk's port operations had regained the ability to read the ships' inventory files, so operators were no longer blind to the contents of the hulking vessels. Several more days would pass before Maersk started taking orders through Maerskline.com for new shipments.

About two weeks after the attack, Maersk’s network had finally reached a point where the company could begin reissuing personal computers to the majority of staff. Back at the Copenhagen headquarters, a cafeteria in the basement of the building was turned into a reinstallation assembly line. Computers were lined up 20 at a time on dining tables as help desk staff walked down the rows, inserting USB drives they’d copied by the dozens, clicking through prompts for hours.

A few days after his return from Maidenhead, Henrik Jensen found his laptop in an alphabetized pile of hundreds, its hard drive wiped, a clean image of Windows installed. Everything that he and every other Maersk employee had stored locally on their machines, from notes to contacts to family photos, was gone.

Maersk security staffers told WIRED that some of the corporation’s servers were, up until the attack, still running Windows 2000—an operating system so old, Microsoft no longer supported it. In 2016, one group of IT executives had pushed for a preemptive security redesign of Maersk’s entire global network. They called attention to Maersk’s less-than-perfect software patching, outdated operating systems, and above all insufficient network segmentation. That last vulnerability, in particular, they warned, could allow malware with access to one part of the network to spread wildly beyond its initial foothold, exactly as NotPetya would the next year. The security revamp was green-lit and budgeted. But its success was never made a so-called key performance indicator for Maersk’s most senior IT overseers, so implementing it wouldn’t contribute to their bonuses. They never carried the security makeover forward.

Few firms have paid more dearly for dragging their feet on security.


Even now, more than a year after the attack...

Cybersecurity experts still argue over the mysteries of NotPetya. What were the hackers’ true intentions? The Kiev staff of security firm ISSP, including Oleh Derevianko and Oleksii Yasinsky, maintain that the attack was intended not merely for destruction but as a cleanup effort. After all, the hackers who launched it first had months of unfettered access to victims’ networks. On top of the panic and disruption it caused, NotPetya may have also wiped away evidence of espionage or even reconnaissance for future sabotage.

While many in the security community still see NotPetya’s international victims as collateral damage, Cisco’s Craig Williams argues that Russia knew full well the extent of the pain the worm would inflict internationally. That fallout, he argues, was meant to explicitly punish anyone who would dare even to maintain an office inside the borders of Russia’s enemy. “Anyone who thinks this was accidental is engaged in wishful thinking,” Williams says. “This was a piece of malware designed to send a political message: If you do business in Ukraine, bad things are going to happen to you."

Almost everyone who has studied NotPetya, however, agrees on one point: that it could happen again, and on a larger scale. Global corporations are simply too interconnected, information security too complex, attack surfaces too broad to protect against state-trained hackers bent on releasing the next world-shaking worm. Russia, meanwhile, hardly seems to have been chastened by the US government’s sanctions for NotPetya, which arrived a full eight months after the worm hit and whose punishments were muddled with other messages chastising Russia for everything from 2016 election disinformation to hacker probes of the US power grid. “The lack of a proper response has been almost an invitation to escalate more,” says Thomas Rid, a political science professor at Johns Hopkins’ School of Advanced International Studies.

In the end, NotPetya reminds us, distance is no defence. Every barbarian is already at every gate. And the network of entanglements in that ether, which have unified and elevated the world for the past 25 years, can, over a few hours on a summer day, be brought to a crashing halt.

Happy New Year from our security team.

