Tales from the SOC side Vol.3

The NotPetya story continues...

Dark tales from the SOC Vol.3

The "NotPetya" Edition, Part 2.



As the early morning dawns and our analysts slowly emerge from a night of dark, scary surveillance and remediation, we return to the story of the most destructive ransomware to date: the NotPetya worm, which wore the disguise of ransomware but gave its victims no way to recover what it wiped.

The excerpt below continues from the book "Sandworm", written by fellow dungeon keeper and WIRED senior writer Andy Greenberg.


In part 1 of the NotPetya story, we introduced you to how NotPetya began to spread and how Ukraine was targeted.

The continued story of NotPetya isn’t only about Maersk, or even about Ukraine. It’s the story of a nation-state’s weapon of war released in a medium where national borders have no meaning, and where collateral damage travels via a cruel and unexpected logic: Where an attack aimed at Ukraine strikes Maersk, and an attack on Maersk strikes everywhere at once.

Oleksii Yasinsky expected a calm Tuesday at the office. It was the day before Ukraine’s Constitution Day, a national holiday, and most of his coworkers were either planning their vacations or already taking them. But not Yasinsky. For the past year, he’d been the head of the cyber lab at Information Systems Security Partners (ISSP), a company that was quickly becoming the go-to firm for victims of Ukraine’s cyberwar. That job description didn’t lend itself to downtime. Since the first blows of Russia’s cyber attacks hit in late 2015, in fact, he’d allowed himself a grand total of one week off.
So Yasinsky was unperturbed when he received a call that morning from ISSP’s director telling him that Oschadbank, the second-largest bank in Ukraine, was under attack. The bank had told ISSP that it was facing a ransomware infection, an increasingly common crisis for companies around the world targeted by profit-focused cybercriminals. But when Yasinsky walked into Oschadbank’s IT department at its central Kiev office half an hour later, he could tell this was something new. “The staff were lost, confused, in a state of shock,” Yasinsky says. Around 90 percent of the bank’s thousands of computers were locked, showing NotPetya’s “repairing disk” messages and ransom screens. 
After a quick examination of the bank’s surviving logs, Yasinsky could see that the attack was an automated worm that had somehow obtained an administrator’s credentials, which had allowed it to rampage through the bank’s network like a prison inmate who has stolen the warden’s keys.
As he analyzed the bank’s breach back in ISSP’s office, Yasinsky started receiving calls and messages from people around Ukraine, telling him of similar instances in other companies and government agencies. One told him that another victim had attempted to pay the ransom. As Yasinsky suspected, the payment had no effect. This was no ordinary ransomware. “There was no silver bullet for this, no antidote,” he says.
ISSP’s security operations centre, which monitored the networks of clients in real time, warned that NotPetya was saturating victims’ systems with terrifying speed. It took 45 seconds to bring down the network of a large Ukrainian bank. A portion of one major Ukrainian transit hub, where ISSP had installed its equipment as a demonstration, was fully infected in 16 seconds. Ukrenergo, the energy company whose network ISSP had been helping to rebuild after the 2016 blackout cyberattack, had also been struck yet again. 
On a national scale, NotPetya was eating Ukraine’s computers alive. It would hit at least four hospitals in Kiev alone, six power companies, two airports, more than 22 Ukrainian banks, ATMs and card payment systems in retailers and transport, and practically every federal agency. “The government was dead,” summarizes Ukrainian minister of infrastructure Volodymyr Omelyan. According to ISSP, at least 300 companies were hit, and one senior Ukrainian government official estimated that 10 percent of all computers in the country were wiped. The attack even shut down the computers used by scientists at the Chernobyl cleanup site, 60 miles north of Kiev. “It was a massive bombing of all our systems,” Omelyan says. Across the country, Ukrainians were asking themselves whether they had enough money for groceries and gas to last through the blitz, whether they would receive their paychecks and pensions, whether their prescriptions would be filled. By that night, as the outside world was still debating whether NotPetya was criminal ransomware or a weapon of state-sponsored cyberwar, ISSP’s staff had already started referring to it as a new kind of phenomenon: a “massive, coordinated cyber invasion.”

Amid that epidemic, one single infection would become particularly fateful for Maersk: In an office in Odessa, a port city on Ukraine’s Black Sea coast, a finance executive for Maersk’s Ukraine operation had asked IT administrators to install the accounting software M.E.Doc on a single computer. That gave NotPetya the only foothold it needed. 

The shipping terminal in Elizabeth, New Jersey, one of the 76 that make up the port-operations division of Maersk known as APM Terminals, sprawls out into Newark Bay on a man-made peninsula covering a full square mile. Tens of thousands of stacked, perfectly modular shipping containers cover its vast asphalt landscape, and 200-foot-high blue cranes loom over the bay. From the top floors of lower Manhattan’s skyscrapers, five miles away, they look like brachiosaurs gathered at a Jurassic-era watering hole.
On a good day, about 3,000 trucks arrive at the terminal, each assigned to pick up or drop off tens of thousands of pounds of everything from diapers to avocados to tractor parts. They start that process, much like airline passengers, by checking in at the terminal’s gate, where scanners automatically read their container’s barcodes and a Maersk gate clerk talks to the truck driver via a speaker system. The driver receives a printed pass that tells them where to park so that a massive yard crane can haul their container from the truck’s chassis to a stack in the cargo yard, where it’s loaded onto a container ship and floated across an ocean—or that entire process in reverse order.
The gate at the Elizabeth terminal, a choke point to Maersk’s entire New Jersey terminal operation, was dead. The gate clerks had gone silent.

A terminal staffer recalls: "Soon, hundreds of 18-wheelers were backed up in a line that stretched for miles outside the terminal." One employee at another company’s nearby terminal at the same New Jersey port watched the trucks collect, bumper to bumper, farther than he could see. He’d seen gate systems go down for stretches of 15 minutes or half an hour before.

But after a few hours with no word from Maersk, the Port Authority put out an alert that the company's Elizabeth terminal would be closed for the rest of the day. Police then began to approach the drivers in their cabs, telling them to turn their massive loads around and clear out.

The same scene was playing out at 17 of Maersk’s 76 terminals, from Los Angeles to Algeciras, Spain, to Rotterdam in the Netherlands, to Mumbai. Gates were down. Cranes were frozen. Tens of thousands of trucks would be turned away from comatose terminals across the globe.
For days to come, one of the world’s most complex and interconnected distributed machines, underpinning the circulatory system of the global economy itself, would remain broken.

The estimated cost of the NotPetya worm to Maersk alone was around $300 million.

Other major companies that reported large NotPetya losses:

Merck (pharmaceutical)
Saint-Gobain (construction)
Reckitt Benckiser (manufacturer)


Stay tuned for the final instalment of the NotPetya story.