
The Maersk cyber attack - How malware can hit companies of all sizes

By Hilary Walton, 26 October 2020


Chances are you’ve seen a shipping container with “Maersk” emblazoned along the side at least once before.

In fact, most people probably have when you consider that Maersk is the largest shipping container company on the planet. It’s estimated that one of its giant ships, which carry up to 20,000 containers, arrives in a port somewhere around the world every 15 minutes.

So what happens when those major global operations are shut down by a cyber attack? 

Wired called it “the most devastating cyber attack in history”.

In this blog, we’ll look at what exactly happened, how severe the impact was for Maersk and some simple learnings that Kiwi businesses can take from this major attack. 

  • The malware that caused it
  • What happened and how severe was it?
  • How Maersk is helping others be better prepared
  • What can we learn from this attack?

The malware that caused it

Before we look at what happened to Maersk, we need to look at the cause of the attack.

In 2016, there was a known vulnerability in Microsoft systems called EternalBlue. While Microsoft released a patch for the vulnerability soon after it was discovered, not all organisations had updated their systems, and some were running older systems that were past their end-of-life.

This was quickly exploited by the WannaCry ransomware cryptoworm, which locked users out of their systems and encrypted data until a ransom was paid. More than 200,000 computers across 150 countries were affected, and the damage ran into billions of dollars. The attack was halted soon after it happened, but a new strain of ransomware, known as ‘NotPetya’, began exploiting that same Microsoft vulnerability where patches weren’t installed. And this is where Maersk enters the fray.

Read more about NotPetya in our previous blog here.

 

What happened and how severe was it?

In the case of the attack on Maersk’s systems, it’s important to know that they weren’t attacked because they were a large global company.

Instead, they happened to be interfacing with a company that was the original target and Maersk’s systems became infected by default because they weren’t patched against the known vulnerability.

Following the initial breach, Maersk quickly realised the malware was spreading throughout their entire global network and the decision was promptly made to shut all their systems down.

For three days, all the tracking operations and the logistics associated with them were offline, and this inevitably caused major shipping delays. All up, almost 50,000 endpoints were infected, and thousands of applications and servers across 600 sites in 130 countries were affected.

Maersk moved quickly to rebuild their entire IT infrastructure and managed to do it in 10 days. But by then they had suffered losses in excess of $300 million, on top of the reputational damage caused by the high profile media coverage reporting on the attack.

 

How Maersk is helping others be better prepared

In the years since the attack, Maersk has been very open about sharing their story to help other companies avoid a similar experience.

Maersk’s head of cybersecurity compliance, Lewis Woodcock, recently gave a keynote session all about how the attack affected them and what they’ve now introduced following the incident.

Woodcock said that protecting their critical systems is the key priority, but it’s also essential to have an effective data recovery plan.

A significant part of this, he says, is the ability to truly understand what’s involved in the core business processes.

"From there, you can really understand how to protect and secure and also recover – crucially in that order. This really requires more of a balance between the preventative measures and also your recovery measures."

"Companies which have this real focus between these two and investment will have better standing against future threats."

 

What can we learn from this attack?

1. Always be prepared

Anything you do in the security space is about risk mitigation. Just because you’ve got processes and technologies in place, that doesn’t mean you’re now protected against every threat.

There's always the risk that you're going to be the victim of an attack so you should be well prepared for it and ready to recover if one happens. The faster you can recover, the smaller the impact will be on your business.

2. Do the simple things

Earlier this year, one of the biggest security conferences in the world took place and one of the keynote sessions was focused on new trends in cybersecurity and cyber attacks.

While many thought the session would cover topics such as artificial intelligence or quantum computing, it was instead all about patches and the fact that companies still don't patch their systems.

Even though it’s been four years since that vulnerability in Microsoft systems was identified, companies big and small are still not taking action on this, with reports that many organisations still haven’t patched for the very vulnerability exploited by NotPetya and WannaCry.

3. Cyber attacks don’t discriminate

Maersk didn't get hit because they were a high profile, big company. They got hit because they had a vulnerability and were interfacing with another system that was infected, perpetuating the attack. This could have happened to any company, large or small, just as easily.

 

Cyber security and protecting sensitive data isn’t just an issue for the IT team – it affects the whole business.

That’s why building a cyber resilient culture is the best way for businesses to prepare themselves in a world where a cyber attack is a very real possibility. 
