In 2017, **Maersk**, the world’s largest shipping company, fell victim to the **NotPetya cyber attack**, an attack using state-sponsored malware (attributed to Russia’s military intelligence) that originated in Ukraine and spread globally. The attack crippled Maersk’s IT systems, halting operations across 76 port terminals worldwide—from Los Angeles to New Jersey. Cargo piled up, factories faced delays due to missing parts, and employees resorted to manual tracking using Post-it notes and WhatsApp. The disruption lasted weeks, costing Maersk **hundreds of millions of dollars** in losses, including lost revenue, recovery expenses, and long-term reputational damage. The incident exposed the fragility of global supply chains, demonstrating how a single cyber attack could paralyze critical infrastructure, ripple through economies, and threaten international trade stability. NotPetya remains one of the most destructive cyber attacks in history, underscoring the intersection of cyber warfare and economic security.
TPRM report: https://www.rankiteo.com/company/maersk-group
"id": "mae2632826101025",
"linkid": "maersk-group",
"type": "Cyber Attack",
"date": "6/2017",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'customers_affected': 'Global (thousands of businesses '
'reliant on Maersk’s supply '
'chain)',
'industry': 'Transportation/Logistics',
'location': 'Global (Headquartered in Copenhagen, '
'Denmark)',
'name': 'A.P. Moller-Maersk (Maersk)',
'size': 'World’s largest shipping company (2017)',
'type': 'Multinational Shipping and Logistics '
'Company'}],
'attack_vector': ['Malware (NotPetya)',
'Supply Chain Compromise (via Ukrainian accounting software '
'M.E.Doc)',
'Lateral Movement'],
'customer_advisories': 'Maersk provided real-time updates via its website and '
'customer portals on terminal statuses and expected '
'recovery milestones.',
'data_breach': {'data_encryption': 'No (data was destroyed, not encrypted for '
'ransom)',
'data_exfiltration': 'No (NotPetya was a wiper, not data '
'theft)'},
'date_detected': '2017-06-27',
'date_publicly_disclosed': '2017-06-27',
'description': 'In 2017, Maersk, the world’s largest shipping company, was '
'paralyzed by the NotPetya cyber attack, a state-sponsored '
'attack attributed to Russia’s military intelligence agency. '
'The attack spread from Ukraine into global networks, '
'disrupting terminals from Los Angeles to New Jersey. Cargo '
'operations halted, factories faced delays due to missing '
'parts, and workers resorted to manual processes like Post-it '
"notes and WhatsApp messages. The attack was described as 'the "
"most destructive and costly cyber attack in history,' costing "
'Maersk hundreds of millions of dollars and highlighting '
'vulnerabilities in global supply chains.',
'impact': {'brand_reputation_impact': 'Severe (eroded trust in Maersk’s '
'operational resilience)',
'customer_complaints': 'Widespread (delays, lost shipments, '
'contractual breaches)',
'downtime': 'Weeks (full recovery took months for some systems)',
'financial_loss': 'Hundreds of millions of dollars (estimated $300 '
'million for Maersk alone)',
'operational_impact': ['Paralyzed cargo operations',
'Factory shutdowns due to missing parts',
'Manual workflows (Post-it notes, WhatsApp)',
'Global supply chain ripple effects'],
'revenue_loss': 'Significant (exact figures undisclosed, but '
"described as 'hundreds of millions')",
'systems_affected': ['Global Shipping Terminals',
'Port Operations',
'Logistics Software',
'Internal Communication Systems']},
'initial_access_broker': {'backdoors_established': 'Yes (NotPetya used '
'EternalBlue and other '
'exploits for lateral '
'movement)',
'data_sold_on_dark_web': 'No (attack was '
'destructive, not '
'financially motivated)',
'entry_point': 'Compromised update mechanism of '
'M.E.Doc (Ukrainian accounting '
'software)',
'high_value_targets': ['Ukrainian infrastructure '
'(primary target)',
'Global shipping/logistics '
'(collateral damage)'],
'reconnaissance_period': 'Unknown (likely months, '
'given state-sponsored '
'nature)'},
'investigation_status': 'Closed (attribution confirmed; lessons integrated '
'into cybersecurity practices)',
'lessons_learned': ['Supply chain attacks can have global, cascading effects '
'beyond primary targets.',
'Over-reliance on digital systems without manual '
'fallbacks creates systemic fragility.',
'State-sponsored cyber attacks can be disguised as criminal '
'ransomware, complicating attribution and response.',
'Critical infrastructure sectors (e.g., shipping) are '
'highly interdependent and require cross-sector '
'resilience planning.',
'Legacy systems and unpatched vulnerabilities remain '
'major risks in global enterprises.'],
'motivation': ['Geopolitical (targeting Ukraine)',
'Collateral Damage (global spread)',
'Disruption of Critical Infrastructure'],
'post_incident_analysis': {'corrective_actions': ['Maersk rebuilt its entire '
'IT infrastructure with '
'enhanced security '
'controls.',
'Implemented stricter '
'third-party risk '
'management for software '
'suppliers.',
'Developed manual '
'contingency plans for port '
'operations.',
'Invested in cybersecurity '
'training and incident '
'response drills.',
'Advocated for policy '
'changes (e.g., U.S. supply '
'chain resilience '
'legislation).'],
'root_causes': ['Lack of network segmentation '
'allowed rapid lateral spread.',
'Over-reliance on a single '
'software vendor (M.E.Doc) without '
'adequate vetting.',
'Delayed patching of known '
'vulnerabilities (e.g., '
'EternalBlue).',
'Insufficient backup and recovery '
'procedures for critical systems.',
'Underestimation of supply chain '
'as an attack vector.']},
'ransomware': {'data_encryption': 'No (permanent destruction via MBR '
'overwrites)',
'data_exfiltration': 'No',
'ransom_demanded': 'No (NotPetya masqueraded as ransomware but '
'was a wiper)',
'ransom_paid': 'No',
'ransomware_strain': 'NotPetya (variant of Petya)'},
'recommendations': ['Treat supply chains as critical infrastructure with '
'dedicated oversight (e.g., U.S. Promoting Resilient '
'Supply Chains Act).',
'Implement network segmentation and zero-trust '
'architectures to limit lateral movement.',
'Develop and test manual fallback procedures for '
'mission-critical operations.',
'Enhance third-party risk management, especially for '
'software supply chains (e.g., M.E.Doc).',
'Invest in continuous cybersecurity training and red-team '
'exercises for operational resilience.',
'Establish cross-sector councils for coordinated incident '
'response (e.g., ports, logistics, manufacturers).',
'Advocate for international norms against state-sponsored '
'supply chain attacks.'],
'references': [{'date_accessed': '2024-10-01',
'source': 'War on the Rocks',
'url': 'https://warontherocks.com/2024/10/supply-chains-are-the-next-battleground/'},
{'date_accessed': '2017-06-27',
'source': 'Maersk’s Official Statement on NotPetya',
'url': 'https://www.maersk.com/news/2017/06/27/maersk-updates-on-cyber-attack'},
{'date_accessed': '2018-02-15',
'source': 'U.S. White House Attribution of NotPetya to Russia',
'url': 'https://www.whitehouse.gov/briefings-statements/statement-press-secretary-24/'},
{'date_accessed': '2018-08-22',
'source': 'Wired: The Untold Story of NotPetya',
'url': 'https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/'}],
'regulatory_compliance': {'regulatory_notifications': ['Likely notifications '
'to EU GDPR '
'authorities (if '
'applicable)',
'U.S. regulatory '
'disclosures (if '
'required)']},
'response': {'communication_strategy': ['Public statements on operational '
'status',
'Customer advisories on delays',
'Collaboration with media to manage '
'reputation'],
'containment_measures': ['Isolation of infected systems',
'Network segmentation',
'Disconnection of affected terminals'],
'enhanced_monitoring': 'Yes (post-incident security upgrades)',
'incident_response_plan_activated': 'Yes (emergency protocols, '
'manual workflows)',
'law_enforcement_notified': 'Yes (FBI, Danish NCSC, and others)',
'network_segmentation': 'Implemented post-incident',
'recovery_measures': ['Gradual restoration of IT systems',
'Prioritization of critical operations '
'(e.g., port terminals)',
'Enhanced cybersecurity training'],
'remediation_measures': ['Full system rebuilds (10,000+ servers '
'and 4,000+ endpoints)',
'Reimaging of 45,000+ PCs',
'Implementation of stricter access '
'controls'],
'third_party_assistance': ['Cybersecurity Firms (e.g., Mandiant, '
'likely involved)',
'Government Agencies (e.g., Danish '
'and U.S. authorities)']},
'stakeholder_advisories': ['Maersk issued advisories to customers on shipment '
'delays and recovery timelines.',
'U.S. CISA and FBI released alerts on NotPetya '
'indicators of compromise (IOCs).',
'European Union Agency for Cybersecurity (ENISA) '
'published guidance on supply chain risks.'],
'threat_actor': 'Russia’s military intelligence agency (GRU)',
'title': 'NotPetya Cyber Attack on Maersk',
'type': ['Cyber Attack',
'Malware',
'Supply Chain Disruption',
'Ransomware-like (NotPetya)'],
'vulnerability_exploited': ['Unpatched Systems',
'Supply Chain Trust Abuse (M.E.Doc update '
'mechanism)',
'Lack of Network Segmentation']}