A.P. Møller Maersk

In June 2017, Maersk, a global shipping leader, fell victim to the **NotPetya malware attack**, a wiper virus disguised as ransomware, which spread via a compromised Ukrainian accounting software update (M.E.Doc). The attack, orchestrated by Russia’s **Sandworm Team (Unit 74455)**, targeted Ukraine but caused **collateral damage worldwide**, infecting Maersk’s IT infrastructure across **65 countries**.

The impact was catastrophic: **17 shipping terminals** (Ukraine, Russia, Germany, US, UK, France, Denmark, Netherlands) faced **operational paralysis**, with **4,000 servers, 45,000 PCs, and 2,500 applications** requiring complete rebuilds. Financial losses reached **$250–300 million**, alongside **data contamination, delayed deliveries, and port congestion**. Maersk resorted to **manual processes** (paper records, Gmail, WhatsApp, and Excel) to sustain operations.

The attack disrupted **global trade flows**, demonstrating how cyber warfare can cripple critical infrastructure. While Ukraine was the primary target, Maersk’s **prolonged outage** and **financial/reputational damage** underscored the **domino effect** of state-sponsored cyberattacks on multinational corporations.

Source: https://www.rtlnieuws.nl/geld-en-werk/artikel/1860486/cyberaanval-kost-maersk-255-miljoen-euro

TPRM report: https://www.rankiteo.com/company/maersk-group

"id": "mae701092025",
"linkid": "maersk-group",
"type": "Cyber Attack",
"date": "6/2017",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"
{'affected_entities': [{'industry': 'Logistics/Transportation',
                        'location': 'Denmark (global operations in 65 '
                                    'countries)',
                        'name': 'A.P. Møller Maersk',
                        'size': 'Large Enterprise',
                        'type': 'Shipping Company'}],
 'attack_vector': ['Compromised Software Update', 'Backdoor in M.E.Doc'],
 'data_breach': {'type_of_data_compromised': 'Data contamination '
                                             '(unspecified)'},
 'date_detected': '2017-06',
 'description': 'In June 2017, A.P. Møller Maersk was hit by the NotPetya '
                'wiper malware, which infected servers globally across 65 '
                'countries. The attack originated from a compromised software '
                'update of the Ukrainian accounting program M.E.Doc, used by '
                "Maersk. The malware, distributed via a backdoor in M.E.Doc's "
                'update process, caused massive disruption, including '
                'financial losses of $250–300 million, data contamination, '
                'delayed container deliveries, and operational chaos. Maersk '
                'had to rebuild 4,000 servers, 45,000 computers, and 2,500 '
                'applications. The attack was attributed to the Russian '
                'Sandworm Team (Unit 74455), targeting Ukraine, with Maersk as '
                'collateral damage.',
 'impact': {'data_compromised': 'Data contamination (unspecified)',
            'financial_loss': '$250–300 million',
            'operational_impact': ['Delayed container deliveries',
                                   'Traffic jams in/around ports',
                                   'Manual processes (paper documents, Gmail, '
                                   'WhatsApp, Excel)'],
            'systems_affected': ['4,000 servers',
                                 '45,000 computers',
                                 '2,500 applications']},
 'initial_access_broker': {'backdoors_established': True,
                           'entry_point': 'Compromised M.E.Doc software update '
                                          '(backdoor)',
                           'high_value_targets': ['Ukrainian tax authorities',
                                                  'M.E.Doc users (including '
                                                  'Maersk)'],
                           'reconnaissance_period': 'Months (prior to June '
                                                    '2017)'},
 'investigation_status': 'Completed (attribution to Sandworm/Unit 74455)',
 'motivation': ['Geopolitical Disruption',
                'Targeting Ukraine (Maersk as collateral damage)'],
 'post_incident_analysis': {'root_causes': ['Supply chain vulnerability '
                                            '(M.E.Doc backdoor)',
                                            'Lack of update integrity checks']},
 'references': [{'source': 'Talos Intelligence (Cisco)'},
                {'source': 'A.P. Møller Maersk public statements'}],
 'response': {'containment_measures': ['Isolation of infected systems',
                                       'Rebuilding IT infrastructure'],
              'incident_response_plan_activated': True,
              'recovery_measures': ['Manual workflows (paper, Gmail, WhatsApp, '
                                    'Excel)'],
              'remediation_measures': ['Rebuilt 4,000 servers',
                                       'Rebuilt 45,000 computers',
                                       'Rebuilt 2,500 applications'],
              'third_party_assistance': ['Talos Security (Cisco)']},
 'threat_actor': ['Russian Sandworm Team', 'Unit 74455'],
 'title': 'NotPetya Cyber Attack on A.P. Møller Maersk',
 'type': ['Malware', 'Wiper Attack', 'Supply Chain Attack'],
 'vulnerability_exploited': 'Backdoor in M.E.Doc software update process'}