ISACA Now Blog


Key Takeaways from the NotPetya Malware Infection

Baan Alsinawi, president and founder of TalaTek
Posted at 3:02 PM by ISACA News | Category: Security

When we talk about risk management, we are often fixated on protecting data confidentiality and mitigating related risks, but there are other equally compelling concerns, such as data availability. Consider the case of the NotPetya malware, which last year attacked the shipping giant Maersk among other companies.

For Maersk, the attack resulted in the loss of millions of dollars, delayed shipments, and required endless hours of manual paperwork to rebuild every laptop and server for this global company. It is a cautionary tale about data availability risk, continuity of operations and disaster recovery.

The Wired article on this subject reveals the details of how an international, multibillion-dollar company was hit by NotPetya: a lethal cocktail combining the EternalBlue exploit with Mimikatz, a tool that allows attackers to harvest passwords from the RAM of a Windows machine.

By the time Maersk’s security and IT professionals realized what was going on, it was too late—their data was wiped. NotPetya, malware named for its similarity to the Petya ransomware, was particularly harmful because it did not ask for a ransom, and no keys were offered for data recovery. Created to disrupt on a global scale, NotPetya left its victims—and the global, interconnected community—facing the harsh new reality of cyberwarfare.

How is this a story about data availability? The glaring flaw in the risk management strategy (where it existed) of NotPetya’s victims, like Maersk, was in their backup and disaster recovery plans. (Unfortunately, at TalaTek, we have seen poor backup and recovery plans more times than not.)

According to published reports of the incident, Maersk had a few hundred domain controllers across the globe, all of which were wiped out in the first few seconds of the attack. The company’s backup plans had not prepared for this scenario. While the IT department thought there was enough redundancy to protect the company from the impact of an outage or failure of any given domain controller, no secure encrypted backups existed from which to recover a lost domain controller.

From what we can determine, Maersk did not plan for the likelihood of a zero-day attack that would wipe all domain controllers at once. Without domain controllers to manage access and permissions to the various servers and data stores, there was no way to recover the data.

Fortunately, Maersk had one small bit of luck. An unplanned power outage kept a single server from getting infected, preserving a lone domain controller in an office in Ghana. When the office in Ghana did not have sufficient bandwidth to sync with the data center over the internet, a relay race was set in motion in which personnel from Ghana frantically met personnel from London in Nigeria! A perfect Ethan Hunt mission.

The scary reality of the new cyberwarfare landscape is that we are highly susceptible to this risk and cannot defend our digital systems fast enough. We are faced with the reality of being only as secure as our weakest systems. Governments, hospitals, airports, water treatment plants, food manufacturers and distributors—you name it—are all at risk.

A single machine at Maersk started the global meltdown that resulted in an estimated $10 billion in losses when all was said and done. Describing the NotPetya attack, the Wired article observes, “It crippled multinational companies including Maersk, pharmaceutical giant Merck, FedEx’s European subsidiary TNT Express, French construction company Saint-Gobain, food producer Mondelēz, and manufacturer Reckitt Benckiser. In each case, it inflicted nine-figure costs. It even spread back to Russia, striking the state oil company Rosneft.”

What to do? Here are my top 10 tips. Unfortunately, there is nothing glamorous about the work that needs to be done, including:

  • Have good, old-fashioned backups of everything.
  • Test your backups frequently to make sure they work.
  • Use separate keys to encrypt backups. If you lose your primary data and the secondary backup is protected by a different key, chances are higher that you will be able to recover your data.
  • Design tabletop exercises to mirror disaster and recovery situations that are detailed and realistic, and practice corrective actions.
  • Train everyone in your tabletop tree on their roles and responsibilities when a disaster strikes.
  • Have redundant service providers and redundant locations where data is stored.
  • Back up your domain controllers.
  • Document detailed and thorough restoration plans to rebuild every server.
  • If you are using cloud solutions, leverage the power of the cloud to design effective solutions for recovery.
  • Always understand your risks and remember that the landscape has changed dramatically. Be sure to revisit your cybersecurity plans for disaster recovery every six months.
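Several of the tips above (keep backups, test them frequently, protect them with a key separate from the primary data, and document restoration) can be turned into a repeatable drill. The script below is an added illustration, not part of this post or of any Maersk process: it archives a directory, writes a manifest of file hashes signed with a backup-only key (a constructed placeholder here), then restores into scratch space and compares every file. The drill runs three constructed cases: a healthy backup, a backup whose data drifted after the manifest was taken (the copy that "exists" but would not bring the data back), and a manifest altered without the backup key.

```python
"""Backup-and-restore drill using only the Python standard library.

Added example: creates an archive plus an HMAC-signed manifest, restores into a
scratch directory and verifies every file, so "do the backups work?" is answered
by a test that runs rather than by an assumption.
"""
import hashlib
import hmac
import json
import tarfile
import tempfile
from pathlib import Path

# Key used ONLY for backup manifests. It is deliberately distinct from whatever
# protects the live data, so losing one secret does not lose both copies.
# Constructed placeholder for this example; keep the real one offline.
BACKUP_KEY = b"example-backup-manifest-key"


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _manifest_path(archive: Path) -> Path:
    return archive.with_name(archive.name + ".manifest.json")


def create_backup(source: Path, archive: Path, key: bytes = BACKUP_KEY) -> dict:
    """Archive every file under source and write an HMAC-signed manifest beside it."""
    files = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = path.relative_to(source).as_posix()
            files[rel] = _sha256(path.read_bytes())
            tar.add(path, arcname=rel)
    body = json.dumps(files, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    _manifest_path(archive).write_text(json.dumps({"files": files, "hmac": tag}))
    return files


def verify_restore(archive: Path, key: bytes = BACKUP_KEY) -> dict:
    """Restore into scratch space and compare the result with the signed manifest.

    Returns {"signature_ok": bool, "restored": int, "bad_files": [names]} where
    bad_files lists manifest entries that are missing or whose hash differs.
    """
    meta = json.loads(_manifest_path(archive).read_text())
    body = json.dumps(meta["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    signature_ok = hmac.compare_digest(expected, meta["hmac"])

    restored = {}
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch).resolve()
        with tarfile.open(archive, "r:gz") as tar:
            for member in tar.getmembers():
                if not member.isfile():
                    continue
                dest = (root / member.name).resolve()
                # Refuse entries that would land outside the scratch directory.
                if root not in dest.parents:
                    raise ValueError(f"unsafe archive entry: {member.name}")
                dest.parent.mkdir(parents=True, exist_ok=True)
                dest.write_bytes(tar.extractfile(member).read())
                restored[member.name] = _sha256(dest.read_bytes())

    bad_files = sorted(
        name for name, digest in meta["files"].items() if restored.get(name) != digest
    )
    return {"signature_ok": signature_ok, "restored": len(restored), "bad_files": bad_files}


def run_drill() -> dict:
    """Constructed scenario: healthy, stale, and tampered backups of a small tree."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        source = work / "live"
        (source / "dc").mkdir(parents=True)
        (source / "dc" / "ntds.dit").write_bytes(b"constructed directory database")
        (source / "finance.csv").write_text("ship,cost\nA,100\n")

        good = work / "backup-good.tgz"
        create_backup(source, good)
        good_report = verify_restore(good)

        # One file changed after the manifest was taken, re-archived under the old
        # manifest: the signature still verifies but the content check catches it.
        (source / "finance.csv").write_text("ship,cost\nA,999\n")
        stale = work / "backup-stale.tgz"
        with tarfile.open(stale, "w:gz") as tar:
            for path in sorted(p for p in source.rglob("*") if p.is_file()):
                tar.add(path, arcname=path.relative_to(source).as_posix())
        _manifest_path(stale).write_text(_manifest_path(good).read_text())
        stale_report = verify_restore(stale)

        # Manifest edited without the backup key: the signature check fails.
        tampered = json.loads(_manifest_path(good).read_text())
        tampered["files"]["finance.csv"] = "0" * 64
        _manifest_path(good).write_text(json.dumps(tampered))
        tampered_report = verify_restore(good)

    return {"good": good_report, "stale": stale_report, "tampered": tampered_report}


if __name__ == "__main__":
    print(json.dumps(run_drill(), indent=2))
```

Run as a scheduled job against real backup archives, `verify_restore` gives the "test your backups frequently" tip a concrete pass/fail signal, and the separate signing key means a manifest cannot be rewritten by whoever holds only the keys to the live systems.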
