In a previous post, I discussed the dangers of “aftershock” attacks as organizations continue to feel the impact of the WannaCry ransomware attack. Microsoft issued an emergency patch for the vulnerability exploited by WannaCry, but the malware continues to impact PCs and servers running older, unpatched Windows versions.
We also touched on the NotPetya ransomware attack that affected hundreds of companies in June. It disrupted business operations of shipping giant Maersk for two weeks and temporarily shut down the largest cargo terminal at the Port of Los Angeles. Let’s take a closer look at NotPetya and the specifics of the Maersk attack.
NotPetya abused legitimate Windows tools to penetrate deep into the Maersk network while avoiding detection. It used valid authentication credentials, stolen by the Mimikatz tool that extracts passwords from memory, to move laterally within the network. This opened the door to a wide range of crimes. Hackers could steal data, encrypt or block access to files, and deploy further components to infect additional systems on the network.
In the case of Maersk, attackers used this method to block access to systems used to operate shipping terminals all over the world. All applications and data were unavailable. Users had their data blocked and were told to pay $300 in bitcoin as ransom. Maersk Line, APM Terminals and Damco freight and supply systems were shut down as a precaution. Although no data was lost and the safety of workers was not jeopardized, terminals couldn’t move cargo for two days. Maersk employees were forced to scramble to create and implement workarounds on the fly.
Customers couldn’t make new bookings or receive quotes. The opportunity to ship 70,000 40-foot containers was lost to other firms during two weeks of chaos. It took another two weeks for Maersk to restore business to normal.
The Maersk attack offers a stark reminder of the cost of downtime. As has been widely reported, Maersk estimates revenue losses between $200 million and $300 million, which will be felt primarily in the third quarter. Container shipping levels had returned to normal by mid-July and the company says it has not lost customers as a result of the attack, but profits will not reach expectations this year.
The attack also points to the risks to global supply chains, which have become increasingly popular targets for cybercrime. Ocean supply chains tend to be especially vulnerable due to partnerships with foreign companies that may lack robust security solutions. As a result, organizations need to identify these vulnerabilities and account for the supply chain in their risk management strategy.
Examine not only first-tier partners, but second- and third-tier partners with connections that could be compromised. Prioritize threats to technology and data assets across the supply chain. Educate all employees about the current threat climate and make sure your supply chain security strategy is aligned with your organization’s overall risk management position.
The unfortunate reality is that attacks are inevitable, and a security breach should be viewed as a matter of “when,” not “if.” The key is to upgrade defenses and prepare for various scenarios to minimize business disruption and the cost of downtime.
By John Flores, Vice President of Marketing