Case Study 13.1: NotPetya — Lateral Movement That Brought Global Shipping to Its Knees
Overview
On June 27, 2017—just six weeks after WannaCry shocked the world—a far more destructive cyberattack launched from Ukraine and spread globally within hours. Initially mistaken for a variant of the Petya ransomware, the attack was quickly recognized as something fundamentally different: a nation-state weapon disguised as ransomware. Named "NotPetya" by the security community, the attack leveraged network-based lateral movement techniques, including the same EternalBlue and EternalRomance exploits used by WannaCry, to devastate organizations worldwide.
NotPetya caused an estimated $10 billion in total damages, making it the most destructive cyberattack in history. Its most prominent victim was Maersk, the Danish shipping and logistics giant responsible for approximately 20% of global container shipping. NotPetya's destruction of Maersk's IT infrastructure illustrates, with terrifying clarity, how network-based lateral movement can transform a single compromised endpoint into a catastrophic organizational failure.
The Attack Vector: M.E.Doc
The Supply Chain Compromise
NotPetya's initial infection vector was not phishing or a vulnerable internet-facing service. It was a supply chain attack targeting M.E.Doc, a Ukrainian accounting software used by virtually every company doing business in Ukraine. The attackers—later attributed to Russia's GRU military intelligence agency, specifically the Sandworm group—compromised M.E.Doc's update server and injected malicious code into a legitimate software update.
When Ukrainian businesses updated their M.E.Doc software on the morning of June 27, they unknowingly downloaded and executed the NotPetya payload. Because M.E.Doc was tax compliance software required by Ukrainian law, the initial infection was massive and immediate, hitting banks, energy companies, media organizations, and government agencies simultaneously.
Why This Matters for Network Security
The supply chain compromise demonstrates that network perimeter defenses are insufficient. The malicious payload arrived through a trusted, digitally signed software update—the same channel used for legitimate security patches. No firewall, IDS, or email filter could have detected it because it was not anomalous traffic; it was exactly what normal M.E.Doc updates looked like.
Lateral Movement: The Destruction Engine
Multi-Vector Propagation
What made NotPetya far more destructive than WannaCry was its sophisticated lateral movement engine. Once on a single machine, NotPetya used multiple techniques simultaneously to spread through the local network:
1. EternalBlue (CVE-2017-0144)
The same SMBv1 vulnerability exploited by WannaCry. NotPetya scanned the local network for systems vulnerable to MS17-010 and exploited them automatically. Unlike WannaCry, NotPetya did not scan the broader internet—it focused exclusively on the local network, making it stealthier and more effective against internal targets.
2. EternalRomance (CVE-2017-0145)
A second NSA exploit from the Shadow Brokers leak. EternalRomance targeted a different vulnerability in SMBv1, providing an alternative exploitation path for systems where EternalBlue failed. This redundancy made NotPetya's propagation more reliable.
3. Mimikatz-Style Credential Harvesting
NotPetya included a custom credential harvesting module based on Mimikatz. On each compromised system, it extracted:
- NTLM password hashes from LSASS memory
- Cleartext passwords (from WDigest, if available)
- Kerberos tickets
These stolen credentials were used for the next lateral movement technique.
4. PsExec and WMI Lateral Movement
Using the harvested credentials, NotPetya connected to other systems on the network via:
- PsExec — Windows Sysinternals tool for remote command execution. NotPetya included a lightweight PsExec implementation that created remote services.
- WMI (Windows Management Instrumentation) — Used to execute the payload on remote systems without creating new services, leaving fewer artifacts.
This combination was devastatingly effective. Even fully patched systems (immune to EternalBlue/EternalRomance) could be compromised if a user with cached credentials on a vulnerable machine had administrative access to the patched system.
The Propagation Algorithm
NotPetya's propagation logic followed a sophisticated sequence:
1. Compromise initial host (via M.E.Doc update)
2. Extract credentials from LSASS memory
3. Enumerate the local network (ARP cache, DHCP leases, Active Directory)
4. For each discovered host:
   a. Try EternalBlue (SMBv1 vulnerability)
   b. Try EternalRomance (SMBv1 variant)
   c. Try PsExec with each set of stolen credentials
   d. Try WMI with each set of stolen credentials
5. On each newly compromised host, repeat from step 2
This multi-vector approach meant that network segmentation alone was not sufficient—if a single user had credentials valid on both sides of a network boundary, NotPetya could jump across it.
The Maersk Catastrophe
Day One: Total Infrastructure Failure
Maersk had offices in Ukraine, and some of those offices used M.E.Doc for tax compliance. When the update delivered NotPetya to a single machine in Odessa, the lateral movement engine activated.
Within seven minutes, NotPetya had spread to the majority of Maersk's global IT infrastructure. The company's Active Directory—the backbone of their Windows environment—was completely compromised. Domain controllers on every continent were hit almost simultaneously because Maersk's global network was relatively flat, with broad trust relationships between sites.
The result was total IT failure:
- 49,000 laptops destroyed (operating systems encrypted)
- 3,500 servers destroyed
- All Active Directory domain controllers compromised except one in Accra, Ghana, which survived only because it had been offline during the attack due to a power outage
- Application infrastructure — including the proprietary systems managing global container operations — completely destroyed
- Phone systems — Maersk's VoIP systems ran on the same network and were affected
Employees arrived at work to find screens displaying the NotPetya ransom note—though paying the ransom was pointless, as NotPetya's encryption was deliberately irreversible.
The Recovery
Maersk's recovery effort was monumental:
- The surviving domain controller in Ghana was physically transported to the UK by employees who obtained emergency visas to hand-carry the server
- Maersk purchased thousands of new laptops, servers, and network devices in the days following the attack—at one point buying every available laptop at a retail electronics chain
- The company rebuilt its entire IT infrastructure from scratch in ten days
- During the recovery period, Maersk's 76 port terminals operated manually, with employees using personal Gmail accounts and WhatsApp for communication
- Container ships continued to arrive at ports, but without IT systems, containers could not be efficiently tracked, loaded, or unloaded
Maersk's CEO later stated the total cost was approximately $300 million—and acknowledged that if not for the offline domain controller in Ghana, the recovery would have been significantly more complex and lengthy.
Lessons for Network-Based Attack Defense
1. Flat Networks Enable Catastrophic Lateral Movement
Maersk's relatively flat network architecture, with broad connectivity between global sites and minimal internal segmentation, allowed NotPetya to spread from a single Ukrainian office to every continent within minutes.
Defense: Implement microsegmentation. Restrict lateral communication between workstations (they rarely need to communicate directly). Segment servers by function. Implement tiered administration where Tier 0 (domain controllers) credentials are never used on Tier 1 or Tier 2 systems.
2. Credential Reuse Amplifies Attack Scope
NotPetya's credential harvesting made patching insufficient. A single unpatched machine could compromise a domain admin's credentials, which were then used to access every other system—patched or not.
Defense: Implement Credential Guard on Windows 10/11 and Windows Server 2016+. Deploy LAPS for unique local administrator passwords. Use Privileged Access Workstations (PAWs) for domain administration. Never use domain admin credentials on regular workstations.
3. Active Directory Is the Crown Jewel
The compromise of Maersk's Active Directory domain controllers was the event that transformed a malware incident into total infrastructure failure. Without AD, nothing worked—authentication, file shares, email, applications—everything depended on Active Directory.
Defense: Protect domain controllers with the highest security controls. Implement tiered administration. Maintain offline backups of AD. Consider deploying Red Forest / Enhanced Security Admin Environment (ESAE) architecture.
4. Network-Based Attacks Require Network-Level Defenses
No amount of endpoint security could have prevented NotPetya's lateral movement via EternalBlue, because the exploit targeted the operating system's network stack. The defense must operate at the network level.
Defense: Disable SMBv1 on all systems. Implement host-based firewalls (Windows Firewall) to restrict which systems can connect to which ports. Deploy network-based IDS to detect exploitation attempts. Use Network Access Control (NAC) to enforce security compliance.
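The SMBv1, host-firewall and credential-caching controls from Lessons 2 and 4, combined into one audit-and-enforce script. This is an added example, not part of the case study or of any vendor guidance; it assumes an elevated PowerShell on Windows 10/11 or Server 2016+, and the workstation subnet and firewall rule name are placeholders to replace with your own.

```powershell
# Added example (not from the case study): audit, and with -Enforce apply, three
# host-level controls against NotPetya-style propagation. Assumes an elevated
# PowerShell on Windows 10/11 or Server 2016+. The subnet list is a placeholder
# for your own workstation VLANs; the rule name is arbitrary.
param([switch]$Enforce)

$WorkstationSubnets = @('10.20.0.0/16')   # placeholder: ranges that hold user PCs
$findings = @()

# 1. SMBv1, the protocol EternalBlue/EternalRomance abuse, must be off on the server side.
if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
    $findings += 'SMBv1 server protocol is enabled'
    if ($Enforce) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
}
# The SMB1Protocol optional feature also carries the SMBv1 client; remove it where present.
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feat -and $feat.State -eq 'Enabled') {
    $findings += 'SMB1Protocol optional feature is installed'
    if ($Enforce) { Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null }
}

# 2. WDigest keeps a cleartext copy of logon passwords in LSASS when UseLogonCredential
#    is 1 (the material the harvester read); set it to 0 explicitly, not by default.
$wdigest = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$val = (Get-ItemProperty -Path $wdigest -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
if ($val -ne 0) {
    $findings += "WDigest UseLogonCredential is '$val' (expected 0)"
    if ($Enforce) { Set-ItemProperty -Path $wdigest -Name UseLogonCredential -Value 0 -Type DWord }
}

# 3. Workstations rarely need SMB to each other: block inbound 445 from the client
#    ranges so a compromised peer cannot reach this host over SMB at all.
$ruleName = 'Block inbound SMB from workstation subnets'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    $findings += "Firewall rule '$ruleName' is missing"
    if ($Enforce) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Block `
            -Protocol TCP -LocalPort 445 -RemoteAddress $WorkstationSubnets `
            -Profile Domain, Private, Public | Out-Null
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'SMBv1 off, WDigest cleartext caching off, inbound SMB from workstations blocked.' }
```

Servers that must still accept SMB from clients (file servers, domain controllers) need the block rule scoped to workstation-to-workstation traffic only, which is why the subnet list is a parameter rather than a constant.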
5. Backups Must Survive Network-Wide Compromise
Many of Maersk's backup systems were connected to the same network and were destroyed along with the production systems.
Defense: Maintain air-gapped backups that cannot be reached from the production network. Test restoration regularly. The 3-2-1 rule (3 copies, 2 different media types, 1 offsite) should be the minimum standard, with at least one copy being immutable.
Blue Team Analysis
🔵 Blue Team Perspective: NotPetya represents the worst-case scenario for network-based attacks: multi-vector lateral movement combined with credential theft creating a self-propagating threat that can destroy an entire global IT infrastructure in minutes.
The primary defensive lessons are:
- Network segmentation is not optional — it is the single most important architectural defense
- Credential hygiene (unique passwords, credential isolation, protected users) prevents credential-based propagation
- SMBv1 must be disabled — there is no legitimate reason to run this protocol on modern networks
- Detection speed matters — even minutes of delay in detection allows exponential spread
- Resilience planning must assume total IT failure — paper-based procedures, communication alternatives, and tested recovery plans are essential
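To make "detection speed matters" concrete for the PsExec/WMI stage described in this case, the following detector looks for one account producing network logons to more hosts than a threshold inside a short window, and corroborates it with service installs on the same hosts. It is an added example and not code from the case study; the input is a constructed set of records shaped like forwarded Windows events (Security 4624 with LogonType 3, System 7045), and every host, account, address and timestamp is hypothetical.

```powershell
# Added example (not from the case study): a fan-out detector for the PsExec/WMI
# stage described above, run over constructed records shaped like forwarded Windows
# events (Security 4624, LogonType 3 = network logon; System 7045 = service installed).
# Hosts, account names, addresses and timestamps are all hypothetical.
$Window   = New-TimeSpan -Minutes 10   # NotPetya covered most of Maersk in about 7 minutes
$MaxHosts = 4                          # distinct hosts one account may reach per window

# Constructed sample: one service account reaches six hosts in about two minutes and
# installs a service on three of them; 'CORP\jsmith' is ordinary background noise.
$events = @(
  @{ t='2017-06-27T10:30:02'; host='WS-ODS-01';  id=4624; acct='CORP\svc_backup'; src='10.20.5.14' },
  @{ t='2017-06-27T10:30:03'; host='WS-ODS-01';  id=7045; svc='wsdrv32' },
  @{ t='2017-06-27T10:30:20'; host='WS-ODS-02';  id=4624; acct='CORP\svc_backup'; src='10.20.5.14' },
  @{ t='2017-06-27T10:30:21'; host='WS-ODS-02';  id=7045; svc='wsdrv32' },
  @{ t='2017-06-27T10:30:45'; host='FS-CPH-01';  id=4624; acct='CORP\svc_backup'; src='10.20.5.14' },
  @{ t='2017-06-27T10:30:46'; host='FS-CPH-01';  id=7045; svc='wsdrv32' },
  @{ t='2017-06-27T10:31:10'; host='DC-CPH-01';  id=4624; acct='CORP\svc_backup'; src='10.20.5.14' },
  @{ t='2017-06-27T10:31:40'; host='APP-RTM-03'; id=4624; acct='CORP\svc_backup'; src='10.20.5.14' },
  @{ t='2017-06-27T10:32:05'; host='WS-ODS-07';  id=4624; acct='CORP\svc_backup'; src='10.20.5.14' },
  @{ t='2017-06-27T10:32:10'; host='FS-CPH-02';  id=4624; acct='CORP\jsmith';      src='10.20.5.77' }
) | ForEach-Object { [pscustomobject]$_ }

function Find-LateralFanOut {
    param($Events, [TimeSpan]$Window, [int]$MaxHosts)
    $alerts   = @()
    $logons   = @($Events | Where-Object { $_.id -eq 4624 } | Sort-Object { [datetime]$_.t })
    $installs = @($Events | Where-Object { $_.id -eq 7045 })
    foreach ($grp in ($logons | Group-Object acct)) {
        $rows = @($grp.Group)
        for ($i = 0; $i -lt $rows.Count; $i++) {
            $start = [datetime]$rows[$i].t
            # all network logons by this account inside the window that opens at $start
            $inWin = @($rows | Where-Object { $d = [datetime]$_.t - $start; $d.Ticks -ge 0 -and $d -le $Window })
            $hosts = @($inWin.host | Sort-Object -Unique)
            if ($hosts.Count -le $MaxHosts) { continue }
            # corroboration: service installs on the reached hosts inside the same window
            $svcHosts = @($installs | Where-Object { $hosts -contains $_.host } |
                Where-Object { $d = [datetime]$_.t - $start; $d.Ticks -ge 0 -and $d -le $Window } |
                Select-Object -ExpandProperty host -Unique)
            $alerts += [pscustomobject]@{
                Account = $grp.Name; WindowStart = $start; Hosts = $hosts.Count
                ServiceInstalls = $svcHosts.Count; Sources = (@($inWin.src | Sort-Object -Unique) -join ',')
            }
            break   # one alert per account per run is enough to page an analyst
        }
    }
    return $alerts
}

Find-LateralFanOut -Events $events -Window $Window -MaxHosts $MaxHosts | Format-Table -AutoSize
```

On real data, feed the function the output of Get-WinEvent from a collector rather than the inline sample, and tune $MaxHosts per account class (a backup or monitoring account legitimately touches many hosts, an ordinary user does not).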
Discussion Questions
- NotPetya was attributed to Russia's Sandworm group and is widely considered an act of cyberwarfare targeting Ukraine. Why did it cause so much collateral damage to companies like Maersk that were not the intended targets?
- If you were the CISO of a company like MedSecure that has offices in a geopolitically volatile region, how would you architect your network to prevent a NotPetya-style attack from spreading to your global infrastructure?
- Maersk's survival depended on a single domain controller in Ghana that happened to be offline during the attack. What does this tell us about the role of luck in disaster recovery? How should organizations design systems that do not depend on luck?
- NotPetya used legitimate Windows administration tools (PsExec, WMI) for lateral movement. How can organizations defend against attacks that use their own tools against them?
- The supply chain vector (M.E.Doc update) bypassed all traditional security controls. How should organizations evaluate and manage the risk of their software supply chain?