The true story of Notpetya: a Russian cyberweapon that escaped and did $10B in worldwide damage

Andy Greenberg (previously) is a veteran Wired security reporter who has chronicled the frightening and chaotic world of cyberwar since its earliest days; in a forthcoming book called "Sandworm," Greenberg tells the fascinating and terrible tale of Notpetya (previously), a Russian cyberweapon (built on leaked NSA cyberweapons!) that disguised itself as criminal ransomware, but which was designed to identify and destroy key Ukrainian computer systems and networks.

Ukraine has suffered for years as the Russian cyberwar testbed, and this has made Ukraine a kind of crystal ball for seeing into the future of cyberwar.

Notpetya is a disturbing harbringer. Though it was designed to attack Ukrainian systems (it targets systems with a common piece of Ukrainian bookkeeping software), flaws in its design meant that it got out into the wild and shut down some of the world's largest companies, including Maersk, the world's largest shipper. All told, it did $10 billion in damage.

In an excerpt published today, Greenberg tells the story of Maersk's shutdown, a global event that rippled through supply chains and might have been much, much worse (a key piece of data was wiped out on seven mirrored servers and only survived on a system in Ghana due to a freak blackout that shut down the data-center so that the system was knocked offline before it could be infected).

The Maersk story shows how a system that fails in key ways becomes unusable, even if parts of it are unaffected: Maersk's shipboard systems were fine, but there was no way to distribute their loads or take on new cargo -- even the gates at the ports were frozen shut.

After a frantic search that entailed calling hundreds of IT admins in data centers around the world, Maersk’s desperate administrators finally found one lone surviving domain controller in a remote office—in Ghana. At some point before NotPetya struck, a blackout had knocked the Ghanaian machine offline, and the computer remained disconnected from the network. It thus contained the singular known copy of the company’s domain controller data left untouched by the malware—all thanks to a power outage. “There were a lot of joyous whoops in the office when we found it,” a Maersk administrator says.

When the tense engineers in Maidenhead set up a connection to the Ghana office, however, they found its bandwidth was so thin that it would take days to transmit the several-hundred-gigabyte domain controller backup to the UK. Their next idea: put a Ghanaian staffer on the next plane to London. But none of the West African office’s employees had a British visa.

So the Maidenhead operation arranged for a kind of relay race: One staffer from the Ghana office flew to Nigeria to meet another Maersk employee in the airport to hand off the very precious hard drive. That staffer then boarded the six-and-a-half-hour flight to Heathrow, carrying the keystone of Maersk’s entire recovery process.

The Untold Story of NotPetya, the Most Devastating Cyberattack in History [Andy Greenberg/Wired]

(Image: Mike McQuade)