{
	"id": "db21ed1c-e15c-4865-8807-430cadcccd42",
	"created_at": "2026-04-06T00:15:51.653759Z",
	"updated_at": "2026-04-10T03:37:50.346228Z",
	"deleted_at": null,
	"sha1_hash": "02565c1f41dbf19f8318baa6181f1407ca487d3c",
	"title": "The Untold Story of NotPetya, the Most Devastating Cyberattack in History",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6640849,
	"plain_text": "The Untold Story of NotPetya, the Most Devastating Cyberattack\r\nin History\r\nBy Andy Greenberg, Excerpt\r\nPublished: 2018-08-21 · Archived: 2026-04-05 13:42:05 UTC\r\nIt was a perfect sunny summer afternoon in Copenhagen when the world’s largest shipping conglomerate began to\r\nlose its mind.\r\nThe headquarters of A.P. Møller-Maersk sits beside the breezy, cobblestoned esplanade of Copenhagen’s harbor. A\r\nship’s mast carrying the Danish flag is planted by the building’s northeastern corner, and six stories of blue-tinted\r\nwindows look out over the water, facing a dock where the Danish royal family parks its yacht. In the building’s\r\nbasement, employees can browse a corporate gift shop, stocked with Maersk-branded bags and ties, and even a\r\nrare Lego model of the company’s gargantuan Triple-E container ship, a vessel roughly as large as the Empire\r\nState Building laid on its side, capable of carrying another Empire State Building–sized load of cargo stacked on\r\ntop of it.\r\nThat gift shop also houses a technology help center, a single desk manned by IT troubleshooters next to the shop’s\r\ncashier. And on the afternoon of June 27, 2017, confused Maersk staffers began to gather at that help desk in twos\r\nand threes, almost all of them carrying laptops. On the machines’ screens were messages in red and black\r\nlettering. Some read “repairing file system on C:” with a stark warning not to turn off the computer. Others, more\r\nsurreally, read “oops, your important files are encrypted” and demanded a payment of $300 worth of bitcoin to\r\ndecrypt them.\r\nhttps://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/\r\nPage 1 of 14\n\nAcross the street, an IT administrator named Henrik Jensen was working in another part of the Maersk compound,\r\nan ornate white-stone building that in previous centuries had served as the royal archive of maritime maps and\r\ncharts. (Henrik Jensen is not his real name. 
Like almost every Maersk employee, customer, or partner I\r\ninterviewed, Jensen feared the consequences of speaking publicly for this story.) Jensen was busy preparing a\r\nsoftware update for Maersk’s nearly 80,000 employees when his computer spontaneously restarted.\r\nHe quietly swore under his breath. Jensen assumed the unplanned reboot was a typically brusque move by\r\nMaersk’s central IT department, a little-loved entity in England that oversaw most of the corporate empire, whose\r\neight business units ranged from ports to logistics to oil drilling, in 574 offices in 130 countries around the globe.\r\nJensen looked up to ask if anyone else in his open-plan office of IT staffers had been so rudely interrupted. And as\r\nhe craned his head, he watched every other computer screen around the room blink out in rapid succession.\r\n“I saw a wave of screens turning black. Black, black, black. Black black black black black,” he says. The PCs,\r\nJensen and his neighbors quickly discovered, were irreversibly locked. Restarting only returned them to the same\r\nblack screen.\r\nAll across Maersk headquarters, the full scale of the crisis was starting to become clear. Within half an hour,\r\nMaersk employees were running down hallways, yelling to their colleagues to turn off computers or disconnect\r\nthem from Maersk’s network before the malicious software could infect them, as it dawned on them that every\r\nminute could mean dozens or hundreds more corrupted PCs. Tech workers ran into conference rooms and\r\nunplugged machines in the middle of meetings. Soon staffers were hurdling over locked key-card gates, which had\r\nbeen paralyzed by the still-mysterious malware, to spread the warning to other sections of the building.\r\nDisconnecting Maersk’s entire global network took the company’s IT staff more than two panicky hours. 
By the\r\nend of that process, every employee had been ordered to turn off their computer and leave it at their desk. The\r\ndigital phones at every cubicle, too, had been rendered useless in the emergency network shutdown.\r\nAround 3 pm, a Maersk executive walked into the room where Jensen and a dozen or so of his colleagues were\r\nanxiously awaiting news and told them to go home. Maersk’s network was so deeply corrupted that even IT\r\nstaffers were helpless. A few of the company’s more old-school managers told their teams to remain at the office.\r\nBut many employees—rendered entirely idle without computers, servers, routers, or desk phones—simply left.\r\nJensen walked out of the building and into the warm air of a late June afternoon. Like the vast majority of Maersk\r\nstaffers, he had no idea when he might return to work. The maritime giant that employed him, responsible for 76\r\nports on all sides of the earth and nearly 800 seafaring vessels, including container ships carrying tens of millions\r\nof tons of cargo, representing close to a fifth of the entire world’s shipping capacity, was dead in the water.\r\nOn the edge of the trendy Podil neighborhood in the Ukrainian capital of Kiev, coffee shops and parks abruptly\r\nevaporate, replaced by a grim industrial landscape. Under a highway overpass, across some trash-strewn railroad\r\ntracks, and through a concrete gate stands the four-story headquarters of Linkos Group, a small, family-run\r\nUkrainian software business.\r\nUp three flights of stairs in that building is a server room, where a rack of\r\npizza-box-sized computers is connected\r\nby a tangle of wires and marked with handwritten, numbered labels. 
On a normal day, these servers push out\r\nroutine updates—bug fixes, security patches, new features—to a piece of accounting software called M.E.Doc,\r\nwhich is more or less Ukraine’s equivalent of TurboTax or Quicken. It’s used by nearly anyone who files taxes or\r\ndoes business in the country.\r\nBut for a moment in 2017, those machines served as ground zero for the most devastating cyberattack since the\r\ninvention of the internet—an attack that began, at least, as an assault on one nation by another.\r\nFor the past four and a half years, Ukraine has been locked in a grinding, undeclared war with Russia that has\r\nkilled more than 10,000 Ukrainians and displaced millions more. The conflict has also seen Ukraine become a\r\nscorched-earth testing ground for Russian cyberwar tactics. In 2015 and 2016, while the Kremlin-linked hackers\r\nknown as Fancy Bear were busy breaking into the US Democratic National Committee’s servers, another group of\r\nagents known as Sandworm was hacking into dozens of Ukrainian governmental organizations and companies.\r\nThey penetrated the networks of victims ranging from media outlets to railway firms, detonating logic bombs that\r\ndestroyed terabytes of data. The attacks followed a sadistic seasonal cadence. In the winters of both years, the\r\nsaboteurs capped off their destructive sprees by causing widespread power outages—the first confirmed blackouts\r\ninduced by hackers.\r\nBut those attacks still weren’t Sandworm’s grand finale. In the spring of 2017, unbeknownst to anyone at Linkos\r\nGroup, Russian military hackers hijacked the company’s update servers to allow them a hidden back door into the\r\nthousands of PCs around the country and the world that have M.E.Doc installed. Then, in June 2017, the saboteurs\r\nused that back door to release a piece of malware called NotPetya, their most vicious cyberweapon yet.\r\nThe code that the hackers pushed out was honed to spread automatically, rapidly, and indiscriminately. 
“To date, it\r\nwas simply the fastest-propagating piece of malware we’ve ever seen,” says Craig Williams, director of outreach\r\nat Cisco’s Talos division, one of the first security companies to reverse engineer and analyze NotPetya. “By the\r\nsecond you saw it, your data center was already gone.”\r\nNotPetya was propelled by two powerful hacker exploits working in tandem: One was a penetration tool known as\r\nEternalBlue, created by the US National Security Agency but leaked in a disastrous breach of the agency’s\r\nultrasecret files earlier in 2017. EternalBlue takes advantage of a vulnerability in a particular Windows protocol,\r\nallowing hackers free rein to remotely run their own code on any unpatched machine.\r\nNotPetya’s architects combined that digital skeleton key with an older invention known as Mimikatz, created as a\r\nproof of concept by French security researcher Benjamin Delpy in 2011. Delpy had originally released Mimikatz\r\nto demonstrate that Windows left users’ passwords lingering in computers’ memory. Once hackers gained initial\r\naccess to a computer, Mimikatz could pull those passwords out of RAM and use them to hack into other machines\r\naccessible with the same credentials. On networks with multiuser computers, it could even allow an automated\r\nattack to hopscotch from one machine to the next.\r\nBefore NotPetya’s launch, Microsoft had released a patch for its EternalBlue vulnerability. But EternalBlue and\r\nMimikatz together nonetheless made a virulent combination. “You can infect computers that aren’t patched, and\r\nthen you can grab the passwords from those computers to infect other computers that are patched,” Delpy says.\r\nNotPetya took its name from its resemblance to the ransomware Petya, a piece of criminal code that surfaced in\r\nearly 2016 and extorted victims to pay for a key to unlock their files. 
But NotPetya’s ransom messages were only\r\na ruse: The malware’s goal was purely destructive. It irreversibly encrypted computers’ master boot records, the\r\ndeep-seated part of a machine that tells it where to find its own operating system. Any ransom payment that\r\nvictims tried to make was futile. No key even existed to reorder the scrambled noise of their computer’s contents.\r\nThe release of NotPetya was an act of cyberwar by almost any definition—one that was likely more explosive\r\nthan even its creators intended. Within hours of its first appearance, the worm raced beyond Ukraine and out to\r\ncountless machines around the world, from hospitals in Pennsylvania to a chocolate factory in Tasmania. It\r\ncrippled multinational companies including Maersk, pharmaceutical giant Merck, FedEx’s European subsidiary\r\nTNT Express, French construction company Saint-Gobain, food producer Mondelēz, and manufacturer Reckitt\r\nBenckiser. In each case, it inflicted nine-figure costs. It even spread back to Russia, striking the state oil company\r\nRosneft.\r\nThe result was more than $10 billion in total damages, according to a White House assessment confirmed to\r\nWIRED by former Homeland Security adviser Tom Bossert, who at the time of the attack was President Trump’s\r\nmost senior cybersecurity-focused official. Bossert and US intelligence agencies also confirmed in February that\r\nRussia’s military—the prime suspect in any cyberwar attack targeting Ukraine—was responsible for launching the\r\nmalicious code. (The Russian foreign ministry declined to answer repeated requests for comment.)\r\nTo get a sense of the scale of NotPetya’s damage, consider the nightmarish but more typical ransomware attack\r\nthat paralyzed the city government of Atlanta this past March: It cost up to $10 million, a tenth of a percent of\r\nNotPetya’s price. 
Even WannaCry, the more notorious worm that spread a month before NotPetya in May 2017, is\r\nestimated to have cost between $4 billion and $8 billion. Nothing since has come close. “While there was no loss\r\nof life, it was the equivalent of using a nuclear bomb to achieve a small tactical victory,” Bossert says. “That’s a\r\ndegree of recklessness we can’t tolerate on the world stage.”\r\nIn the year since NotPetya shook the world, WIRED has delved into the experience of one corporate goliath\r\nbrought to its knees by Russia’s worm: Maersk, whose malware fiasco uniquely demonstrates the danger that\r\ncyberwar now poses to the infrastructure of the modern world. The executives of the shipping behemoth, like\r\nevery other non-Ukrainian victim WIRED approached to speak about NotPetya, declined to comment in any\r\nofficial capacity for this story. WIRED’s account is instead assembled from current and former Maersk sources,\r\nmany of whom chose to remain anonymous.\r\nBut the story of NotPetya isn’t truly about Maersk, or even about Ukraine. It’s the story of a nation-state’s weapon\r\nof war released in a medium where national borders have no meaning, and where collateral damage travels via a\r\ncruel and unexpected logic: Where an attack aimed at Ukraine strikes Maersk, and an attack on Maersk strikes\r\neverywhere at once.\r\nOleksii Yasinsky expected a calm Tuesday at the office. It was the day before Ukraine’s Constitution Day, a\r\nnational holiday, and most of his coworkers were either planning their vacations or already taking them. But not\r\nYasinsky. For the past year he’d been the head of the cyber lab at Information Systems Security Partners, a\r\ncompany that was quickly becoming the go-to firm for victims of Ukraine’s cyberwar. That job description didn’t\r\nlend itself to downtime. 
Since the first blows of Russia’s cyberattacks hit in late 2015, in fact, he’d allowed\r\nhimself a grand total of one week off.\r\nSo Yasinsky was unperturbed when he received a call that morning from ISSP’s director telling him that\r\nOschadbank, the second-largest bank in Ukraine, was under attack. The bank had told ISSP that it was facing a\r\nransomware infection, an increasingly common crisis for companies around the world targeted by profit-focused\r\ncybercriminals. But when Yasinsky walked into Oschadbank’s IT department at its central Kiev office half an hour\r\nlater, he could tell this was something new. “The staff were lost, confused, in a state of shock,” Yasinsky says.\r\nAround 90 percent of the bank’s thousands of computers were locked, showing NotPetya’s “repairing disk”\r\nmessages and ransom screens.\r\nAfter a quick examination of the bank’s surviving logs, Yasinsky could see that the attack was an automated worm\r\nthat had somehow obtained an administrator’s credentials. That had allowed it to rampage through the bank’s\r\nnetwork like a prison inmate who has stolen the warden’s keys.\r\nAs he analyzed the bank’s breach back in ISSP’s office, Yasinsky started receiving calls and messages from people\r\naround Ukraine, telling him of similar instances in other companies and government agencies. One told him that\r\nanother victim had attempted to pay the ransom. As Yasinsky suspected, the payment had no effect. This was no\r\nordinary ransomware. “There was no silver bullet for this, no antidote,” he says.\r\nA thousand miles to the south, ISSP CEO Roman Sologub was attempting to take a Constitution Day vacation on\r\nthe southern coast of Turkey, preparing to head to the beach with his family. 
His phone, too, began to explode with\r\ncalls from ISSP clients who were either watching NotPetya tear across their networks or reading news of the\r\nattack and frantically seeking advice.\r\nSologub retreated to his hotel, where he’d spend the rest of the day fielding more than 50 calls from customers\r\nreporting, one after another after another, that their networks had been infected. ISSP’s security operations center,\r\nwhich monitored the networks of clients in real time, warned Sologub that NotPetya was saturating victims’\r\nsystems with terrifying speed: It took 45 seconds to bring down the network of a large Ukrainian bank. A portion\r\nof one major Ukrainian transit hub, where ISSP had installed its equipment as a demonstration, was fully infected\r\nin 16 seconds. Ukrenergo, the energy company whose network ISSP had been helping to rebuild after the 2016\r\nblackout cyberattack, had also been struck yet again. “Do you remember we were about to implement new\r\nsecurity controls?” Sologub recalls a frustrated Ukrenergo IT director asking him on the phone. “Well, too late.”\r\nBy noon, ISSP’s founder, a serial entrepreneur named Oleh Derevianko, had sidelined his vacation too.\r\nDerevianko was driving north to meet his family at his village house for the holiday when the NotPetya calls\r\nbegan. Soon he had pulled off the highway and was working from a roadside restaurant. By the early afternoon, he\r\nwas warning every executive who called to unplug their networks without hesitation, even if it meant shutting\r\ndown their entire company. In many cases, they’d already waited too long. “By the time you reached them, the\r\ninfrastructure was already lost,” Derevianko says.\r\nOn a national scale, NotPetya was eating Ukraine’s computers alive. 
It would hit at least four hospitals in Kiev\r\nalone, six power companies, two airports, more than 22 Ukrainian banks, ATMs and card payment systems in\r\nretailers and transport, and practically every federal agency. “The government was dead,” summarizes Ukrainian\r\nminister of infrastructure Volodymyr Omelyan. According to ISSP, at least 300 companies were hit, and one senior\r\nUkrainian government official estimated that 10 percent of all computers in the country were wiped. The attack\r\neven shut down the computers used by scientists at the Chernobyl cleanup site, 60 miles north of Kiev. “It was a\r\nmassive bombing of all our systems,” Omelyan says.\r\nWhen Derevianko emerged from the restaurant in the early evening, he stopped to refuel his car and found that the\r\ngas station’s credit card payment system had been taken out by NotPetya too. With no cash in his pockets, he eyed\r\nhis gas gauge, wondering if he had enough fuel to reach his village. Across the country, Ukrainians were asking\r\nthemselves similar questions: whether they had enough money for groceries and gas to last through the blitz,\r\nwhether they would receive their paychecks and pensions, whether their prescriptions would be filled. By that\r\nnight, as the outside world was still debating whether NotPetya was criminal ransomware or a weapon of state-sponsored cyberwar, ISSP’s staff had already started referring to it as a new kind of phenomenon: a “massive,\r\ncoordinated cyber invasion.”\r\nAmid that epidemic, one single infection would become particularly fateful for Maersk: In an office in Odessa, a\r\nport city on Ukraine’s Black Sea coast, a finance executive for Maersk’s Ukraine operation had asked IT\r\nadministrators to install the accounting software M.E.Doc on a single computer. 
That gave NotPetya the only\r\nfoothold it needed.\r\nThe shipping terminal in Elizabeth, New Jersey—one of the 76 that make up the port-operations division of\r\nMaersk known as APM Terminals—sprawls out into Newark Bay on a man-made peninsula covering a full square\r\nmile. Tens of thousands of stacked, perfectly modular shipping containers cover its vast asphalt landscape, and\r\n200-foot-high blue cranes loom over the bay. From the top floors of lower Manhattan’s skyscrapers, five miles\r\naway, they look like brachiosaurs gathered at a Jurassic-era watering hole.\r\nOn a good day, about 3,000 trucks arrive at the terminal, each assigned to pick up or drop off tens of thousands of\r\npounds of everything from diapers to avocados to tractor parts. They start that process, much like airline\r\npassengers, by checking in at the terminal’s gate, where scanners automatically read their container’s barcodes and\r\na Maersk gate clerk talks to the truck driver via a speaker system. The driver receives a printed pass that tells them\r\nwhere to park so that a massive yard crane can haul their container from the truck’s chassis to a stack in the cargo\r\nyard, where it’s loaded onto a container ship and floated across an ocean—or that entire process in reverse order.\r\nOn the morning of June 27, Pablo Fernández was expecting dozens of trucks’ worth of cargo to be shipped out\r\nfrom Elizabeth to a port in the Middle East. Fernández is a so-called freight forwarder—a middleman whom cargo\r\nowners pay to make sure their property arrives safely at a destination halfway around the world. (Fernández is not\r\nhis real name.)\r\nAt around 9 am New Jersey time, Fernández’s phone started buzzing with a succession of screaming calls from\r\nangry cargo owners. All of them had just heard from truck drivers that their vehicles were stuck outside Maersk’s\r\nElizabeth terminal. “People were jumping up and down,” Fernández says. 
“They couldn’t get their containers in\r\nand out of the gate.”\r\nThat gate, a choke point to Maersk’s entire New Jersey terminal operation, was dead. The gate clerks had gone\r\nsilent.\r\nSoon, hundreds of 18-wheelers were backed up in a line that stretched for miles outside the terminal. One\r\nemployee at another company’s nearby terminal at the same New Jersey port watched the trucks collect, bumper\r\nto bumper, farther than he could see. He’d seen gate systems go down for stretches of 15 minutes or half an hour\r\nbefore. But after a few hours, still with no word from Maersk, the Port Authority put out an alert that the\r\ncompany’s Elizabeth terminal would be closed for the rest of the day. “That’s when we started to realize,” the\r\nnearby terminal’s staffer remembers, “this was an attack.” Police began to approach drivers in their cabs, telling\r\nthem to turn their massive loads around and clear out.\r\nFernández and countless other frantic Maersk customers faced a set of bleak options: They could try to get their\r\nprecious cargo onto other ships at premium, last-minute rates, often traveling the equivalent of standby. Or, if their\r\ncargo was part of a tight supply chain, like components for a factory, Maersk’s outage could mean shelling out for\r\nexorbitant air freight delivery or risk stalling manufacturing processes, where a single day of downtime costs\r\nhundreds of thousands of dollars. Many of the containers, known as reefers, were electrified and full of perishable\r\ngoods that required refrigeration. They’d have to be plugged in somewhere or their contents would rot.\r\nFernández had to scramble to find a New Jersey warehouse where he could stash his customers’ cargo while he\r\nwaited for word from Maersk. 
During the entire first day, he says, he received only one official email, which read\r\nlike “gibberish,” from a frazzled Maersk staffer’s Gmail account, offering no real explanation of the mounting\r\ncrisis. The company’s central booking website, Maerskline.com, was down, and no one at the company was\r\npicking up their phones. Some of the containers he’d sent on Maersk’s ships that day would remain lost in cargo\r\nyards and ports around the world for the next three months. “Maersk was like a black hole,” Fernández remembers\r\nwith a sigh. “It was just a clusterfuck.”\r\nIn fact, it was a clusterfuck of clusterfucks. The same scene was playing out at 17 of Maersk’s 76 terminals, from\r\nLos Angeles to Algeciras, Spain, to Rotterdam in the Netherlands, to Mumbai. Gates were down. Cranes were\r\nfrozen. Tens of thousands of trucks would be turned away from comatose terminals across the globe.\r\nNo new bookings could be made, essentially cutting off Maersk’s core source of shipping revenue. The computers\r\non Maersk’s ships weren’t infected. But the terminals’ software, designed to receive the Electronic Data\r\nInterchange files from those ships, which tell terminal operators the exact contents of their massive cargo holds,\r\nhad been entirely wiped away. That left Maersk’s ports with no guide to perform the colossal Jenga game of\r\nloading and unloading their towering piles of containers.\r\nFor days to come, one of the world’s most complex and interconnected distributed machines, underpinning the\r\ncirculatory system of the global economy itself, would remain broken. “It was clear this problem was of a\r\nmagnitude never seen before in global transport,” one Maersk customer remembers. 
“In the history of shipping IT,\r\nno one has ever gone through such a monumental crisis.”\r\nSeveral days after his screen had gone dark in a corner of Maersk’s office, Henrik Jensen was at home in his\r\nCopenhagen apartment, enjoying a brunch of poached eggs, toast, and marmalade. Since he’d walked out of the\r\noffice the Tuesday before, he hadn’t heard a word from any of his superiors. Then his phone rang.\r\nWhen he answered, he found himself on a conference call with three Maersk staffers. He was needed, they said, at\r\nMaersk’s office in Maidenhead, England, a town west of London where the conglomerate’s IT overlords, Maersk\r\nGroup Infrastructure Services, were based. They told him to drop everything and go there. Immediately.\r\nTwo hours later, Jensen was on a plane to London, then in a car to an eight-story glass-and-brick building in\r\ncentral Maidenhead. When he arrived, he found that the fourth and fifth floors of the building had been converted\r\ninto a 24/7 emergency operations center. Its singular purpose: to rebuild Maersk’s global network in the wake of\r\nits NotPetya meltdown.\r\nSome Maersk staffers, Jensen learned, had been in the recovery center since Tuesday, when NotPetya first struck.\r\nSome had been sleeping in the office, under their desks or in corners of conference rooms. Others seemed to be\r\narriving every minute from other parts of the world, luggage in hand. Maersk had booked practically every hotel\r\nroom within tens of miles, every bed-and-breakfast, every spare room above a pub. Staffers were subsisting on\r\nsnacks that someone had piled up in the office kitchen after a trip to a nearby Sainsbury’s grocery store.\r\nThe Maidenhead recovery center was being managed by the consultancy Deloitte. 
Maersk had essentially given\r\nthe UK firm a blank check to make its NotPetya problem go away, and at any given time as many as 200 Deloitte\r\nstaffers were stationed in the Maidenhead office, alongside up to 400 Maersk personnel. All computer equipment\r\nused by Maersk from before NotPetya’s outbreak had been confiscated, for fear that it might infect new systems,\r\nand signs were posted threatening disciplinary action against anyone who used it. Instead, staffers had gone into\r\nevery available electronics store in Maidenhead and bought up piles of new laptops and prepaid Wi-Fi hot spots.\r\nJensen, like hundreds of other Maersk IT staffers, was given one of those fresh laptops and told to do his job. “It\r\nwas very much just ‘Find your corner, get to work, do whatever needs to be done,’ ” he says.\r\nEarly in the operation, the IT staffers rebuilding Maersk’s network came to a sickening realization. They had\r\nlocated backups of almost all of Maersk’s individual servers, dating from between three and seven days prior to\r\nNotPetya’s onset. But no one could find a backup for one crucial layer of the company’s network: its domain\r\ncontrollers, the servers that function as a detailed map of Maersk’s network and set the basic rules that determine\r\nwhich users are allowed access to which systems.\r\nMaersk’s 150 or so domain controllers were programmed to sync their data with one another, so that, in theory,\r\nany of them could function as a backup for all the others. But that decentralized backup strategy hadn’t accounted\r\nfor one scenario: where every domain controller is wiped simultaneously. 
“If we can’t recover our domain\r\ncontrollers,” a Maersk IT staffer remembers thinking, “we can’t recover anything.”\r\nAfter a frantic search that entailed calling hundreds of IT admins in data centers around the world, Maersk’s\r\ndesperate administrators finally found one lone surviving domain controller in a remote office—in Ghana. At\r\nsome point before NotPetya struck, a blackout had knocked the Ghanaian machine offline, and the computer\r\nremained disconnected from the network. It thus contained the singular known copy of the company’s domain\r\ncontroller data left untouched by the malware—all thanks to a power outage. “There were a lot of joyous whoops\r\nin the office when we found it,” a Maersk administrator says.\r\nWhen the tense engineers in Maidenhead set up a connection to the Ghana office, however, they found its\r\nbandwidth was so thin that it would take days to transmit the several-hundred-gigabyte domain controller backup\r\nto the UK. Their next idea: put a Ghanaian staffer on the next plane to London. But none of the West African\r\noffice’s employees had a British visa.\r\nSo the Maidenhead operation arranged for a kind of relay race: One staffer from the Ghana office flew to Nigeria\r\nto meet another Maersk employee in the airport to hand off the very precious hard drive. That staffer then boarded\r\nthe six-and-a-half-hour flight to Heathrow, carrying the keystone of Maersk’s entire recovery process.\r\nWith that rescue operation completed, the Maidenhead office could begin bringing Maersk’s core services back\r\nonline. 
After the first days, Maersk’s port operations had regained the ability to read the ships’ inventory files, so\r\noperators were no longer blind to the contents of the hulking, 18,000-container vessels arriving in their harbors.\r\nBut several days would pass after the initial outage before Maersk started taking orders through Maerskline.com\r\nfor new shipments, and it would be more than a week before terminals around the world started functioning with\r\nany degree of normalcy.\r\nIn the meantime, Maersk staffers worked with whatever tools were still available to them. They taped paper\r\ndocuments to shipping containers at APM ports and took orders via personal Gmail accounts, WhatsApp, and\r\nExcel spreadsheets. “I can tell you it’s a fairly bizarre experience to find yourself booking 500 shipping containers\r\nvia WhatsApp, but that’s what we did,” one Maersk customer says.\r\nAbout two weeks after the attack, Maersk’s network had finally reached a point where the company could begin\r\nreissuing personal computers to the majority of staff. Back at the Copenhagen headquarters, a cafeteria in the\r\nbasement of the building was turned into a reinstallation assembly line. Computers were lined up 20 at a time on\r\ndining tables as help desk staff walked down the rows, inserting USB drives they’d copied by the dozens, clicking\r\nthrough prompts for hours.\r\nA few days after his return from Maidenhead, Henrik Jensen found his laptop in an alphabetized pile of hundreds,\r\nits hard drive wiped, a clean image of Windows installed. 
Everything that he and every other Maersk employee\r\nhad stored locally on their machines, from notes to contacts to family photos, was gone.\r\nFive months after Maersk had recovered from its NotPetya attack, Maersk chair Jim Hagemann Snabe sat onstage\r\nat the World Economic Forum meeting in Davos, Switzerland, and lauded the “heroic effort” that went into the\r\ncompany’s IT rescue operation. From June 27, when he was first awakened by a 4 am phone call in California,\r\nahead of a planned appearance at a Stanford conference, he said, it took just 10 days for the company to rebuild its\r\nentire network of 4,000 servers and 45,000 PCs. (Full recovery had taken far longer: Some staffers at the\r\nMaidenhead operation continued to work day and night for close to two months to rebuild Maersk’s software\r\nsetup.) “We overcame the problem with human resilience,” Snabe told the crowd.\r\nSince then, Snabe went on, Maersk has worked not only to improve its cybersecurity but also to make it a\r\n“competitive advantage.” Indeed, in the wake of NotPetya, IT staffers say that practically every security feature\r\nthey’ve asked for has been almost immediately approved. Multifactor authentication has been rolled out across the\r\ncompany, along with a long-delayed upgrade to Windows 10.\r\nSnabe, however, didn’t say much about the company’s security posture pre-NotPetya. Maersk security staffers tell\r\nWIRED that some of the corporation’s servers were, up until the attack, still running Windows 2000—an\r\noperating system so old Microsoft no longer supported it. In 2016, one group of IT executives had pushed for a\r\npreemptive security redesign of Maersk’s entire global network. They called attention to Maersk’s less-than-perfect software patching, outdated operating systems, and above all insufficient network segmentation. 
That last\r\nvulnerability in particular, they warned, could allow malware with access to one part of the network to spread\r\nwildly beyond its initial foothold, exactly as NotPetya would the next year.\r\nThe security revamp was green-lit and budgeted. But its success was never made a so-called key performance\r\nindicator for Maersk’s most senior IT overseers, so implementing it wouldn’t contribute to their bonuses. They\r\nnever carried the security makeover forward.\r\nFew firms have paid more dearly for dragging their feet on security. In his Davos talk, Snabe claimed that the\r\ncompany suffered only a 20 percent reduction in total shipping volume during its NotPetya outage, thanks to its\r\nquick efforts and manual workarounds. But aside from the company’s lost business and downtime, as well as the\r\ncost of rebuilding an entire network, Maersk also reimbursed many of its customers for the expense of rerouting or\r\nstoring their marooned cargo. One Maersk customer described receiving a seven-figure check from the company\r\nto cover the cost of sending his cargo via last-minute chartered jet. “They paid me a cool million with no more\r\nthan a two-minute discussion,” he says.\r\nAll told, Snabe estimated in his Davos comments, NotPetya cost Maersk between $250 million and $300 million.\r\nMost of the staffers WIRED spoke with privately suspected the company’s accountants had low-balled the figure.\r\nRegardless, those numbers only start to describe the magnitude of the damage. Logistics companies whose\r\nlivelihoods depend on Maersk-owned terminals weren’t all treated as well during the outage as Maersk’s\r\ncustomers, for instance. Jeffrey Bader, president of a Port Newark–based trucking group, the Association of Bi-State Motor Carriers, estimates that the unreimbursed cost for trucking companies and truckers alone is in the tens\r\nof millions. 
“It was a nightmare,” Bader says. “We lost a lot of money, and we’re angry.”\r\nThe wider cost of Maersk’s disruption to the global supply chain as a whole—which depends on just-in-time\r\ndelivery of products and manufacturing components—is far harder to measure. And, of course, Maersk was only\r\none victim. Merck, whose ability to manufacture some drugs was temporarily shut down by NotPetya, told\r\nshareholders it lost a staggering $870 million due to the malware. FedEx, whose European subsidiary TNT\r\nExpress was crippled in the attack and required months to recover some data, took a $400 million blow. French\r\nconstruction giant Saint-Gobain lost around the same amount. Reckitt Benckiser, the British manufacturer of\r\nDurex condoms, lost $129 million, and Mondelēz, the owner of chocolate-maker Cadbury, took a $188 million hit.\r\nUntold numbers of victims without public shareholders counted their losses in secret.\r\nOnly when you start to multiply Maersk’s story—imagining the same paralysis, the same serial crises, the same\r\ngrueling recovery—playing out across dozens of other NotPetya victims and countless other industries does the\r\ntrue scale of Russia’s cyberwar crime begin to come into focus.\r\n“This was a very significant wake-up call,” Snabe said at his Davos panel. Then he added, with a Scandinavian\r\ntouch of understatement, “You could say, a very expensive one.”\r\nOne week after NotPetya’s outbreak, Ukrainian police dressed in full SWAT camo gear and armed with assault\r\nrifles poured out of vans and into the modest headquarters of Linkos Group, running up the stairs like SEAL Team\r\nSix invading the bin Laden compound.\r\nThey pointed rifles at perplexed employees and lined them up in the hallway, according to the company’s founder,\r\nOlesya Linnyk. On the second floor, next to her office, the armored cops even smashed open the door to one room\r\nwith a metal baton, in spite of Linnyk’s offer of a key to unlock it. 
“It was an absurd situation,” Linnyk says after a\r\ndeep breath of exasperation.\r\nThe militarized police squad finally found what it was looking for: the rack of servers that had played the role of\r\npatient zero in the NotPetya plague. They confiscated the offending machines and put them in plastic bags.\r\nEven now, more than a year after the attack’s calamitous spread, cybersecurity experts still argue over the\r\nmysteries of NotPetya. What were the hackers’ true intentions? The Kiev staff of security firm ISSP, including\r\nOleh Derevianko and Oleksii Yasinsky, maintain that the attack was intended not merely for destruction but as a\r\ncleanup effort. After all, the hackers who launched it first had months of unfettered access to victims’ networks.\r\nOn top of the panic and disruption it caused, NotPetya may have also wiped away evidence of espionage or even\r\nreconnaissance for future sabotage. Just in May, the US Justice Department and Ukrainian security services\r\nannounced that they’d disrupted a Russian operation that had infected half a million internet routers—mostly in\r\nUkraine—with a new form of destructive malware.\r\nWhile many in the security community still see NotPetya’s international victims as collateral damage, Cisco’s\r\nCraig Williams argues that Russia knew full well the extent of the pain the worm would inflict internationally.\r\nThat fallout, he argues, was meant to explicitly punish anyone who would dare even to maintain an office inside\r\nthe borders of Russia’s enemy. “Anyone who thinks this was accidental is engaged in wishful thinking,” Williams\r\nsays. 
“This was a piece of malware designed to send a political message: If you do business in Ukraine, bad things\r\nare going to happen to you.”\r\nAlmost everyone who has studied NotPetya, however, agrees on one point: that it could happen again or even\r\nreoccur on a larger scale. Global corporations are simply too interconnected, information security too complex,\r\nattack surfaces too broad to protect against state-trained hackers bent on releasing the next world-shaking worm.\r\nRussia, meanwhile, hardly seems to have been chastened by the US government’s sanctions for NotPetya, which\r\narrived a full eight months after the worm hit and whose punishments were muddled with other messages\r\nchastising Russia for everything from 2016 election disinformation to hacker probes of the US power grid. “The\r\nlack of a proper response has been almost an invitation to escalate more,” says Thomas Rid, a political science\r\nprofessor at Johns Hopkins’ School of Advanced International Studies.\r\nBut the most enduring object lesson of NotPetya may simply be the strange, extradimensional landscape of\r\ncyberwar’s battlefield. This is the confounding geography of cyberwarfare: In ways that still defy human intuition,\r\nphantoms inside M.E.Doc’s server room in a gritty corner of Kiev spread chaos into the gilded conference rooms\r\nof the capital’s federal agencies, into ports dotting the globe, into the stately headquarters of Maersk on the\r\nCopenhagen harbor, and across the global economy. “Somehow the vulnerability of this Ukrainian accounting\r\nsoftware affects the US national security supply of vaccines and global shipping?” asks Joshua Corman, a\r\ncybersecurity fellow at the Atlantic Council, as if still puzzling out the shape of the wormhole that made that\r\ncause-and-effect possible. “The physics of cyberspace are wholly different from every other war domain.”\r\nIn those physics, NotPetya reminds us, distance is no defense. 
Every barbarian is already at every gate. And the\r\nnetwork of entanglements in that ether, which have unified and elevated the world for the past 25 years, can, over\r\na few hours on a summer day, bring it to a crashing halt.\r\nAndy Greenberg (@a_greenberg) is a WIRED senior writer. This story is excerpted from his book Sandworm,\r\nforthcoming from Doubleday.\r\nThis article appears in the September issue.\r\nSource: https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/"
	],
	"report_names": [
		"notpetya-cyberattack-ukraine-russia-code-crashed-the-world"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434551,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/02565c1f41dbf19f8318baa6181f1407ca487d3c.pdf",
		"text": "https://archive.orkl.eu/02565c1f41dbf19f8318baa6181f1407ca487d3c.txt",
		"img": "https://archive.orkl.eu/02565c1f41dbf19f8318baa6181f1407ca487d3c.jpg"
	}
}