{"id":13167,"date":"2018-08-22T10:45:13","date_gmt":"2018-08-22T18:45:13","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/08\/22\/news-6934\/"},"modified":"2018-08-22T10:45:13","modified_gmt":"2018-08-22T18:45:13","slug":"news-6934","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/08\/22\/news-6934\/","title":{"rendered":"The Untold Story of NotPetya, the Most Devastating Cyberattack in History"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5b733b9c8a992b7a26e92d78\/master\/pass\/notpetya_opener_1.jpg\"\/><\/p>\n<p><strong>Credit to Author: Andy Greenberg| Date: Wed, 22 Aug 2018 09:00:00 +0000<\/strong><\/p>\n<p><span class=\"lede\">It was a <\/span>perfect sunny summer afternoon in Copenhagen when the world\u2019s largest shipping conglomerate began to lose its mind.<\/p>\n<p>The headquarters of A.P. M\u00f8ller-Maersk sits beside the breezy, cobblestoned esplanade of Copenhagen\u2019s harbor. A ship\u2019s mast carrying the Danish flag is planted by the building\u2019s northeastern corner, and six stories of blue-tinted windows look out over the water, facing a dock where the Danish royal family parks its yacht. In the building\u2019s basement, employees can browse a corporate gift shop, stocked with Maersk-branded bags and ties, and even a rare <a href=\"https:\/\/www.wired.com\/tag\/legos\/\">Lego<\/a> model of the company\u2019s gargantuan Triple-E container ship, a vessel roughly as large as the Empire State Building laid on its side, capable of carrying another Empire State Building\u2013sized load of cargo stacked on top of it.<\/p>\n<p>That gift shop also houses a technology help center, a single desk manned by IT troubleshooters next to the shop\u2019s cashier. And on the afternoon of June 27, 2017, confused Maersk staffers began to gather at that help desk in twos and threes, almost all of them carrying laptops. 
On the machines\u2019 screens were messages in red and black lettering. Some read \u201crepairing file system on C:\u201d with a stark warning not to turn off the computer. Others, more surreally, read \u201coops, your important files are encrypted\u201d and demanded a payment of $300 worth of bitcoin to decrypt them.<\/p>\n<p>Across the street, an IT administrator named Henrik Jensen was working in another part of the Maersk compound, an ornate white-stone building that in previous centuries had served as the royal archive of maritime maps and charts. (Henrik Jensen is not his real name. Like almost every Maersk employee, customer, or partner I interviewed, Jensen feared the consequences of speaking publicly for this story.) Jensen was busy preparing a software update for Maersk\u2019s nearly 80,000 employees when his computer spontaneously restarted.<\/p>\n<p>He quietly swore under his breath. Jensen assumed the unplanned reboot was a typically brusque move by Maersk\u2019s central IT department, a little-loved entity in England that oversaw most of the corporate empire, whose eight business units ranged from ports to logistics to oil drilling, in 574 offices in 130 countries around the globe.<\/p>\n<p>Jensen looked up to ask if anyone else in his open-plan office of IT staffers had been so rudely interrupted. And as he craned his head, he watched every other computer screen around the room blink out in rapid succession.<\/p>\n<p>\u201cI saw a wave of screens turning black. Black, black, black. <em>Black black black black black<\/em>,\u201d he says. The PCs, Jensen and his neighbors quickly discovered, were irreversibly locked. 
Restarting only returned them to the same black screen.<\/p>\n<p name=\"inset-left\" class=\"inset-left-component__el\">Andy Greenberg (<a href=\"https:\/\/twitter.com\/a_greenberg\" target=\"_blank\">@a_greenberg<\/a>) is a WIRED senior writer. This story is excerpted from his book <em><a href=\"https:\/\/www.penguinrandomhouse.com\/books\/597684\/sandworm-by-andy-greenberg\/\" target=\"_blank\">Sandworm<\/a><\/em>, forthcoming from Doubleday.<\/p>\n<p>All across Maersk headquarters, the full scale of the crisis was starting to become clear. Within half an hour, Maersk employees were running down hallways, yelling to their colleagues to turn off computers or disconnect them from Maersk\u2019s network before the malicious software could infect them, as it dawned on them that every minute could mean dozens or hundreds more corrupted PCs. Tech workers ran into conference rooms and unplugged machines in the middle of meetings. Soon staffers were hurdling over locked key-card gates, which had been paralyzed by the still-mysterious <a href=\"https:\/\/www.wired.com\/tag\/malware\/\">malware<\/a>, to spread the warning to other sections of the building.<\/p>\n<p>Disconnecting Maersk\u2019s entire global network took the company\u2019s IT staff more than two panicky hours. By the end of that process, every employee had been ordered to turn off their computer and leave it at their desk. The digital phones at every cubicle, too, had been rendered useless in the emergency network shutdown.<\/p>\n<p>Around 3 pm, a Maersk executive walked into the room where Jensen and a dozen or so of his colleagues were anxiously awaiting news and told them to go home. Maersk\u2019s network was so deeply corrupted that even IT staffers were helpless. A few of the company\u2019s more old-school managers told their teams to remain at the office. 
But many employees\u2014rendered entirely idle without computers, servers, routers, or desk phones\u2014simply left.<\/p>\n<p>Jensen walked out of the building and into the warm air of a late June afternoon. Like the vast majority of Maersk staffers, he had no idea when he might return to work. The maritime giant that employed him, responsible for 76 ports on all sides of the earth and nearly 800 seafaring vessels, including container ships carrying tens of millions of tons of cargo, representing close to a fifth of the entire world\u2019s shipping capacity, was dead in the water.<\/p>\n<p><span class=\"lede\">On the edge <\/span>of the trendy Podil neighborhood in the Ukrainian capital of Kiev, coffee shops and parks abruptly evaporate, replaced by a grim industrial landscape. Under a highway overpass, across some trash-strewn railroad tracks, and through a concrete gate stands the four-story headquarters of Linkos Group, a small, family-run Ukrainian software business.<\/p>\n<p>Up three flights of stairs in that building is a server room, where a rack of pizza-box-sized computers is connected by a tangle of wires and marked with handwritten, numbered labels. On a normal day, these servers push out routine updates\u2014bug fixes, security patches, new features\u2014to a piece of accounting software called M.E.Doc, which is more or less Ukraine\u2019s equivalent of TurboTax or Quicken. It\u2019s used by nearly anyone who files taxes or does business in the country.<\/p>\n<p>But for a moment in 2017, those machines served as ground zero for the most devastating cyberattack since the invention of the internet\u2014an attack that began, at least, as an assault on one nation by another.<\/p>\n<p>For the past four and a half years, Ukraine has been locked in a grinding, undeclared war with Russia that has killed more than 10,000 Ukrainians and displaced millions more. 
The conflict has also seen Ukraine become a <a href=\"https:\/\/www.wired.com\/story\/russian-hackers-attack-ukraine\/\">scorched-earth testing ground<\/a> for Russian cyberwar tactics. In 2015 and 2016, while the Kremlin-linked hackers known as <a href=\"https:\/\/www.wired.com\/story\/mueller-indictment-dnc-hack-russia-fancy-bear\/\">Fancy Bear<\/a> were busy breaking into the US Democratic National Committee\u2019s servers, another group of agents known as <a href=\"https:\/\/www.wired.com\/story\/russian-hacking-teams-infrastructure\/\">Sandworm<\/a> was hacking into dozens of Ukrainian governmental organizations and companies. They penetrated the networks of victims ranging from media outlets to railway firms, detonating logic bombs that destroyed terabytes of data. The attacks followed a sadistic seasonal cadence. In the winters of both years, the saboteurs capped off their destructive sprees by causing widespread power outages\u2014the first confirmed blackouts induced by hackers.<\/p>\n<p>But those attacks still weren\u2019t Sandworm\u2019s grand finale. In the spring of 2017, unbeknownst to anyone at Linkos Group, Russian military hackers hijacked the company\u2019s update servers to allow them a hidden back door into the thousands of PCs around the country and the world that have M.E.Doc installed. 
Then, in June 2017, the saboteurs used that back door to release a piece of malware called <a href=\"https:\/\/www.wired.com\/story\/petya-ransomware-ukraine\/\">NotPetya, their most vicious cyberweapon yet<\/a>.<\/p>\n<p>The code that the hackers pushed out was honed to spread automatically, rapidly, and indiscriminately. \u201cTo date, it was simply the fastest-propagating piece of malware we\u2019ve ever seen,\u201d says Craig Williams, director of outreach at <a href=\"https:\/\/www.wired.com\/tag\/cisco\/\">Cisco<\/a>\u2019s Talos division, one of the first security companies to reverse engineer and analyze NotPetya. \u201cBy the second you saw it, your data center was already gone.\u201d<\/p>\n<p>NotPetya was propelled by two powerful hacker exploits working in tandem: One was a penetration tool known as <a href=\"https:\/\/www.wired.com\/story\/eternalblue-leaked-nsa-spy-tool-hacked-world\/\">EternalBlue<\/a>, created by the US National Security Agency but leaked in a disastrous breach of the agency\u2019s ultrasecret files earlier in 2017. EternalBlue takes advantage of a vulnerability in a particular Windows protocol, allowing hackers free rein to remotely run their own code on any unpatched machine.<\/p>\n<p>NotPetya\u2019s architects combined that digital skeleton key with an older invention known as <a href=\"https:\/\/www.wired.com\/story\/how-mimikatz-became-go-to-hacker-tool\/\">Mimikatz<\/a>, created as a proof of concept by French security researcher Benjamin Delpy in 2011. 
Delpy had originally released Mimikatz to demonstrate that Windows left users\u2019 passwords lingering in computers\u2019 memory. Once hackers gained initial access to a computer, Mimikatz could pull those passwords out of RAM and use them to hack into other machines accessible with the same credentials. On networks with multiuser computers, it could even allow an automated attack to hopscotch from one machine to the next.<\/p>\n<p>Before NotPetya\u2019s launch, Microsoft had released a patch for its EternalBlue vulnerability. But EternalBlue and Mimikatz together nonetheless made a virulent combination. \u201cYou can infect computers that aren\u2019t patched, and then you can grab the passwords from those computers to infect other computers that <em>are<\/em> patched,\u201d Delpy says.<\/p>\n<p>NotPetya took its name from its resemblance to the <a href=\"https:\/\/www.wired.com\/story\/petya-ransomware-outbreak-eternal-blue\/\">ransomware Petya<\/a>, a piece of criminal code that surfaced in early 2016 and extorted victims to pay for a key to unlock their files. But NotPetya\u2019s ransom messages were only a ruse: The malware\u2019s goal was purely destructive. It irreversibly encrypted computers\u2019 master boot records, the deep-seated part of a machine that tells it where to find its own operating system. Any ransom payment that victims tried to make was futile. No key even existed to reorder the scrambled noise of their computer\u2019s contents.<\/p>\n<p>The weapon\u2019s target was Ukraine. But its blast radius was the entire world.<\/p>\n<p>The release of NotPetya was an act of <a href=\"https:\/\/www.wired.com\/tag\/cyberwar\/\">cyberwar<\/a> by almost any definition\u2014one that was likely more explosive than even its creators intended. 
Within hours of its first appearance, the worm raced beyond Ukraine and out to countless machines around the world, from hospitals in Pennsylvania to a chocolate factory in Tasmania. It crippled multinational companies including Maersk, pharmaceutical giant Merck, FedEx\u2019s European subsidiary TNT Express, French construction company Saint-Gobain, food producer Mondel\u0113z, and manufacturer Reckitt Benckiser. In each case, it inflicted nine-figure costs. It even spread back to Russia, striking the state oil company Rosneft.<\/p>\n<p>The result was more than $10 billion in total damages, according to a White House assessment confirmed to WIRED by former Homeland Security adviser <a href=\"https:\/\/www.wired.com\/2017\/02\/tom-bossert-trump-cybersecurity\/\">Tom Bossert<\/a>, who at the time of the attack was President Trump\u2019s most senior cybersecurity-focused official. Bossert and US intelligence agencies also <a href=\"https:\/\/www.wired.com\/story\/white-house-russia-notpetya-attribution\/\">confirmed in February<\/a> that Russia\u2019s military\u2014the prime suspect in any cyberwar attack targeting Ukraine\u2014was responsible for launching the malicious code. (The Russian foreign ministry declined to answer repeated requests for comment.)<\/p>\n<p>To get a sense of the scale of NotPetya\u2019s damage, consider the nightmarish but more typical ransomware attack that paralyzed the city government of Atlanta this past March: It cost up to $10 million, a tenth of a percent of NotPetya\u2019s price. Even <a href=\"https:\/\/www.wired.com\/tag\/wannacry\/\">WannaCry<\/a>, the more notorious worm that spread a month before NotPetya in May 2017, is estimated to have cost between $4 billion and $8 billion. Nothing since has come close. \u201cWhile there was no loss of life, it was the equivalent of using a nuclear bomb to achieve a small tactical victory,\u201d Bossert says. 
\u201cThat\u2019s a degree of recklessness we can\u2019t tolerate on the world stage.\u201d<\/p>\n<p>In the year since NotPetya shook the world, WIRED has delved into the experience of one corporate goliath brought to its knees by Russia\u2019s worm: Maersk, whose malware fiasco uniquely demonstrates the danger that cyberwar now poses to the infrastructure of the modern world. The executives of the shipping behemoth, like every other non-Ukrainian victim WIRED approached to speak about NotPetya, declined to comment in any official capacity for this story. WIRED\u2019s account is instead assembled from current and former Maersk sources, many of whom chose to remain anonymous.<\/p>\n<p>But the story of NotPetya isn\u2019t truly about Maersk, or even about Ukraine. It\u2019s the story of a nation-state\u2019s weapon of war released in a medium where national borders have no meaning, and where collateral damage travels via a cruel and unexpected logic: Where an attack aimed at Ukraine strikes Maersk, and an attack on Maersk strikes everywhere at once.<\/p>\n<p><span class=\"lede\">Oleksii Yasinsky expected <\/span>a calm Tuesday at the office. It was the day before Ukraine\u2019s Constitution Day, a national holiday, and most of his coworkers were either planning their vacations or already taking them. But not Yasinsky. For the past year he\u2019d been the head of the cyber lab at Information Systems Security Partners, a company that was quickly becoming the go-to firm for victims of Ukraine\u2019s cyberwar. That job description didn\u2019t lend itself to downtime. Since the first blows of Russia\u2019s cyberattacks hit in late 2015, in fact, he\u2019d allowed himself a grand total of one week off.<\/p>\n<p>So Yasinsky was unperturbed when he received a call that morning from ISSP\u2019s director telling him that Oschadbank, the second-largest bank in Ukraine, was under attack. 
The bank had told ISSP that it was facing a ransomware infection, an increasingly common crisis for companies around the world targeted by profit-focused cybercriminals. But when Yasinsky walked into Oschadbank\u2019s IT department at its central Kiev office half an hour later, he could tell this was something new. \u201cThe staff were lost, confused, in a state of shock,\u201d Yasinsky says. Around 90 percent of the bank\u2019s thousands of computers were locked, showing NotPetya\u2019s \u201crepairing disk\u201d messages and ransom screens.<\/p>\n<p>After a quick examination of the bank\u2019s surviving logs, Yasinsky could see that the attack was an automated worm that had somehow obtained an administrator\u2019s credentials. That had allowed it to rampage through the bank\u2019s network like a prison inmate who has stolen the warden\u2019s keys.<\/p>\n<p>As he analyzed the bank\u2019s breach back in ISSP\u2019s office, Yasinsky started receiving calls and messages from people around Ukraine, telling him of similar instances in other companies and government agencies. One told him that another victim had attempted to pay the ransom. As Yasinsky suspected, the payment had no effect. This was no ordinary ransomware. \u201cThere was no silver bullet for this, no antidote,\u201d he says.<\/p>\n<p name=\"inset-left\" class=\"inset-left-component__el\">In 2017, the malware NotPetya spread from the servers of an unassuming Ukrainian software firm to some of the largest businesses worldwide, paralyzing their operations. 
The approximate damages reported by some of the worm\u2019s biggest victims (pharmaceutical company Merck; delivery company FedEx, through European subsidiary TNT Express; French construction company Saint-Gobain; Danish shipping company Maersk; snack company Mondel\u0113z, parent company of Nabisco and Cadbury; British manufacturer Reckitt Benckiser, owner of Lysol and Durex condoms) and the total damages as estimated by the White House appeared here in an infographic whose figures are not preserved in this copy.<\/p>\n<p>A thousand miles to the south, ISSP CEO Roman Sologub was attempting to take a Constitution Day vacation on the southern coast of Turkey, preparing to head to the beach with his family. His phone, too, began to explode with calls from ISSP clients who were either watching NotPetya tear across their networks or reading news of the attack and frantically seeking advice.<\/p>\n<p>Sologub retreated to his hotel, where he\u2019d spend the rest of the day fielding more than 50 calls from customers reporting, one after another after another, that their networks had been infected. ISSP\u2019s security operations center, which monitored the networks of clients in real time, warned Sologub that NotPetya was saturating victims\u2019 systems with terrifying speed: It took 45 seconds to bring down the network of a large Ukrainian bank. A portion of one major Ukrainian transit hub, where ISSP had installed its equipment as a demonstration, was fully infected in 16 seconds. 
Ukrenergo, the energy company whose network ISSP had been helping to rebuild after the 2016 blackout cyberattack, had also been struck yet again. \u201cDo you remember we were about to implement new security controls?\u201d Sologub recalls a frustrated Ukrenergo IT director asking him on the phone. \u201cWell, too late.\u201d<\/p>\n<p>By noon, ISSP\u2019s founder, a serial entrepreneur named Oleh Derevianko, had sidelined his vacation too. Derevianko was driving north to meet his family at his village house for the holiday when the NotPetya calls began. Soon he had pulled off the highway and was working from a roadside restaurant. By the early afternoon, he was warning every executive who called to unplug their networks without hesitation, even if it meant shutting down their entire company. In many cases, they\u2019d already waited too long. \u201cBy the time you reached them, the infrastructure was already lost,\u201d Derevianko says.<\/p>\n<p>On a national scale, NotPetya was eating Ukraine\u2019s computers alive. It would hit at least four hospitals in Kiev alone, six power companies, two airports, more than 22 Ukrainian banks, ATMs and card payment systems in retailers and transport, and practically every federal agency. \u201cThe government was dead,\u201d summarizes Ukrainian minister of infrastructure Volodymyr Omelyan. According to ISSP, at least 300 companies were hit, and one senior Ukrainian government official estimated that 10 percent of all computers in the country were wiped. The attack even shut down the computers used by scientists at the Chernobyl cleanup site, 60 miles north of Kiev. \u201cIt was a massive bombing of all our systems,\u201d Omelyan says.<\/p>\n<p>When Derevianko emerged from the restaurant in the early evening, he stopped to refuel his car and found that the gas station\u2019s credit card payment system had been taken out by NotPetya too. 
With no cash in his pockets, he eyed his gas gauge, wondering if he had enough fuel to reach his village. Across the country, Ukrainians were asking themselves similar questions: whether they had enough money for groceries and gas to last through the blitz, whether they would receive their paychecks and pensions, whether their prescriptions would be filled. By that night, as the outside world was still debating whether NotPetya was criminal ransomware or a weapon of state-sponsored cyberwar, ISSP\u2019s staff had already started referring to it as a new kind of phenomenon: a \u201cmassive, coordinated cyber invasion.\u201d<\/p>\n<p>Amid that epidemic, one single infection would become particularly fateful for Maersk: In an office in Odessa, a port city on Ukraine\u2019s Black Sea coast, a finance executive for Maersk\u2019s Ukraine operation had asked IT administrators to install the accounting software M.E.Doc on a single computer. That gave NotPetya the only foothold it needed.<\/p>\n<p><span class=\"lede\">The shipping terminal <\/span>in Elizabeth, New Jersey\u2014one of the 76 that make up the port-operations division of Maersk known as APM Terminals\u2014sprawls out into Newark Bay on a man-made peninsula covering a full square mile. Tens of thousands of stacked, perfectly modular shipping containers cover its vast asphalt landscape, and 200-foot-high blue cranes loom over the bay. From the top floors of lower Manhattan\u2019s skyscrapers, five miles away, they look like brachiosaurs gathered at a Jurassic-era watering hole.<\/p>\n<p>On a good day, about 3,000 trucks arrive at the terminal, each assigned to pick up or drop off tens of thousands of pounds of everything from diapers to avocados to tractor parts. They start that process, much like airline passengers, by checking in at the terminal\u2019s gate, where scanners automatically read their container\u2019s barcodes and a Maersk gate clerk talks to the truck driver via a speaker system. 
The driver receives a printed pass that tells them where to park so that a massive yard crane can haul their container from the truck\u2019s chassis to a stack in the cargo yard, where it\u2019s loaded onto a container ship and floated across an ocean\u2014or that entire process in reverse order.<\/p>\n<p>On the morning of June 27, Pablo Fern\u00e1ndez was expecting dozens of trucks\u2019 worth of cargo to be shipped out from Elizabeth to a port in the Middle East. Fern\u00e1ndez is a so-called freight forwarder\u2014a middleman whom cargo owners pay to make sure their property arrives safely at a destination halfway around the world. (Fern\u00e1ndez is not his real name.)<\/p>\n<p>At around 9 am New Jersey time, Fern\u00e1ndez\u2019s phone started buzzing with a succession of screaming calls from angry cargo owners. All of them had just heard from truck drivers that their vehicles were stuck outside Maersk\u2019s Elizabeth terminal. \u201cPeople were jumping up and down,\u201d Fern\u00e1ndez says. \u201cThey couldn\u2019t get their containers in and out of the gate.\u201d<\/p>\n<p>That gate, a choke point to Maersk\u2019s entire New Jersey terminal operation, was dead. The gate clerks had gone silent.<\/p>\n<p>Soon, hundreds of 18-wheelers were backed up in a line that stretched for miles outside the terminal. One employee at another company\u2019s nearby terminal at the same New Jersey port watched the trucks collect, bumper to bumper, farther than he could see. He\u2019d seen gate systems go down for stretches of 15 minutes or half an hour before. But after a few hours, still with no word from Maersk, the Port Authority put out an alert that the company\u2019s Elizabeth terminal would be closed for the rest of the day. 
\u201cThat\u2019s when we started to realize,\u201d the nearby terminal\u2019s staffer remembers, \u201cthis was an attack.\u201d Police began to approach drivers in their cabs, telling them to turn their massive loads around and clear out.<\/p>\n<p>Fern\u00e1ndez and countless other frantic Maersk customers faced a set of bleak options: They could try to get their precious cargo onto other ships at premium, last-minute rates, often traveling the equivalent of standby. Or, if their cargo was part of a tight supply chain, like components for a factory, Maersk\u2019s outage could mean shelling out for exorbitant air freight delivery or risk stalling manufacturing processes, where a single day of downtime costs hundreds of thousands of dollars. Many of the containers, known as reefers, were electrified and full of perishable goods that required refrigeration. They\u2019d have to be plugged in somewhere or their contents would rot.<\/p>\n<p>Fern\u00e1ndez had to scramble to find a New Jersey warehouse where he could stash his customers\u2019 cargo while he waited for word from Maersk. During the entire first day, he says, he received only one official email, which read like \u201cgibberish,\u201d from a frazzled Maersk staffer\u2019s Gmail account, offering no real explanation of the mounting crisis. The company\u2019s central booking website, Maerskline.com, was down, and no one at the company was picking up their phones. Some of the containers he\u2019d sent on Maersk\u2019s ships that day would remain lost in cargo yards and ports around the world for the next three months. \u201cMaersk was like a black hole,\u201d Fern\u00e1ndez remembers with a sigh. \u201cIt was just a clusterfuck.\u201d<\/p>\n<p>In fact, it was a clusterfuck of clusterfucks. The same scene was playing out at 17 of Maersk\u2019s 76 terminals, from Los Angeles to Algeciras, Spain, to Rotterdam in the Netherlands, to Mumbai. Gates were down. Cranes were frozen. 
Tens of thousands of trucks would be turned away from comatose terminals across the globe.<\/p>\n<p>No new bookings could be made, essentially cutting off Maersk\u2019s core source of shipping revenue. The computers on Maersk\u2019s ships weren\u2019t infected. But the terminals\u2019 software, designed to receive the Electronic Data Interchange files from those ships, which tell terminal operators the exact contents of their massive cargo holds, had been entirely wiped away. That left Maersk\u2019s ports with no guide to perform the colossal Jenga game of loading and unloading their towering piles of containers.<\/p>\n<p>For days to come, one of the world\u2019s most complex and interconnected distributed machines, underpinning the circulatory system of the global economy itself, would remain broken. \u201cIt was clear this problem was of a magnitude never seen before in global transport,\u201d one Maersk customer remembers. \u201cIn the history of shipping IT, no one has ever gone through such a monumental crisis.\u201d<\/p>\n<p><span class=\"lede\">Several days after <\/span>his screen had gone dark in a corner of Maersk\u2019s office, Henrik Jensen was at home in his Copenhagen apartment, enjoying a brunch of poached eggs, toast, and marmalade. Since he\u2019d walked out of the office the Tuesday before, he hadn\u2019t heard a word from any of his superiors. Then his phone rang.<\/p>\n<p>When he answered, he found himself on a conference call with three Maersk staffers. He was needed, they said, at Maersk\u2019s office in Maidenhead, England, a town west of London where the conglomerate\u2019s IT overlords, Maersk Group Infrastructure Services, were based. They told him to drop everything and go there. Immediately.<\/p>\n<p>Two hours later, Jensen was on a plane to London, then in a car to an eight-story glass-and-brick building in central Maidenhead. 
When he arrived, he found that the fourth and fifth floors of the building had been converted into a 24\/7 emergency operations center. Its singular purpose: to rebuild Maersk\u2019s global network in the wake of its NotPetya meltdown.<\/p>\n<p>Some Maersk staffers, Jensen learned, had been in the recovery center since Tuesday, when NotPetya first struck. Some had been sleeping in the office, under their desks or in corners of conference rooms. Others seemed to be arriving every minute from other parts of the world, luggage in hand. Maersk had booked practically every hotel room within tens of miles, every bed-and-breakfast, every spare room above a pub. Staffers were subsisting on snacks that someone had piled up in the office kitchen after a trip to a nearby Sainsbury\u2019s grocery store.<\/p>\n<p>The Maidenhead recovery center was being managed by the consultancy Deloitte. Maersk had essentially given the UK firm a blank check to make its NotPetya problem go away, and at any given time as many as 200 Deloitte staffers were stationed in the Maidenhead office, alongside up to 400 Maersk personnel. All computer equipment used by Maersk from before NotPetya\u2019s outbreak had been confiscated, for fear that it might infect new systems, and signs were posted threatening disciplinary action against anyone who used it. Instead, staffers had gone into every available electronics store in Maidenhead and bought up piles of new laptops and prepaid Wi-Fi hot spots. Jensen, like hundreds of other Maersk IT staffers, was given one of those fresh laptops and told to do his job. \u201cIt was very much just \u2018Find your corner, get to work, do whatever needs to be done,\u2019\u2009\u201d he says.<\/p>\n<p>Early in the operation, the IT staffers rebuilding Maersk\u2019s network came to a sickening realization. They had located backups of almost all of Maersk\u2019s individual servers, dating from between three and seven days prior to NotPetya\u2019s onset. 
But no one could find a backup for one crucial layer of the company\u2019s network: its domain controllers, the servers that function as a detailed map of Maersk\u2019s network and set the basic rules that determine which users are allowed access to which systems.<\/p>\n<p>Maersk\u2019s 150 or so domain controllers were programmed to sync their data with one another, so that, in theory, any of them could function as a backup for all the others. But that decentralized backup strategy hadn\u2019t accounted for one scenario: where every domain controller is wiped simultaneously. \u201cIf we can\u2019t recover our domain controllers,\u201d a Maersk IT staffer remembers thinking, \u201cwe can\u2019t recover anything.\u201d<\/p>\n<p>After a frantic search that entailed calling hundreds of IT admins in data centers around the world, Maersk\u2019s desperate administrators finally found one lone surviving domain controller in a remote office\u2014in Ghana. At some point before NotPetya struck, a blackout had knocked the Ghanaian machine offline, and the computer remained disconnected from the network. It thus contained the singular known copy of the company\u2019s domain controller data left untouched by the malware\u2014all thanks to a power outage. \u201cThere were a lot of joyous whoops in the office when we found it,\u201d a Maersk administrator says.<\/p>\n<p>When the tense engineers in Maidenhead set up a connection to the Ghana office, however, they found its bandwidth was so thin that it would take days to transmit the several-hundred-gigabyte domain controller backup to the UK. Their next idea: put a Ghanaian staffer on the next plane to London. 
But none of the West African office\u2019s employees had a British visa.<\/p>\n<p>So the Maidenhead operation arranged for a kind of relay race: One staffer from the Ghana office flew to Nigeria to meet another Maersk employee in the airport to hand off the very precious hard drive. That staffer then boarded the six-and-a-half-hour flight to Heathrow, carrying the keystone of Maersk\u2019s entire recovery process.<\/p>\n<p>With that rescue operation completed, the Maidenhead office could begin bringing Maersk\u2019s core services back online. After the first days, Maersk\u2019s port operations had regained the ability to read the ships\u2019 inventory files, so operators were no longer blind to the contents of the hulking, 18,000-container vessels arriving in their harbors. But several days would pass after the initial outage before Maersk started taking orders through Maerskline.com for new shipments, and it would be more than a week before terminals around the world started functioning with any degree of normalcy.<\/p>\n<p>In the meantime, Maersk staffers worked with whatever tools were still available to them. They taped paper documents to shipping containers at APM ports and took orders via personal Gmail accounts, WhatsApp, and Excel spreadsheets. \u201cI can tell you it\u2019s a fairly bizarre experience to find yourself booking 500 shipping containers via WhatsApp, but that\u2019s what we did,\u201d one Maersk customer says.<\/p>\n<p>About two weeks after the attack, Maersk\u2019s network had finally reached a point where the company could begin reissuing personal computers to the majority of staff. Back at the Copenhagen headquarters, a cafeteria in the basement of the building was turned into a reinstallation assembly line. 
Computers were lined up 20 at a time on dining tables as help desk staff walked down the rows, inserting USB drives they\u2019d copied by the dozens, clicking through prompts for hours.<\/p>\n<p>A few days after his return from Maidenhead, Henrik Jensen found his laptop in an alphabetized pile of hundreds, its hard drive wiped, a clean image of Windows installed. Everything that he and every other Maersk employee had stored locally on their machines, from notes to contacts to family photos, was gone.<\/p>\n<p><span class=\"lede\">Five months after <\/span>Maersk had recovered from its NotPetya attack, Maersk chair Jim Hagemann Snabe sat onstage at the World Economic Forum meeting in Davos, Switzerland, and lauded the \u201cheroic effort\u201d that went into the company\u2019s IT rescue operation. From June 27, when he was first awakened by a 4 am phone call in California, ahead of a planned appearance at a Stanford conference, he said, it took just 10 days for the company to rebuild its entire network of 4,000 servers and 45,000 PCs. (Full recovery had taken far longer: Some staffers at the Maidenhead operation continued to work day and night for close to two months to rebuild Maersk\u2019s software setup.) \u201cWe overcame the problem with human resilience,\u201d Snabe told the crowd.<\/p>\n<p>Since then, Snabe went on, Maersk has worked not only to improve its cybersecurity but also to make it a \u201ccompetitive advantage.\u201d Indeed, in the wake of NotPetya, IT staffers say that practically every security feature they\u2019ve asked for has been almost immediately approved. Multifactor authentication has been rolled out across the company, along with a long-delayed upgrade to Windows 10.<\/p>\n<p>Snabe, however, didn\u2019t say much about the company\u2019s security posture pre-NotPetya. 
Maersk security staffers tell WIRED that some of the corporation\u2019s servers were, up until the attack, still running Windows 2000\u2014an operating system so old Microsoft no longer supported it. In 2016, one group of IT executives had pushed for a preemptive security redesign of Maersk\u2019s entire global network. They called attention to Maersk\u2019s less-than-perfect software patching, outdated operating systems, and above all insufficient network segmentation. That last vulnerability in particular, they warned, could allow malware with access to one part of the network to spread wildly beyond its initial foothold, exactly as NotPetya would the next year.<\/p>\n<p>The security revamp was green-lit and budgeted. But its success was never made a so-called key performance indicator for Maersk\u2019s most senior IT overseers, so implementing it wouldn\u2019t contribute to their bonuses. They never carried the security makeover forward.<\/p>\n<p>Few firms have paid more dearly for dragging their feet on security. In his Davos talk, Snabe claimed that the company suffered only a 20 percent reduction in total shipping volume during its NotPetya outage, thanks to its quick efforts and manual workarounds. But aside from the company\u2019s lost business and downtime, as well as the cost of rebuilding an entire network, Maersk also reimbursed many of its customers for the expense of rerouting or storing their marooned cargo. One Maersk customer described receiving a seven-figure check from the company to cover the cost of sending his cargo via last-minute chartered jet. \u201cThey paid me a cool million with no more than a two-minute discussion,\u201d he says.<\/p>\n<p>All told, Snabe estimated in his Davos comments, NotPetya cost Maersk between $250 million and $300 million. 
Most of the staffers WIRED spoke with privately suspected the company\u2019s accountants had low-balled the figure.<\/p>\n<p>Regardless, those numbers only start to describe the magnitude of the damage. Logistics companies whose livelihoods depend on Maersk-owned terminals weren\u2019t all treated as well during the outage as Maersk\u2019s customers, for instance. Jeffrey Bader, president of a Port Newark\u2013based trucking group, the Association of Bi-State Motor Carriers, estimates that the unreimbursed cost for trucking companies and truckers alone is in the tens of millions. \u201cIt was a nightmare,\u201d Bader says. \u201cWe lost a lot of money, and we\u2019re angry.\u201d<\/p>\n<p>The wider cost of Maersk\u2019s disruption to the global supply chain as a whole\u2014which depends on just-in-time delivery of products and manufacturing components\u2014is far harder to measure. And, of course, Maersk was only one victim. Merck, whose ability to manufacture some drugs was temporarily shut down by NotPetya, told shareholders it lost a staggering $870 million due to the malware. FedEx, whose European subsidiary TNT Express was crippled in the attack and required months to recover some data, took a $400 million blow. French construction giant Saint-Gobain lost around the same amount. Reckitt Benckiser, the British manufacturer of Durex condoms, lost $129 million, and Mondel\u0113z, the owner of chocolate-maker Cadbury, took a $188 million hit. Untold numbers of victims without public shareholders counted their losses in secret.<\/p>\n<p>Only when you start to multiply Maersk\u2019s story\u2014imagining the same paralysis, the same serial crises, the same grueling recovery\u2014playing out across dozens of other NotPetya victims and countless other industries does the true scale of Russia\u2019s cyberwar crime begin to come into focus.<\/p>\n<p>\u201cThis was a very significant wake-up call,\u201d Snabe said at his Davos panel. 
Then he added, with a Scandinavian touch of understatement, \u201cYou could say, a very expensive one.\u201d<\/p>\n<p><span class=\"lede\">One week after <\/span>NotPetya\u2019s outbreak, Ukrainian police dressed in full SWAT camo gear and armed with assault rifles poured out of vans and into the modest headquarters of Linkos Group, running up the stairs like SEAL Team Six invading the bin Laden compound.<\/p>\n<p>They pointed rifles at perplexed employees and lined them up in the hallway, according to the company\u2019s founder, Olesya Linnyk. On the second floor, next to her office, the armored cops even smashed open the door to one room with a metal baton, in spite of Linnyk\u2019s offer of a key to unlock it. \u201cIt was an absurd situation,\u201d Linnyk says after a deep breath of exasperation.<\/p>\n<p>The militarized police squad finally found what it was looking for: the rack of servers that had played the role of patient zero in the NotPetya plague. They confiscated the offending machines and put them in plastic bags.<\/p>\n<p>Even now, more than a year after the attack\u2019s calamitous spread, cybersecurity experts still argue over the mysteries of NotPetya. What were the hackers\u2019 true intentions? The Kiev staff of security firm ISSP, including Oleh Derevianko and Oleksii Yasinsky, maintain that the attack was intended not merely for destruction but as a cleanup effort. After all, the hackers who launched it first had months of unfettered access to victims\u2019 networks. On top of the panic and disruption it caused, NotPetya may have also wiped away evidence of espionage or even reconnaissance for future sabotage. 
Just in May, the US Justice Department and Ukrainian security services announced that they\u2019d disrupted a Russian operation that had infected half a million internet routers\u2014mostly in Ukraine\u2014with a new form of destructive malware.<\/p>\n<p>While many in the security community still see NotPetya\u2019s international victims as collateral damage, Cisco\u2019s Craig Williams argues that Russia knew full well the extent of the pain the worm would inflict internationally. That fallout, he argues, was meant to explicitly punish anyone who would dare even to maintain an office inside the borders of Russia\u2019s enemy. \u201cAnyone who thinks this was accidental is engaged in wishful thinking,\u201d Williams says. \u201cThis was a piece of malware designed to send a political message: If you do business in Ukraine, bad things are going to happen to you.\u201d<\/p>\n<p>Almost everyone who has studied NotPetya, however, agrees on one point: that it could happen again or even reoccur on a larger scale. Global corporations are simply too interconnected, information security too complex, attack surfaces too broad to protect against state-trained hackers bent on releasing the next world-shaking worm. Russia, meanwhile, hardly seems to have been chastened by the US government\u2019s sanctions for NotPetya, which arrived a full eight months after the worm hit and whose punishments were muddled with other messages chastising Russia for everything from 2016 election disinformation to hacker probes of the US power grid. \u201cThe lack of a proper response has been almost an invitation to escalate more,\u201d says Thomas Rid, a political science professor at Johns Hopkins\u2019 School of Advanced International Studies.<\/p>\n<p>But the most enduring object lesson of NotPetya may simply be the strange, extradimensional landscape of cyberwar\u2019s battlefield. 
This is the confounding geography of cyberwarfare: In ways that still defy human intuition, phantoms inside M.E.Doc\u2019s server room in a gritty corner of Kiev spread chaos into the gilded conference rooms of the capital\u2019s federal agencies, into ports dotting the globe, into the stately headquarters of Maersk on the Copenhagen harbor, and across the global economy. \u201cSomehow the vulnerability of this Ukrainian accounting software affects the US national security supply of vaccines and global shipping?\u201d asks Joshua Corman, a cybersecurity fellow at the Atlantic Council, as if still puzzling out the shape of the wormhole that made that cause-and-effect possible. \u201cThe physics of cyberspace are wholly different from every other war domain.\u201d<\/p>\n<p>In those physics, NotPetya reminds us, distance is no defense. Every barbarian is already at every gate. And the network of entanglements in that ether, which have unified and elevated the world for the past 25 years, can, over a few hours on a summer day, bring it to a crashing halt.<\/p>\n<p><strong>Andy Greenberg<\/strong> <em>(<a href=\"https:\/\/twitter.com\/a_greenberg\" target=\"_blank\">@a_greenberg<\/a>) is a<\/em> WIRED <em>senior writer. This story is excerpted from his book<\/em> <a href=\"https:\/\/www.penguinrandomhouse.com\/books\/597684\/sandworm-by-andy-greenberg\/\" target=\"_blank\">Sandworm<\/a>, <em>forthcoming from Doubleday<\/em>.<\/p>\n<p><em>This article appears in the September issue. <a href=\"https:\/\/subscribe.condenastdigital.com\/subscribe\/splits\/wired\/WIR_Edit_Hardcoded?source=Edit_Hardcoded\" target=\"_blank\">Subscribe now<\/a>.<\/em><\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/notpetya-cyberattack-ukraine-russia-code-crashed-the-world\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5b733b9c8a992b7a26e92d78\/master\/pass\/notpetya_opener_1.jpg\"\/><\/p>\n<p><strong>Credit to Author: Andy Greenberg| Date: Wed, 22 Aug 2018 09:00:00 +0000<\/strong><\/p>\n<p>Crippled ports. Paralyzed corporations. Frozen government agencies. How a single piece of code crashed the world.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[17573,714],"class_list":["post-13167","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-backchannel","tag-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13167","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=13167"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13167\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=13167"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categorie
s?post=13167"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=13167"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}