Cyber Incident Victim: A.P. Moller - Maersk Group
Date: Jun 2017
Location: Ukraine
Summary
A global ransomware attack severely disrupted operations at a major shipping company, impacting port terminals and forcing manual cargo handling in India while shutting down facilities in the US and Netherlands. The Petya malware exploited Windows vulnerabilities via EternalBlue, demanding cryptocurrency payments to unlock systems, and spread rapidly from Europe to Asia, Australia, and the Americas. Beyond maritime logistics, the incident affected manufacturers, energy firms, government systems, and food production—including halted chocolate factory operations—demonstrating broad cross-sector disruption. Initial infections centered on Ukrainian and Russian entities, with over 2,000 North American systems compromised, though some firms mitigated impacts through backup protocols. The attack followed similar ransomware tactics to WannaCry, highlighting systemic vulnerabilities in critical infrastructure worldwide.
Description
The June 2017 cyber incident affecting A.P. Moller-Maersk began as part of a global ransomware campaign initially observed in Ukraine and Russia on June 27. The attack, attributed to the Petya virus, rapidly propagated across Europe before reaching Asia, Australia, and the United States within 24 hours. Petya exploited the EternalBlue vulnerability in Microsoft Windows operating systems—the same weakness leveraged by the WannaCry ransomware weeks earlier—and appended a fake Microsoft digital signature to bypass security measures. Initial targets included Ukrainian government systems, the Chernobyl nuclear facility's radiation monitoring, and over 80 organizations across Russia and Ukraine. Critical infrastructure operators were particularly vulnerable due to delays in implementing security patches for legacy systems.

Maersk's infrastructure sustained severe operational disruptions starting June 27, with its APM Terminals division experiencing system failures at multiple global ports. The Jawaharlal Nehru Port Trust terminal near Mumbai—India's largest container port—could not process automated cargo operations, forcing manual clearance procedures. APM Terminals at the Port of New York and New Jersey closed entirely due to system impacts, while Rotterdam's terminals—Europe's largest harbor—faced similar disruptions. Maersk's internal systems, including online booking tools, became inoperable, affecting shipping logistics worldwide. Concurrently, the attack impacted Rosneft's operations in Russia, halted production at Mondelez International's Cadbury factory in Tasmania, and compromised systems at Reckitt Benckiser and Beiersdorf in India. Merck & Co, French manufacturer Saint-Gobain, and Ukrainian entities including Nova Poshta and power companies Kyivenergo and Ukrenergo reported infections. Europol activated emergency response protocols, while affected organizations like law firm DLA Piper and advertiser WPP preemptively shut down systems. Maersk implemented backup production management systems to mitigate damage, though port operations remained impaired for days. The ransomware demanded $300 per infected computer in cryptocurrency, though Kaspersky Lab confirmed only 2,000 compromised systems by midday June 27, with no evidence of large-scale payments resolving the disruptions.
