Incident White Paper

NotPetya 2017: Collateral Damage at Global Scale

January 8, 2025

By Frank Kahle

Executive Summary

On June 27, 2017, Russian military hackers deployed a weapon designed to cripple Ukrainian government tax systems. Instead, it became the most costly cyber incident in history—inflicting $10 billion in global damages across dozens of countries that had nothing to do with their target.

A.P. Moller Maersk, the Danish shipping company responsible for one in five global container movements, lost $300 million. Merck paid $870 million. FedEx's European operations (TNT) paid $400 million. Mondelez lost $188 million and then fought its insurer for three years over whether the damage counted as an "act of war."

NotPetya exposed three catastrophic gaps in enterprise resilience planning: (1) your supply chain is someone else's collateral damage in conflicts you're not party to; (2) insurance "war exclusions" may not cover cyber weapons; and (3) your entire Active Directory can survive by accident—one offline server in Ghana—but that's not a recovery plan.

What Happened

Ukrainian and international organizations face cyber threats routinely. On June 27, 2017, at 10:30 a.m. GMT, a piece of legitimate accounting software pushed what looked like a routine update. The timing was not a coincidence.

Months earlier, Russian military intelligence (GRU Unit 74455, known as Sandworm) had compromised Linkos Group's development infrastructure for M.E.Doc—the tax accounting software used by the majority of Ukrainian businesses to file government returns. The malware was injected into the update system and lay dormant for at least six weeks. Attackers timed the strike for June 27—the day before Ukraine's Constitution Day—when holiday rotations would reduce active monitoring.

When M.E.Doc pushed the update, it installed NotPetya across Ukrainian networks. But NotPetya was not ransomware seeking payment. It was a wiper—a weapon designed to destroy. Using EternalBlue, an NSA exploit leaked by the Shadow Brokers months earlier, NotPetya moved laterally through networks over the Server Message Block (SMB) protocol, encrypting files beyond recovery and overwriting Master Boot Records so that systems could not restart.
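The propagation pattern described above has a recognizable network signature: one host opening SMB (TCP/445) sessions to many distinct internal hosts in a short window. As an added example (not part of this white paper or of any vendor product), the script below runs a sliding-window fan-out detector over connection-log lines. The log format, the addresses and the traffic are all constructed for the example; a normal file-server pattern (many clients to one server) is included to show that it is not flagged.

```python
"""
Detect worm-style SMB fan-out in connection logs.

Added example, not from the white paper. A single source that reaches
>= `threshold` distinct destinations on TCP/445 within `window` is flagged.
A file server receiving SMB connections from many clients is not flagged,
because the check is per source, not per destination.
Lines are assumed to be in time order (as a flow exporter would emit them).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<ISO ts>Z src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(
    r"(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Parse one log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def detect_smb_fanout(lines, window=timedelta(seconds=60), threshold=10):
    """Return {src_ip: max distinct SMB destinations seen inside one window}
    for every source that crossed `threshold`."""
    recent = defaultdict(deque)  # src -> deque of (ts, dst) inside the window
    alerts = {}
    for raw in lines:
        ev = parse_line(raw)
        if ev is None or ev["dport"] != 445:
            continue  # malformed line or not SMB
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dst"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()  # drop events that fell out of the window
        distinct = {dst for _, dst in q}
        if len(distinct) >= threshold:
            alerts[ev["src"]] = max(alerts.get(ev["src"], 0), len(distinct))
    return alerts


def build_sample_log():
    """Constructed sample: 25 clients using one file server (benign),
    one workstation sweeping its /24 over 445 in 30 seconds (worm-like),
    a few HTTPS flows and one malformed line."""
    base = datetime(2017, 6, 27, 10, 30, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    for i in range(25):  # benign: many clients -> one server
        ts = base + timedelta(seconds=2 * i)
        lines.append(f"{ts:{fmt}} src=10.1.0.{10 + i} dst=10.1.0.5 dport=445")
    for i in range(30):  # worm-like: one client -> many hosts
        ts = base + timedelta(seconds=20 + i)
        lines.append(f"{ts:{fmt}} src=10.1.4.22 dst=10.1.4.{1 + i} dport=445")
    for i in range(5):  # unrelated HTTPS traffic from the same host
        ts = base + timedelta(seconds=25 + i)
        lines.append(f"{ts:{fmt}} src=10.1.4.22 dst=10.1.4.{200 + i} dport=443")
    lines.append("this line is not a flow record")
    lines.sort()  # ISO timestamps sort lexicographically into time order
    return lines


if __name__ == "__main__":
    for src, count in detect_smb_fanout(build_sample_log()).items():
        print(f"ALERT {src}: {count} distinct SMB destinations inside 60s")
```

The threshold and window are tuning knobs: on a real estate, establish the per-host baseline of distinct SMB peers first, then set the threshold well above it so that patch deployment or backup agents do not trip the rule.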

The malware spread globally within hours. It did not discriminate. Companies with no connection to Ukraine, no operations there, and no presence in any conflict zone were wiped.

The Maersk Crisis: A Case Study in Collateral Damage

Maersk operates 600 office locations and terminal facilities across 76 ports. On the morning of June 27, the company's systems began failing simultaneously. Within hours, the shipping giant could not book cargo, track containers, print bills of lading, or communicate with terminal operators. The global supply chain—for food, pharmaceuticals, electronics, clothing—froze.

Maersk had no operations in Ukraine. No employees there. No target on its back. It was collateral damage in a foreign government's conflict, selected purely because its businesses happened to use the same piece of accounting software that Ukrainian tax authorities use.

The Recovery Timeline

  • June 27, 2017: NotPetya deployed via M.E.Doc update. Maersk's global IT infrastructure begins failing.
  • June 27-July 7, 2017: Maersk deploys 2,000 personnel. Over 4,000 servers and 45,000 PCs reinstalled from scratch. 2,500 applications rebuilt.
  • July 8, 2017: Limited shipping operations resume using manual processes and offline systems.
  • August 2017: Maersk estimates the damage at $250–$300 million in lost revenue.
  • October 2017: Systems stabilized. Full recovery required five months.

The Ghana Domain Controller: Surviving by Accident, Not by Plan

Maersk's IT infrastructure was built as most large enterprises build theirs: highly connected, replicated, and dependent on Active Directory domain controllers (DCs) serving authentication across the globe. When NotPetya spread, it targeted domain controllers everywhere—encrypting them, destroying them, rendering the entire authentication system unusable.

Except in Ghana.

A power outage in Maersk's Ghana office had knocked one domain controller offline days or weeks before the attack. It sat powered down and isolated in a server room, receiving no network traffic and no malware. When the attack struck, that single machine—sitting unnoticed in West Africa—contained the only intact copy of Maersk's Active Directory database.

The recovery effort depended on flying the hard drive from Ghana to Nigeria, then to the United Kingdom, where IT teams used it to rebuild the company's digital backbone. This machine saved Maersk's organization from a complete wipeout. But this was not strategy. This was luck.

The Ghana domain controller story haunts enterprise architects. Your entire ability to restore identity and access across your organization might depend on random infrastructure happening to be offline at the right moment. That is not a control. That is not a plan. That is a warning.

The Global Toll

Maersk's $300 million loss was the most visible. But NotPetya's reach was industrial:

The White House assessed total global damages at $10 billion—making NotPetya the costliest cyber incident in history. And it was not an attack on critical infrastructure. It was collateral damage from a state actor's targeted regional operation.

The Insurance Reckoning: Why "Acts of War" Matter When You're Not at War

Mondelez International purchased comprehensive cyber insurance coverage through Zurich American. The policy promised coverage for loss resulting from destruction or corruption of computer data and software. When NotPetya destroyed 1,700 of the company's servers and 24,000 laptops, Mondelez filed a claim for over $100 million in damages.

Zurich denied it.

The insurer invoked a standard exclusion in most commercial policies: coverage does not apply to losses from "hostile or warlike action conducted by any government or sovereign power." Since the U.S. and allied governments had publicly attributed NotPetya to Russia's GRU, Zurich argued the attack fell outside coverage as an "act of war."

This logic created an impossible situation for Mondelez, Merck, and others. They purchased insurance to protect against cyber risk. When a nation-state weapon struck them, insurers claimed the damage was not "cyber risk"—it was "military risk," and therefore excluded. The companies, however, were not militaries. They had not declared war. They were civilians caught in crossfire.

Merck pursued litigation aggressively. In 2021, a New Jersey court sided with Merck, ruling that the policy's "act of war" exclusion referred only to official state military operations between governments, not cyber attacks attributed to state actors. The court awarded Merck a $1.4 billion settlement. Mondelez and Zurich settled confidentially in 2022, leaving no legal precedent—and leaving every other organization uncertain whether their insurance would actually cover nation-state cyber attacks.

What NotPetya Exposed

First: Supply chain vulnerability to third-party targeting. Maersk was not targeted. Its customers in Ukraine used M.E.Doc. So did other Maersk customers. So did thousands of other companies. The attacker did not care. The weapon spread indiscriminately. Your risk model probably assumes you are targeted for a reason. NotPetya teaches that you may be destroyed for no reason at all—because your vendor, or their vendor, or a vendor's customer, was the actual target. This is collateral damage risk. It is uninsurable under traditional models. And it is accelerating.

Second: Domain controller resilience is not optional. When NotPetya attacked Maersk, it sought out Active Directory domain controllers—the heart of any enterprise identity system. Most organizations keep domain controllers distributed geographically but interconnected. That connectivity made them all vulnerable simultaneously. Maersk's Ghana server survived because it was offline by accident. How many organizations have a single offline domain controller held in reserve? How many have tested recovery from total AD destruction without relying on recent backups? How many understand that recovering AD is not about restoring data—it's about verifying that the restored data has not been poisoned by months of undetected replication from compromised domain controllers?

Third: Insurance "war exclusions" create a coverage gap for state-sponsored attacks. Cyber insurance policies typically exclude "acts of war." But modern cyber warfare is not declarations and treaties. It is espionage, it is coercion, it is infrastructure sabotage conducted by military units without formal declarations. The NotPetya aftermath exposed that most organizations' insurance policies contain a hidden assumption: state-sponsored attacks won't happen to you. That assumption is wrong. And when it is violated, insurance disappears.

Fourth: Recovery speed cannot be improvised; it is a capability you build beforehand, or you do not have it. Maersk mobilized 2,000 personnel to rebuild 45,000 PCs and 4,000 servers in ten days. Most organizations could not do this. Most do not have spare hardware in inventory. Most do not have recovery procedures documented. Most do not have the logistical capability to coordinate thousands of reinstalls across hundreds of locations. When the attack happened, Maersk discovered it had this capability (or built it out of necessity). For other companies, the recovery took months or years. The difference was not luck—it was infrastructure investment and rehearsal.

The Resilience Lens: What Boards Should Ask

1. Do we know which third-party vendors could cause us collateral damage if they are compromised?

Not whether we use vulnerable vendors. But whether we have mapped the vendors that, if attacked, could impact us even if we are not the target. M.E.Doc was not a core vendor for Maersk. It was an accounting tool used in one region. Yet it destroyed the company's global operations. Do you know which software updates, cloud services, or supply chain partners could create cascading failures in your organization?

2. Can we actually recover our identity and access systems without relying on external connectivity or cloud services?

Maersk's Ghana domain controller was valuable because it could be restored offline, independently. Most organizations' domain controllers are cloud-synced or distributed in ways that make offline recovery impossible. Can you restore your entire directory from a single server isolated from the network? Can you bootstrap authentication without depending on services that may themselves be compromised?

3. What does our cyber insurance actually cover, and at what point do "act of war" exclusions apply?

Get your policy reviewed by counsel who understands cyber. Not cyber lawyers who understand policy. Understand exactly what events trigger exclusions. Understand who decides whether an attack is an "act of war." Understand whether you are covered for infrastructure losses when a vendor is the initial target. And understand that the answer may be: "You are not covered, and you did not know it until you filed a claim."

4. Do we have the logistical capability to rebuild at Maersk's scale in Maersk's timeframe?

Maersk rebuilt 45,000 devices in ten days. This required spare hardware, documented recovery procedures, trained personnel, and coordination across global locations. Most organizations have not invested at this scale. The question is not: "Do we have a disaster recovery plan?" It is: "Can we actually execute it, at speed, across distributed operations, without external IT vendor support that may also be under attack?"

5. Have we rehearsed recovery from total domain destruction, not just data loss?

Recovering data is straightforward if you have backups. Recovering domain controllers is fundamentally different. You must detect that they are poisoned before you restore them. You must have a clean source to restore from. You must rebuild trust relationships across the forest. And you must do this while your organization cannot authenticate. Have you practiced this scenario? Do your IT teams understand what happens after they restore the first domain controller?
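The Ghana story, the second lesson above and board questions 2 and 5 all turn on one decision a recovery team has to make deliberately rather than by luck: which surviving copy of the directory is safe to seed a forest rebuild from. As an added example (not from this white paper, and not a Microsoft or Maersk procedure), the script below encodes that decision as three checks: the copy must have stopped replicating before the destructive payload ran, a copy that last replicated inside the suspected dwell window needs forensic validation before use, and a copy older than the Active Directory tombstone lifetime (180 days by default on current forests) is not a supported restore source at all. The payload time (10:30 GMT on June 27, 2017) comes from the page; the dwell start of May 16, 2017 is an assumed lower bound derived from the page's "at least six weeks" dormancy; the inventory of domain controllers and backups is constructed.

```python
"""
Choose a clean restore source for Active Directory after a wiper event.

Added example, not from the white paper. Models the "is this copy safe to
rebuild from?" decision the page says must be rehearsed, not left to chance.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

PAYLOAD_RUN = datetime(2017, 6, 27, 10, 30)   # from the page (10:30 GMT)
DWELL_START = datetime(2017, 5, 16)           # assumed: >= 6 weeks dormant
TOMBSTONE_LIFETIME = timedelta(days=180)      # AD default on current forests


@dataclass
class DirectoryCopy:
    name: str
    kind: str                           # "dc" (live copy) or "backup"
    last_replicated: datetime           # last inbound replication or backup time
    isolated_since: Optional[datetime]  # None = still reachable when payload ran


def classify(copy: DirectoryCopy, now: datetime = PAYLOAD_RUN):
    """Return (usable, reason) for one directory copy."""
    if copy.isolated_since is None or copy.isolated_since >= PAYLOAD_RUN:
        return False, "reachable when the payload ran; assume wiped or partially wiped"
    if now - copy.last_replicated > TOMBSTONE_LIFETIME:
        return False, "older than the tombstone lifetime; unsupported restore source"
    if copy.last_replicated >= DWELL_START:
        return True, "free of the wiper but inside the dwell window; validate for attacker changes"
    return True, "predates the dwell window; preferred restore source"


def rank_restore_sources(copies):
    """Usable copies, most recent first, each paired with its caveat.
    Most recent = least data loss, so it is listed first; the caveat tells
    the team how much validation that choice buys them."""
    ranked = [(c, classify(c)[1]) for c in copies if classify(c)[0]]
    ranked.sort(key=lambda cr: cr[0].last_replicated, reverse=True)
    return ranked


def build_inventory():
    """Constructed inventory modelled loosely on the page's narrative."""
    return [
        DirectoryCopy("dc-copenhagen", "dc", datetime(2017, 6, 27, 10, 29), None),
        DirectoryCopy("dc-rotterdam", "dc", datetime(2017, 6, 27, 10, 45),
                      datetime(2017, 6, 27, 10, 45)),  # pulled the cable too late
        DirectoryCopy("dc-ghana", "dc", datetime(2017, 6, 10),
                      datetime(2017, 6, 12)),          # power outage, offline early
        DirectoryCopy("backup-q1", "backup", datetime(2017, 3, 31),
                      datetime(2017, 3, 31)),          # offline tape, pre-dwell
        DirectoryCopy("backup-stale", "backup", datetime(2016, 11, 1),
                      datetime(2016, 11, 1)),          # too old to restore
    ]


if __name__ == "__main__":
    inventory = build_inventory()
    for copy in inventory:
        usable, reason = classify(copy)
        print(f"{'OK  ' if usable else 'NO  '}{copy.name:14} {reason}")
    print("restore order:", [c.name for c, _ in rank_restore_sources(inventory)])
```

Two design choices worth noting. The dwell-window check is deliberately separate from the wiper check: a copy can be untouched by the destructive payload and still carry changes an attacker made during the weeks of quiet access, which is exactly the "poisoned replication" risk the second lesson describes. And the tombstone-lifetime check is the reason a single accidental survivor is not a plan: had the Ghana machine been off for six months instead of days, it would have been unusable.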

Conclusion: NotPetya as a Prophecy

NotPetya happened eight years ago. Its lessons have not been absorbed at scale. Most organizations still:

NotPetya was not anomalous. It was a preview. State-sponsored cyber operations are now standard. Attribution is now public. Insurance exclusions are now tested in litigation. And most organizations are still building resilience as if attacks are rare, targeted, and easily contained.

The boards and executives who understand this are already reshaping their risk models. They are not asking: "How do we prevent attacks?" They are asking: "If a weapon built for someone else destroys us, can we recover? Can we recover at scale? Can we recover without insurance helping us? And can we recover before our customers and regulators have lost trust?"

Those questions start with a recognition that collateral damage is your risk model now.

Rehearse This Scenario

NotPetya-scale incidents are not theoretical. They are precedents. Organizations that have rehearsed total infrastructure recovery—including domain destruction, multi-location rebuilds, and insurance limitations—move with clarity when it happens. Others do not.
