Generated by GPT-5-mini

| Maersk cyberattack | |
|---|---|
| Name | A.P. Moller–Maersk |
| Industry | Shipping and logistics |
| Founded | 1904 |
| Headquarters | Copenhagen |
| Notable incident | 2017 cyberattack |
The 2017 cyberattack on A.P. Moller–Maersk was a major ransomware and malware incident that disrupted container shipping, oil and gas, and terminal operations across multiple countries. It affected global trade routes, port operations, and information technology systems, and prompted coordinated responses from firms, national agencies, and international organizations. It remains a widely studied case in cybersecurity, supply chain resilience, and corporate crisis management.
In 2017 A.P. Moller–Maersk operated global container shipping lines, oil and gas businesses, and terminal services, linking hubs such as the Port of Rotterdam, the Port of Singapore, and the Port of Los Angeles. Maersk's corporate structure included entities such as Maersk Line, A.P. Moller Holding, and affiliated terminals operated under their own brands, all of which worked with companies such as IBM, SAP SE, and Microsoft. The maritime logistics sector had already seen cyber intrusions affecting COSCO Shipping and port systems, which raised concerns among stakeholders such as the International Maritime Organization and the World Trade Organization. National cybersecurity centers, including United States Cyber Command, the National Cyber Security Centre (United Kingdom), and the Danish Defence Intelligence Service, were monitoring threats from hacking groups with links to state actors such as Fancy Bear and Lazarus Group, while cybersecurity firms such as Kaspersky Lab, Symantec, and FireEye published threat intelligence on ransomware families including WannaCry and NotPetya.
One day in June 2017, operations were suddenly impaired by a fast-spreading malware outbreak that resembled destructive ransomware activity previously attributed to sophisticated actors. Initial indicators included widespread workstation encryption and loss of domain controller functionality across facilities in Europe, North America, Asia, and Africa, affecting terminals at locations such as the Port of Salalah and depots near the Port of Gothenburg. Incident response teams from internal IT, third-party vendors such as Akamai Technologies, and consultants from Deloitte and PwC worked alongside national CERTs, including the Computer Emergency Response Team/Coordination Center (CERT/CC), to isolate infected network segments. Over the following days, manual procedures for container handling, invoicing, and vessel departures were put in place while ports coordinated with government agencies such as the UK National Crime Agency and the United States Department of Homeland Security. Restoration involved rebuilding servers, reinstalling enterprise resource planning systems such as SAP ERP, and reconnecting to global booking platforms.
The incident halted digital workflows for booking, container tracking, and terminal orchestration, disrupting sailings on trade lanes such as the Asia–Europe trade route and affecting customers including retailers such as IKEA and manufacturers such as Siemens. Port congestion, delayed vessel arrivals at chokepoints such as the Suez Canal and its diversion routes, and risks to refrigerated cargo affected perishable supply chains for companies such as Nestlé and Unilever. Intermodal connections with railroad operators such as Union Pacific Railroad and trucking firms around hubs including Hamburg experienced cascading delays, while insurers including Lloyd's of London and finance partners such as HSBC assessed claims and liquidity effects. The broader effect rippled through indices tracking trade and logistics, such as the Baltic Dry Index, and influenced discussions at forums such as the World Economic Forum.
Maersk invoked its business continuity plans and worked with technology providers, including Microsoft Azure engineers, IBM Security specialists, and cybersecurity firms such as Mandiant, to perform containment, eradication, and system restoration. Coordination took place with law enforcement agencies such as the FBI and with national CERTs, and international organizations including INTERPOL facilitated intelligence sharing. Recovery steps entailed rebuilding domain controllers, restoring mail services, and reconfiguring terminal operating systems while redirecting vessels and enabling manual cargo handling. Corporate leadership and the board communicated with stakeholders, including shareholders represented by entities such as A.P. Moller Holding A/S, and with customers through shipping associations such as the International Chamber of Shipping.
Technical analysis by security vendors and governmental actors examined indicators of compromise, malware samples, and kill-switch behavior, comparing artifacts to known tooling used by groups such as Sandworm (hacker group) and Lazarus Group, and to prior incidents such as the NotPetya cyberattack. Digital forensics explored code similarities, compile timestamps, and command-and-control infrastructure overlapping with campaigns linked to state-sponsored units allegedly associated with nation-states including the Russian Federation and North Korea. Attribution debates involved agencies such as the National Security Agency and private firms such as CrowdStrike, each weighing geopolitical context, motives, and capability in published assessments and in testimony to legislative bodies such as the United States Congress.
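The artifact comparison described above (shared sample hashes, overlapping command-and-control infrastructure, compile timestamps) can be made concrete with a small overlap-scoring routine. The following is an added illustration, not the analysis of Maersk, any vendor, or any agency; the campaign labels, hashes, domains, timestamps, and score weights are constructed placeholders chosen to show the mechanics.

```python
"""Artifact-overlap scoring between a new malware sample and known campaigns.

Added illustration; not Maersk's, any vendor's, or any agency's actual analysis.
All hashes, domains, timestamps, and weights below are constructed placeholders.
"""
from datetime import datetime, timezone

# Constructed reference set: artifacts previously observed per campaign label.
# "compile_hours_utc" is the set of UTC hours in which that campaign's
# binaries were historically compiled (a common, if weak, attribution signal).
KNOWN_CAMPAIGNS = {
    "campaign-A": {
        "hashes": {"aaaa1111", "bbbb2222", "cccc3333"},
        "c2": {"c2-one.example", "c2-two.example"},
        "compile_hours_utc": [9, 10, 11, 14, 15],
    },
    "campaign-B": {
        "hashes": {"dddd4444"},
        "c2": {"c2-three.example"},
        "compile_hours_utc": [1, 2, 3, 4],
    },
}

# Assumed weights for combining the three signals (illustrative, not a standard).
WEIGHTS = {"hash": 0.5, "c2": 0.3, "time": 0.2}


def jaccard(a: set, b: set) -> float:
    """Jaccard similarity of two sets; 0.0 when both are empty (no evidence)."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def hour_overlap(sample_hours, known_hours) -> float:
    """Fraction of the sample's compile hours inside the campaign's observed window."""
    if not sample_hours:
        return 0.0
    window = set(known_hours)
    return sum(1 for h in sample_hours if h in window) / len(sample_hours)


def score_sample(sample: dict) -> dict:
    """Per-campaign overlap scores for a sample with 'hashes', 'c2', 'compile_times'."""
    hours = [t.astimezone(timezone.utc).hour for t in sample["compile_times"]]
    out = {}
    for name, ref in KNOWN_CAMPAIGNS.items():
        h = jaccard(sample["hashes"], ref["hashes"])
        c = jaccard(sample["c2"], ref["c2"])
        t = hour_overlap(hours, ref["compile_hours_utc"])
        combined = WEIGHTS["hash"] * h + WEIGHTS["c2"] * c + WEIGHTS["time"] * t
        out[name] = {"hash": h, "c2": c, "time": t, "combined": round(combined, 3)}
    return out


def best_match(sample: dict):
    """Return (campaign label, combined score) of the strongest overlap."""
    scores = score_sample(sample)
    name = max(scores, key=lambda n: scores[n]["combined"])
    return name, scores[name]["combined"]


# Constructed sample: one hash and one C2 domain shared with campaign-A,
# compiled in hours inside campaign-A's historical window.
SAMPLE = {
    "hashes": {"bbbb2222", "eeee5555"},
    "c2": {"c2-two.example"},
    "compile_times": [
        datetime(2017, 6, 1, 10, 0, tzinfo=timezone.utc),
        datetime(2017, 6, 2, 14, 30, tzinfo=timezone.utc),
    ],
}

if __name__ == "__main__":
    for campaign, s in score_sample(SAMPLE).items():
        print(campaign, s)
    print("best match:", best_match(SAMPLE))
```

The combined score is a ranking aid, not a conclusion: tooling and infrastructure are reused and deliberately imitated between groups, and compile timestamps can be forged, which is why the attribution debates the page describes also weigh geopolitical context, motive, and capability alongside technical overlap.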
Maersk reported significant financial losses, documented in corporate filings with regulators such as NASDAQ Copenhagen and by accountants applying International Financial Reporting Standards. Legal exposure included commercial claims from customers and scrutiny under data protection frameworks, including the General Data Protection Regulation, for affected EU operations. Insurance coverage under marine and cyber policies with underwriters such as Aon and Marsh & McLennan led to complex claim resolutions, while regulators in jurisdictions including Denmark and the United States Securities and Exchange Commission examined disclosure practices. Industry groups such as BIMCO and the International Association of Ports and Harbors updated guidance on cyber risk in maritime contracts and port security.
Post-incident analyses emphasized segmentation of operational technology from information technology, enhanced patch management for operating systems such as Windows Server and for firmware from hardware vendors, and robust incident response playbooks informed by standards such as the NIST Cybersecurity Framework and guidance from ENISA. Investments in network monitoring from vendors such as Splunk and endpoint protection from firms such as CrowdStrike became priorities, as did tabletop exercises with partners including the Ports of Los Angeles and Long Beach. The case influenced corporate governance best practices promoted by organizations such as ISO and led to increased public-private collaboration involving bodies such as the European Union Agency for Cybersecurity.
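One way to turn the IT/OT segmentation lesson above into a repeatable check is to run flow records against a zone policy and flag any cross-zone traffic that is not explicitly allowed. The block below is an added example and not Maersk's, any vendor's, or any standard's tooling; the subnets, the allowlist, and the flow records are constructed, and the record format (source, destination, destination port, protocol) is an assumption.

```python
"""Segmentation check over flow records: flag cross-zone traffic not on an allowlist.

Added illustration, not any company's actual policy, network, or logs; the zones,
allowlist, record format, and flow lines are constructed.
"""
import ipaddress
from collections import Counter

# Constructed zone definitions: IT (corporate) and OT (terminal systems).
ZONES = {
    "IT": [ipaddress.ip_network("10.10.0.0/16")],
    "OT": [ipaddress.ip_network("10.200.0.0/16")],
}

# Explicitly permitted cross-zone flows as (source zone, destination zone, port).
# Anything cross-zone that is not listed here is a segmentation violation.
ALLOWLIST = {("IT", "OT", 443)}


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'UNKNOWN' if it is in no defined zone."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "UNKNOWN"


def parse_flow(line: str) -> dict:
    """Parse one whitespace-separated record: 'src dst dport proto' (assumed format)."""
    src, dst, dport, proto = line.split()
    return {"src": src, "dst": dst, "dport": int(dport), "proto": proto}


def find_violations(lines) -> list:
    """Return every cross-zone flow that is not on the allowlist, with zones attached."""
    violations = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        flow = parse_flow(line)
        src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
        if src_zone != dst_zone and (src_zone, dst_zone, flow["dport"]) not in ALLOWLIST:
            violations.append({**flow, "src_zone": src_zone, "dst_zone": dst_zone})
    return violations


def summarize(violations) -> Counter:
    """Count violations by (source zone, destination zone, port) for reporting."""
    return Counter((v["src_zone"], v["dst_zone"], v["dport"]) for v in violations)


# Constructed flow records; the second line is the only permitted cross-zone flow.
FLOWS = """
# constructed records: src dst dport proto
10.10.5.21 10.10.7.9 445 tcp
10.10.5.21 10.200.3.4 443 tcp
10.10.5.21 10.200.3.4 445 tcp
10.10.5.22 10.200.3.5 445 tcp
10.200.3.4 10.10.5.21 135 tcp
""".strip().splitlines()

if __name__ == "__main__":
    found = find_violations(FLOWS)
    for v in found:
        print(f"{v['src_zone']}->{v['dst_zone']} {v['src']} -> {v['dst']}:{v['dport']}/{v['proto']}")
    print("summary:", dict(summarize(found)))
```

In practice the allowlist would be generated from the documented firewall policy between zones, and the flow source would be a firewall or NetFlow export; the same check run continuously is the network-monitoring counterpart to the segmentation the post-incident analyses called for.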