The Cyber Kill Chain in Practice


Maersk is a Danish-based cargo shipping company that is responsible for one-fifth of global freight operations. In 2017, Maersk’s Ukraine subsidiary was infected with malware that caused over 200 million dollars in financial impact, and over 10 billion dollars in global damages. The malware is known as NotPetya and is attributed to the Russian hacker group called Sandworm. Russia denies its involvement in the cyber-attack, but the behavior of the malware resembles previous tactics used by Sandworm. Previous cyber-attacks that have been linked to Sandworm involve the use of fake ransomware. To elaborate, the group would deploy an exploit that resembles ransomware and would ask for bitcoin in exchange for the key used for decryption. Unbeknownst to the target, there is no key that can unlock their resources. Even after a target pays the ransom, their system is still damaged beyond repair.
Prior to the release of NotPetya, Ukraine had been the victim of cyber-attacks that affected power grids, government IT resources, and network operations across the country. Cyber warfare can now be joined with traditional warfare to provide hybrid effects within a battlefield. Attackers employ cyber weapons to target adversaries while remaining anonymous. Lockheed Martin developed the Cyber Kill Chain as a systematic approach to the lifecycle of a cyber attack. The Cyber Kill Chain is a seven-step process that can be used to perform a post-mortem analysis of a cyber attack. To better explore the lifecycle of NotPetya, the Cyber Kill Chain will be used for analysis.

Step 1: Reconnaissance

The adversary that affected Maersk conducted reconnaissance of the target environment prior to the launch of NotPetya. The adversary decided to exploit the trust relationship between Maersk and M.E Doc. M.E Doc is a software vendor that provides accounting software to the country of Ukraine. The accounting system is mandated by the Ukrainian government and is relied upon by a large population of Ukrainian businesses. As attackers perform reconnaissance of their target, they also search for threat vectors outside the target’s organization. The adversary performed reconnaissance of M.E Doc’s computing environment months prior to the launch of NotPetya. The results of that reconnaissance allowed the adversary to devise their cyber weapon.

Step 2: Weaponization

Once reconnaissance of the target environment is completed, the adversary can begin to craft an exploit. M.E Doc was the threat agent of the NotPetya malware. The adversary was able to infect the software code of M.E Doc with a series of backdoors. These backdoors allowed for remote code execution by the attacker. The attackers were able to infect the update server of M.E Doc after discovering vulnerabilities within its environment.

Step 3: Delivery

The adversary delivered its payload through the update server of M.E Doc. Instead of receiving software updates, the clients of M.E Doc received the NotPetya virus. The attackers used the EternalBlue vulnerability to deliver their payload to other connected systems. EternalBlue exploits a vulnerability within the Server Message Block (SMB) service. The adversary exploited interconnected systems even when they did not have the M.E Doc software installed. Once delivered, the code traverses the network to infect other systems with an open SMB port.

Step 4: Exploitation

The attackers were able to infect the update server of M.E Doc with instructions to propagate their malicious code instead of pushing out software updates to M.E Doc’s clients. This step also exploits the trust relationships between M.E Doc and its clients.

Step 5: Installation

NotPetya was initially installed on target systems that require automatic updates from M.E Doc’s update server. Once installed, the virus acts as a cryptolocker, locking the user out of his or her system and demanding a ransom in the form of bitcoin. As the infected resource is degraded, the malware traverses to neighboring computers and servers.

Step 6: Command and Control

Once M.E Doc’s backdoor vulnerability was exploited, the adversary would connect to the affected system through its command and control server. The command and control capabilities within the code of NotPetya included the ability to launch its exploit, open a command shell, write data to specific files, and execute commands masquerading as a known user. These instructions could be executed remotely by the adversary.

Step 7: Actions on the Objective

The payload of NotPetya is malware that affects the file systems residing in Windows environments. Once a system is infected, NotPetya encrypts the master file table within the system, steals user credentials, and pivots to other computers residing within the affected network through the server message block port. Unlike most ransomware, even if a user pays the ransom, the effects of NotPetya will not be reversed.


As technological advances continue to connect us to remote resources, organizations accept the risks associated with an interconnected world. Cyber warfare has evolved to introduce kinetic effects that can degrade and disrupt normal operations of servers. These kinetic effects are most destructive to critical resources such as power grids and water treatment facilities, and pose a threat to global supply chains. The actors behind NotPetya most likely spent the majority of their time conducting reconnaissance on potential threat agents. This is evident from the large-scale effects of the cryptovirus. Because the attack methodology closely resembles that of WannaCry, it seems like the attack was meant to infect as many systems as possible with no defined end goal. The attackers were able to overlap some steps within the Cyber Kill Chain. To elaborate, steps five through seven of the Cyber Kill Chain all occur in seconds within an infected environment. Once the NotPetya payload was delivered, the actions on the objective were conducted.
The speed of propagation of NotPetya is the fastest amongst all previously deployed malware. Due to its speed and devastating effects, Craig Williams, director of outreach at Cisco’s Talos division, states that “by the second you saw it, your data center was already gone.” There was not much that Maersk or other victims could have done once the attack had reached step five within the Cyber Kill Chain.
A lesson learned from NotPetya is that even if your systems are protected, attackers can exploit your affiliates and use your trust relationship to gain access to your systems. The best defense for your organization is to align your layered defense strategy to mitigate the impact of a compromised affiliate. Additionally, maintain an effective patching schedule and close unused ports to minimize your threat exposure. Given the speed of propagation of NotPetya, we must defend ourselves against every step within the Cyber Kill Chain. As our adversaries construct cyber weapons that can cause significant fiscal impacts, you must account for every avenue of approach that an attacker may utilize to gain access to your systems. I recommend ensuring that the organizations you conduct business with are maintaining operational security. Do not expose your systems to compromised environments. Even with a secure architecture, your adversaries may gain access by first infecting your trusted affiliates.
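
One way to detect the spread over the server message block port described above, added here as an example and not taken from the original article: it flags internal hosts that open SMB (TCP 445) connections to many distinct internal peers inside a short sliding window. The flow-record format, the 60-second window and the five-peer threshold are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address

SMB_PORT = 445
WINDOW = timedelta(seconds=60)  # assumption: tune to your network
THRESHOLD = 5                   # assumption: distinct SMB peers per window

# Constructed sample records in an assumed format: "timestamp src dst dst_port"
SAMPLE_FLOWS = """\
2024-01-01T09:00:00 10.0.2.8 10.0.2.5 445
2024-01-01T09:00:10 10.0.3.9 10.0.3.1 445
2024-01-01T09:01:00 10.0.1.15 10.0.1.20 445
2024-01-01T09:01:01 10.0.1.15 10.0.1.21 445
2024-01-01T09:01:02 10.0.1.15 10.0.1.22 445
2024-01-01T09:01:02 10.0.1.15 10.0.9.9 443
2024-01-01T09:01:03 10.0.1.15 10.0.1.23 445
2024-01-01T09:01:04 10.0.1.15 10.0.1.24 445
2024-01-01T09:05:10 10.0.3.9 10.0.3.2 445
2024-01-01T09:10:10 10.0.3.9 10.0.3.3 445
2024-01-01T09:15:10 10.0.3.9 10.0.3.4 445
2024-01-01T09:20:10 10.0.3.9 10.0.3.5 445
""".splitlines()

def parse_flow(line):
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), ip_address(src), ip_address(dst), int(port)

def smb_fanout_alerts(lines, window=WINDOW, threshold=THRESHOLD):
    """Map each flagged source to the time it first reached `threshold`
    distinct internal SMB peers inside one sliding `window`."""
    recent = defaultdict(deque)  # src -> (timestamp, dst) pairs still in window
    alerts = {}
    flows = sorted((parse_flow(l) for l in lines if l.strip()), key=lambda f: f[0])
    for ts, src, dst, port in flows:
        # Only internal-to-internal SMB matters for lateral movement.
        if port != SMB_PORT or not (src.is_private and dst.is_private):
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:  # evict connections older than the window
            q.popleft()
        if src not in alerts and len({d for _, d in q}) >= threshold:
            alerts[src] = ts
    return alerts

if __name__ == "__main__":
    for src, ts in smb_fanout_alerts(SAMPLE_FLOWS).items():
        print(f"{ts.isoformat()} {src} reached {THRESHOLD} SMB peers within {WINDOW}")
```

In the sample, the workstation that touches five peers in four seconds is flagged, while the client of a single file server and the host that reaches five peers over twenty minutes are not.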


About the Author

Victor Nzeata is the Chief Executive Officer of Cyber Brain Academy and has held previous roles such as electrical engineer, software engineer, cyber threat emulation lead, and information systems security manager. In 2016, he became the US Army Reserve’s first graduate from the US Army Cyber School of Excellence and is the first Army Cyber Operations Officer with experience leading electronic warfare missions and combined arms operations in the United States, Asia and the Middle East. Victor is also an adjunct professor at the University of San Diego, where he teaches Secure Systems Architecture to its graduate-level students.

Victor received a bachelor’s degree in computer engineering technology from Purdue University, a master’s degree in cyber security operations and leadership from the University of San Diego and is a Ph.D. candidate in Information Security. Victor holds active CompTIA Security+, Certified Ethical Hacker, Certified Information Systems Professional, Certified Data Privacy Solutions Engineer, and Navy Qualified Validator Lvl 3 certifications.
