Microsoft cut off entirety of Ukraine from its network during NotPetya attacks

CISO Bret Arsenault says it was one of the worst episodes during his 10-year tenure

Microsoft was forced to disconnect the entirety of Ukraine from its network in order to mitigate the effects of the 2017 NotPetya ransomware attack, it has emerged.

Microsoft CISO Bret Arsenault revealed on Monday that the company "had seconds to make the decision" after being alerted that one of its vendor's devices had been infected by the ransomware back in June 2017.

NotPetya, a self-propagating strain of ransomware that masqueraded as the Petya virus, spread across major European businesses, encrypting data and destroying boot records to render systems unusable. This particularly vicious strain used the EternalBlue exploit leaked from the NSA, which was also used in the WannaCry attack just months prior.

Speaking at Microsoft Ignite in Orlando, Arsenault said the episode remains one of the worst during his 10-year tenure.

"June 27th 2017 at 4:13am," he said. "My phone went off, and I got a notice that one of our vendor's devices in Ukraine had been infected. This was right after WannaCry and what was known as Petya. We recognised right away that this was a problem, and we were worried about the infection spreading - this is what became known as NotPetya, which was vicious ransomware.

"We had seconds to make the decision, and so we cut off all of Ukraine from our network to limit any kind of impact that might happen. As you can imagine, June 27th is fiscal close, so anytime you mess with the network infrastructure... you put that at risk."

"That's the day that I learned the job is about choices," he added. "It's a difference between bad choices and worse choices - and I think I likely just made a bad choice."

Arsenault also recalled a similar split-second decision prompted by Hurricane Maria, the deadly Category 5 hurricane that devastated many parts of Dominica, the US Virgin Islands, and, most applicable to Microsoft, Puerto Rico, which serves as a major processing hub for the company.

"Many people don't know that we have about 365 people there (Puerto Rico)... which is our first priority, but also run 13 critical business processes there. So we did a tabletop exercise - I don't know how many people know how to fly 8,000 gallons of fuel into three feet of water, but it's a pretty fun exercise to go through."

Responding to a question on how he stays positive, the CISO of one of the most targeted companies in the world admitted that it has become harder over the years.

"I try to smile. I've been doing this job for ten years, and I think when I took it over I started sleeping like a baby... I (now) wake up at two in the morning crying every night," he joked.

"But I am positive, I think some of the tools we saw (at Ignite) are amazing... they've reduced my time to resolve by up to 50% with no increase in headcount, and most importantly, the signal you have and the telemetry, combined with the artificial intelligence and machine learning that you use, is really what differentiates your ability relative to the bad guys.

"For the first time that I can remember in the 20 years I've been in this space and the ten years in this job, I believe that the defenders and the good guys actually have the advantage."
