NotPetya costs FedEx $300m, now weighs up cyber insurance

The NotPetya malware attack that hit FedEx's European business, TNT Express, cost it $300 million, the parcel delivery giant has revealed.

FedEx confirmed the financial impact of the June 27 NotPetya cyberattack in its first quarter earnings report. Most of the $300m was due to lost revenue, though remediation and response also drove up costs. 

FedEx had previously warned the cyberattack would materially impact its finances, and recently said it did not have cyber insurance to cover the incident. 

FedEx's US operation was unscathed by the attack, however it crippled large parts of its TNT Express European operations. Damaged IT systems also caused widespread service and invoicing delays at TNT Express. 

On a call with analysts, Alan Graf, FedEx’s executive vice president and CFO, said he'd examined the cyber insurance market previously, but concluded it wasn’t mature enough. In light of NotPetya's impact on TNT Express, it will now re-assess cyber security insurance, he said.

“For a long period of time it was very thin, didn’t cover a lot of things that a company would look to cover, much more related to personal information and things of that note. However, as a result of this attack, of course, we are re-examining where the market is, we think it’s getting deeper and we are -- I’m going to go out and see if there’s something that we can develop that would add protection for our company at a reasonable price,” said Graf, according to a Seeking Alpha transcript.   

Graf said the cyber attack currently has a bigger impact on TNT Express' international shipments, while its intra-European business had recovered more quickly. 

TNT revenues remain below what it was earning prior to the attack.

Rob Carter, FedEx’s CIO, confirmed TNT systems were infected through the same vector as other NotPetya victims, including Maersk and Mondalez International, namely a compromised update to MEDocs, an accounting software package widely used by businesses with operations in Ukraine. 

“Like the attack experienced by many other global companies, the attack on the TNT systems originated in Ukraine from specific tax preparation software,” said Carter. 

“This was not an ordinary cyberattack. We believe that this attack was the result of the nation state targeting Ukraine and companies that do business there. It is widely believe that these were weaponized cyber tools that were stolen from the U.S. Government.”

NotPetya malware employed two exploits, called EternalBlue and EternalRomance, that were developed by the NSA and leaked by hacking group ShadowBrokers in April. 

Microsoft had issued patches for both exploits in March, but many businesses had not updated systems. Microsoft claims that Windows 10 defenses can defeat or mitigate both exploits, which worked against Windows 7 systems.  

FedEx expects to recover key "customer specific solutions and systems” by the end of September, Carter said. It’s also accelerating a project to replace TNT Express' legacy systems with FedEx more modern technology platforms. 

“We’ve hardened all of TNT servers and workstations, introduced additional network security controls, rebuilt Active Directory and have started enhancing the segmentation of the TNT network,” said Carter.