I finally got around to reading the excellent Wired article on NotPetya (Aug 2018), “The Untold Story of NotPetya, the Most Devastating Cyberattack in History.”
One of the items that stood out for me, relating to Maersk’s infrastructure, was this one:
Early in the operation, the IT staffers rebuilding Maersk’s network came to a sickening realization. They had located backups of almost all of Maersk’s individual servers, dating from between three and seven days prior to NotPetya’s onset. But no one could find a backup for one crucial layer of the company’s network: its domain controllers, the servers that function as a detailed map of Maersk’s network and set the basic rules that determine which users are allowed access to which systems.
Maersk’s 150 or so domain controllers were programmed to sync their data with one another, so that, in theory, any of them could function as a backup for all the others. But that decentralized backup strategy hadn’t accounted for one scenario: where every domain controller is wiped simultaneously. “If we can’t recover our domain controllers,” a Maersk IT staffer remembers thinking, “we can’t recover anything.”
I can remember having this conversation with Microsoft in 2003 — how do we backup and recover Active Directory? They looked at me like I had two heads. “Why would you want to do that, it’s replicated to multiple DCs?”
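The practical question behind the Maersk story is whether each domain controller has a real system-state backup, as opposed to merely replicating with its peers. Below is an added example of the kind of check I would run today; it is my own illustration, not code from the Wired article or from Maersk. It assumes the ActiveDirectory and WindowsServerBackup PowerShell modules are available, that WinRM is enabled to every DC, and the 7-day threshold is a constructed value chosen to match the “three to seven days” backup age quoted above.

```powershell
# Added example (not from the post): report the age of the last successful
# Windows Server Backup job on every domain controller, and flag any DC that
# is relying on replication alone.
# Assumptions: WindowsServerBackup module installed on each DC, WinRM enabled,
# and the caller has rights to query both AD and the remote hosts.
# $MaxAgeDays is a constructed threshold, not a value from the article.
param(
    [int]$MaxAgeDays = 7
)

Import-Module ActiveDirectory -ErrorAction Stop

# Enumerate every DC in the current domain.
$dcs = Get-ADDomainController -Filter *

foreach ($dc in $dcs) {
    $result = [pscustomobject]@{
        DomainController = $dc.HostName
        LastBackup       = $null
        AgeDays          = $null
        Status           = 'UNKNOWN'
    }
    try {
        # Get-WBSummary reports the last successful backup recorded by
        # Windows Server Backup on that host (any backup type, including
        # system state taken with 'wbadmin start systemstatebackup').
        $summary = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            Import-Module WindowsServerBackup -ErrorAction Stop
            Get-WBSummary
        } -ErrorAction Stop

        if ($summary.LastSuccessfulBackupTime) {
            $result.LastBackup = $summary.LastSuccessfulBackupTime
            $result.AgeDays    = [int]((Get-Date) - $summary.LastSuccessfulBackupTime).TotalDays
            $result.Status     = if ($result.AgeDays -le $MaxAgeDays) { 'OK' } else { 'STALE' }
        }
        else {
            # No backup has ever completed: this DC exists only as a replica.
            $result.Status = 'NO BACKUP (replication only)'
        }
    }
    catch {
        $result.Status = "ERROR: $($_.Exception.Message)"
    }
    $result
}
```

Any DC reporting NO BACKUP or STALE is in exactly the position the quoted passage describes. The check only confirms that a backup job ran; the backup target itself has to live somewhere that a simultaneous wipe of every domain-joined machine cannot reach (offline media or a store outside the forest), otherwise the replicated-copies problem has just been moved, not solved.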
Over time, that view has obviously changed. A couple of links for further reading: