Cyber Incident Victim: STB

Date:

Jun 2017

Location:

Ukraine

Summary

In June 2017 attackers used trojanized updates to the M.E.Doc accounting software to deploy ransomware and wiper components, including NotPetya, disrupting operations across Ukrainian government institutions, financial entities, critical infrastructure, media outlets such as STB, and commercial enterprises. By compromising the software's update channel (a supply-chain attack) the attackers delivered their payloads to every installation that pulled the update, encrypting systems and demanding Bitcoin payments; forensic analysis linked the activity to the earlier XData and Chthonic campaigns. The evidence pointed to financially motivated actors with limited ransomware development skills, possibly posing as Ukrainian speakers, although the simultaneous targeting of multiple sectors was also consistent with nation-state affiliated activity.

CIA Posture:

Available to members

Motives:

1 motive (details available to members)

Tactics, Techniques & Procedures:

1 technique (details available to members)

Threat Actor:

1 actor

Type:

Available to members

Location:

Available to members

Description

The NotPetya cyber attack occurred in late June 2017 and primarily targeted Ukrainian organizations through a compromised software supply chain. The attack originated from malicious updates to M.E.Doc, a widely used Ukrainian accounting program: the attackers gained control of the software's update mechanism and used it to distribute malware carrying destructive payloads. The initial infection vector was the M.E.Doc update launching a malicious DLL (perfc.dat) through a legitimate Windows system utility, so the payload ran under a trusted parent process. This triggered a chain of events leading to the deployment of ransomware variants including PsCrypt, XData, and NotPetya. Forensic analysis showed that NotPetya functioned primarily as a data-destructive wiper rather than genuine ransomware, since paying the ransom offered no realistic path to recovering the encrypted data.
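The launch chain above (the M.E.Doc process starting a Windows utility that loads perfc.dat) is what a defender can look for in process-creation telemetry. The script below is an added example, not code from this page or from any vendor or victim: it parses constructed Sysmon-style key=value events and flags rundll32 loading perfc.dat, rundll32 loading a module that is not a .dll, and rundll32 spawned by the M.E.Doc process. The loader name rundll32.exe comes from public reporting rather than this page, and the M.E.Doc executable name ezvit.exe is an assumption.

```python
"""Detection sketch for the M.E.Doc -> perfc.dat launch chain.

Added example. Assumes Sysmon-like key=value process-creation events
(constructed below), that the loader is rundll32.exe (public reporting,
not stated on the page) and that M.E.Doc runs as ezvit.exe (assumption).
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Windows\\System32\\rundll32.exe '
    'CommandLine="rundll32.exe C:\\Windows\\perfc.dat,#1 30" '
    'ParentImage=C:\\ProgramData\\Medoc\\Medoc\\ezvit.exe',
    'EventID=1 Image=C:\\Windows\\System32\\rundll32.exe '
    'CommandLine="rundll32.exe shell32.dll,Control_RunDLL" '
    'ParentImage=C:\\Windows\\explorer.exe',
    'EventID=1 Image=C:\\Program Files\\Acme\\updater.exe '
    'CommandLine="updater.exe /check" ParentImage=C:\\Windows\\explorer.exe',
    'EventID=1 Image=C:\\Windows\\System32\\rundll32.exe '
    'CommandLine="RUNDLL32.EXE \\\\fileserver\\share\\PERFC.DAT,#1" '
    'ParentImage=C:\\Windows\\System32\\cmd.exe',
]

MEDOC_PROCESS = "ezvit.exe"  # ASSUMPTION: M.E.Doc main executable name
LOADER = "rundll32.exe"      # reported loader of perfc.dat (not from page)

# key=value pairs; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value event line into a dict (quotes stripped)."""
    out: Dict[str, str] = {}
    for m in KV_RE.finditer(line):
        out[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return out


def basename(path: str) -> str:
    """Lower-cased last path component; accepts both separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def rundll32_module(cmdline: str) -> Optional[str]:
    """Module rundll32 was asked to load: rundll32.exe <module>,<entry> [args].
    Module paths containing spaces are not handled in this sketch."""
    parts = cmdline.split(None, 1)
    if len(parts) < 2:
        return None
    module = parts[1].split(",", 1)[0].strip('"')
    return basename(module)


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event is suspicious (empty list if benign)."""
    reasons: List[str] = []
    if basename(event.get("Image", "")) != LOADER:
        return reasons
    module = rundll32_module(event.get("CommandLine", ""))
    if module == "perfc.dat":
        reasons.append("rundll32 loading perfc.dat (NotPetya DLL name)")
    elif module and not module.endswith(".dll"):
        reasons.append(f"rundll32 loading non-.dll module {module}")
    if basename(event.get("ParentImage", "")) == MEDOC_PROCESS:
        reasons.append("rundll32 spawned by M.E.Doc process")
    return reasons


def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Index and reasons for every flagged event."""
    hits = []
    for i, line in enumerate(lines):
        reasons = evaluate(parse_event(line))
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(why))
```

The non-.dll rule is deliberately broader than the perfc.dat name, because the page describes a DLL disguised under a data-file extension; the parent-process rule catches the same chain even if the file is renamed. Both rules need tuning against an environment's legitimate rundll32 usage before being deployed as alerts.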

STB television channel was among numerous Ukrainian media organizations affected during the widespread outbreak. The same attack simultaneously hit government agencies (Ministry of Finance, National Police), financial institutions (Oschadbank, Ukrgasbank), transportation operators (Ukrainian Railways, Boryspil Airport), and energy companies (Naftogaz, DTEK). The attackers demanded Bitcoin ransoms through three distinct cryptocurrency addresses, with the primary NotPetya address accumulating over 4.13 BTC. Forensic investigators identified code similarities between this attack and the May 2017 incidents involving the Chthonic backdoor and PsCrypt ransomware, suggesting possible actor overlap. The attackers showed moderate technical capability but notable weaknesses in their ransomware implementation, and used Ukrainian-language elements in their operations despite linguistic inconsistencies suggesting non-native authorship. The incident represented one of the first documented cases of a nation-state attack vector being repurposed by financially motivated cybercriminals through supply-chain compromise.
