
Cyber Incident Victim: Kyivvodokanal

Date:

Jun 2017

Location:

Ukraine

Summary

A ransomware attack primarily targeting Ukrainian infrastructure utilized a modified version of Petya malware, distributed through a compromised update mechanism of widely used tax accounting software. The malware, designed to cause permanent data destruction rather than facilitate ransom payments, crippled critical systems including financial institutions, energy providers, transportation networks, and telecommunications services. The incident significantly disrupted operations at Chernobyl's radiation monitoring system, government ministries, and major corporations, with collateral damage affecting multinational companies globally. Ukrainian authorities and international cybersecurity firms attributed the attack to Russian military-linked actors, citing prior patterns of cyber aggression and forensic evidence of planned infiltration through backdoors in the software supply chain. The event caused billions in damages across affected organizations.

CIA Posture: Available to members
Motives: 3 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 2 actors
Type: Available to members
Location: Available to members

Description

The 2017 cyberattack targeting Ukrainian infrastructure began on June 27 through a compromised update mechanism of the M.E.Doc tax accounting software, widely used by approximately 90% of Ukrainian businesses. Attackers infiltrated the update servers of M.E.Doc's developer, Intellect Service, as early as April or May 2017, implanting a backdoor that delivered the NotPetya malware disguised as a routine software patch. This modified ransomware used the EternalBlue exploit against unpatched Windows systems and Mimikatz-derived techniques to harvest credentials from memory, enabling lateral movement across networks. Within hours, the malware crippled critical Ukrainian entities including government ministries, banks (Oschadbank, Ukrsotsbank), energy firms (DTEK), transportation systems (Ukrainian Railways, Kyiv Metro), and the Chernobyl Nuclear Power Plant's radiation monitoring system. Kyivvodokanal, Kyiv's municipal water utility, was among the 1,500+ confirmed victims reporting operational disruptions.


The attack coincided with Ukraine's Constitution Day holiday, maximizing impact as offices were minimally staffed. NotPetya's encryption routines permanently destroyed data by overwriting files and master boot records, rendering recovery impossible despite ransom demands of $300 in Bitcoin. Ukrainian cyber police contained the outbreak by June 28 through coordinated network isolation efforts and seized M.E.Doc's servers on July 4 after discovering persistent backdoors. Forensic investigations by ESET and Cisco Talos confirmed the malware's deliberate targeting of Ukrainian infrastructure, with 80% of global infections occurring there. International collateral damage affected multinational corporations including Maersk, Merck, and Reckitt Benckiser, causing cumulative losses exceeding $10 billion. The Security Service of Ukraine (SBU) attributed the attack to Russian military intelligence (GRU), citing similarities to prior BlackEnergy and TeleBots campaigns against Ukrainian energy and financial sectors. In February 2018, the White House formally accused Russia of deploying NotPetya, emphasizing its destructive intent against Ukrainian critical infrastructure under the guise of ransomware.

Sources
Sources available to members
1 source