
Cyber Incident Victim: Ministry of Finance of Ukraine

Date:

Jun 2017

Location:

Ukraine

Summary

A destructive cyberattack employing the NotPetya malware, which masqueraded as ransomware but was designed to cause irreversible damage, targeted Ukrainian government entities including the Ministry of Finance through a compromised update mechanism of the widely used MeDoc tax accounting software. The attack crippled critical infrastructure such as banks, energy firms, media outlets, and the radiation monitoring systems at Chernobyl, and also spread globally to multinational corporations, causing over $10 billion in damages. Ukrainian authorities and international cybersecurity firms attributed the attack to Russian military hackers (the GRU-linked Sandworm group), citing prior compromises of Ukrainian infrastructure and the combination of the EternalBlue exploit with Mimikatz-derived credential harvesting to maximize disruption during a national holiday period.

CIA Posture: Available to members
Motives: 3 motives
Tactics, Techniques & Procedures: 2 techniques
Threat Actors: 2 actors
Type: Available to members
Location: Available to members

Description

The 2017 cyberattack targeting Ukrainian entities, including government ministries such as the Ministry of Finance, began on June 27 with the distribution of the NotPetya malware through a compromised update mechanism of the widely used MeDoc tax accounting software. MeDoc, installed on approximately 1 million computers in Ukraine and utilized by 90% of domestic firms, served as the primary intrusion vector. Attackers infiltrated MeDoc’s update servers as early as April or May 2017, embedding malicious code that propagated NotPetya across systems during routine software updates. The malware exploited the EternalBlue vulnerability in unpatched Windows systems and leveraged Mimikatz-derived techniques to harvest credentials from memory, enabling lateral movement within networks. Upon execution, NotPetya encrypted Master File Tables and overwrote files irreversibly, rendering data recovery impossible despite ransom demands of $300 in Bitcoin. The attack coincided with Ukraine’s Constitution Day holiday, maximizing disruption while government offices were minimally staffed.


Ukrainian critical infrastructure suffered extensive damage: the radiation monitoring system at Chernobyl Nuclear Power Plant was disabled, while ministries, banks, airports, and energy companies experienced operational paralysis. Over 1,500 entities reported impacts domestically, including State Savings Bank of Ukraine and Ukrainian Railways. The malware spread globally via multinational corporate networks, affecting companies like Maersk, Merck, and Reckitt Benckiser, with total damages exceeding $10 billion. Ukrainian authorities halted the attack’s spread by June 28 through coordinated cybersecurity efforts. Subsequent forensic analysis revealed backdoors in MeDoc’s systems, prompting a July 4 police raid on its developer, Intellect Service, whose servers were seized. The Security Service of Ukraine (SBU) attributed the attack to Russian military intelligence (GRU), citing similarities to prior cyber operations like the 2016 Kyiv power grid outage. International corroboration emerged in 2018, with the U.S. and UK governments formally accusing Russia of deploying NotPetya as part of a disruptive campaign against Ukraine. Despite Russian denials, evidence pointed to the Telebots hacking group, linked to GRU, as the perpetrator.

Sources: 1 source (available to members)