Cyber Incident Victim: XakNet
Date:
Jun 2017
Location:
Ukraine
Summary
A large-scale cyberattack using the Petya.A ransomware hit Ukrainian critical infrastructure, including banks, energy companies, media outlets, and government institutions, disrupting operations and demanding payment in Bitcoin. The malware was first reported as arriving through a mass email campaign; once on a host it encrypted whole disk partitions rather than individual files and propagated across networks using the EternalBlue SMB exploit, reaching state banks, energy providers, airports, and the radiation monitoring system at Chernobyl. International organizations including Maersk, Rosneft, and Cadbury were also compromised. Ukrainian authorities described the incident as unprecedented but stated that vital systems remained unaffected, while early investigation pointed to the M.E.Doc accounting software as the initial attack vector. Security vendors noted the ransomware's unusual overwriting of the master boot record and advised against paying the ransom because the attackers' payment channel had been shut down, leaving no way to obtain a decryption key.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On June 27, 2017, a large-scale cyberattack disrupted Ukrainian critical infrastructure and spread internationally. It was first detected around 15:00 local time as a mass email campaign distributing ransomware. The malware, identified as Petya.A, targeted Microsoft Windows systems, encrypting entire disk partitions rather than individual files and demanding $300 in Bitcoin for decryption. Early victims included the state-owned Oshchadbank, which suspended client services and ATM operations, causing payment-card rejections at supermarket chains such as ATB and in transport systems including the Kyiv Metro. The energy companies Dniproenergo, Zaporizhzhiaenergo, and Kyivenergo reported near-total encryption of their computers, while media companies such as TRK Luks (parent of 24 Kanal TV and Radio Luks) experienced broadcast blackouts. Government systems were compromised, including the Cabinet of Ministers, the National Police and Cyber Police websites, and operations at Boryspil International Airport, which was forced to process passengers manually. By 17:27 four more banks (Pivdennyi, TASkombank, OTP Bank, and Ukrgazbank) had confirmed infections, deepening the disruption to the financial sector.

The attack rapidly expanded beyond Ukraine, affecting Rosneft in Russia, Maersk in Denmark, WPP in the UK, and Cadbury's Australian operations. Europol's Executive Director acknowledged the incident as another major ransomware event, and ESET's infection telemetry indicated Ukraine as the primary target. Ukrainian authorities attributed the initial compromises to the M.E.Doc accounting software. Critical infrastructure impacts included the Chornobyl Nuclear Power Plant switching its radiation monitoring system to manual mode. The State Service of Special Communication and Information Protection asserted that the state e-resources under its protection remained unaffected, although Deputy PM Pavlo Rozenko posted images of paralyzed Cabinet of Ministers computers. Symantec and Trend Micro analyzed how Petya overwrites the master boot record, and confirmed that roughly $7,500 had been paid to the ransom address even though the attackers' payment email account had already been shut down, so paying could not yield a key. McAfee described three propagation mechanisms: the EternalBlue SMBv1 exploit against unpatched hosts, and remote execution on hosts reachable with credentials harvested from the infected machine via PsExec (psexec.exe) and Windows Management Instrumentation. Mitigation efforts included a widely circulated workaround: creating a read-only file named "perfc" in the Windows directory, whose presence causes the malware to exit before encrypting the host. Prime Minister Volodymyr Groysman called the attack "unprecedented" but said vital systems were intact. International media coverage highlighted Ukraine's official Twitter response using a "This is fine" meme, reflecting the incident's global notoriety amid ongoing geopolitical tensions.
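The two host-level defenses mentioned above, the "perfc" kill-switch file and closing the SMBv1 path used by EternalBlue, can be applied with a short script. The following is an added example written for this page, not code from the incident report or from any vendor named on it. The page only names a file called perfc; the perfc.dat and perfc.dll variants are an assumption added for coverage, and the script assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later, where the SMB server cmdlets exist.

```powershell
# Added example: vaccinate a Windows host against the 2017 Petya/NotPetya
# kill switch and remove the SMBv1 surface that EternalBlue exploits.
# Run from an elevated PowerShell session. Assumptions are marked inline.

$windir = $env:SystemRoot   # normally C:\Windows

# The incident write-ups name a file called "perfc" in the Windows directory.
# The .dat and .dll variants are an assumption added here, not from the page.
$vaccineNames = @('perfc', 'perfc.dat', 'perfc.dll')

foreach ($name in $vaccineNames) {
    $path = Join-Path $windir $name
    if (-not (Test-Path -LiteralPath $path)) {
        # An empty file is enough: the malware only checks that the name exists.
        New-Item -ItemType File -Path $path | Out-Null
    }
    # Read-only so a later process cannot casually overwrite or delete it.
    Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
    Write-Output ("vaccine file present: {0}" -f $path)
}

# EternalBlue targets SMBv1. Disabling the SMBv1 server removes that
# propagation path; it does not stop PsExec/WMI lateral movement, which
# still needs credential hygiene and patching.
if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    Write-Output ("SMB1 protocol enabled: {0}" -f $smb1)
} else {
    Write-Output "SMB server cmdlets not available on this OS; disable SMBv1 via Windows Features instead."
}
```

The kill-switch file is a stopgap specific to this sample family and is no substitute for installing the SMB patch that EternalBlue exploits; the SMBv1 change, by contrast, also blocks other SMBv1-based worms and should be kept in place after verifying nothing on the network still depends on the protocol.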
