Cyber Incident Victim: Naftogaz of Ukraine

Date: Jun 2017

Location: Ukraine

Summary

A destructive cyberattack employing modified ransomware called NotPetya targeted Ukrainian critical infrastructure through a compromised update mechanism of widely used tax accounting software, causing widespread disruption to banks, government ministries, energy firms, and transportation systems, including radiation monitoring at Chernobyl. The malware, designed to irreversibly damage systems rather than extort payments, spread globally via corporate networks, impacting multinational companies and resulting in over $10 billion in damages. Ukrainian authorities and international cybersecurity firms attributed the attack to Russian military hackers, citing similarities to previous operations by groups linked to Russia's GRU, though Russian officials denied involvement.


Description

The 2017 cyberattack targeting Ukrainian organizations, commonly referred to as NotPetya, commenced on 27 June 2017 with the distribution of malware through a compromised update mechanism of the M.E.Doc tax accounting software. Developed by Intellect Service and used by approximately 90% of Ukrainian businesses, M.E.Doc's update server delivered malicious code disguised as a routine software patch. This delivery method enabled rapid propagation, with ESET estimating that 80% of infections occurred in Ukraine. The malware, a modified variant of the Petya ransomware dubbed NotPetya, spread laterally across networks using the EternalBlue exploit (which targets a vulnerability in older Windows systems that Microsoft had patched in March 2017) together with Mimikatz-style credential-harvesting tools. Upon execution, it encrypted Master File Tables and overwrote files irreversibly, so that data could not be recovered even though the malware displayed a ransom demand of $300 in Bitcoin. The attack coincided with Ukraine's Constitution Day holiday, exploiting reduced staffing levels to maximize disruption. Critical infrastructure impacts included the disabling of radiation monitoring systems at the Chernobyl Nuclear Power Plant and disruptions to Boryspil International Airport, Ukrainian Railways, state banks such as Oschadbank, and government ministries. Over 1,500 entities reported infections to Ukrainian authorities, and collateral damage reached multinational corporations including Maersk, Merck, and Reckitt Benckiser through their global network connections.

Ukrainian authorities declared the attack contained by 28 June, though forensic investigations revealed a backdoor in M.E.Doc's systems dating to at least May 2017, indicating prolonged attacker access before the payload was pushed. On 4 July, police raided Intellect Service's offices, seizing servers to prevent further exploitation. The Security Service of Ukraine (SBU) attributed the attack to Russian military intelligence (GRU), linking it to prior operations by the TeleBots and BlackEnergy groups, which had targeted Ukrainian energy and financial sectors since 2014. International corroboration followed, with the U.S. CIA and the UK Ministry of Defence formally accusing Russia in 2018. Financial losses exceeded $10 billion globally, with Merck reporting $870 million in damages, FedEx $400 million, and Maersk $300 million. Reckitt Benckiser cited a 2% quarterly sales decline ($130 million) due to supply chain disruptions. While ransom payments were minimal (approximately $10,000 collected), subsequent messages posted via the Tor network demanded exorbitant sums; decryption nevertheless proved impossible because of the malware's destructive design. The incident underscored systemic vulnerabilities in software supply chains and catalyzed enhanced cybersecurity cooperation between Ukraine and NATO.
