Cyber Incident Victim: Korrespondent.net
Date: Jun 2017
Location: Ukraine
Summary
A destructive cyberattack utilizing the NotPetya malware, masquerading as ransomware but designed to cause irreversible damage, targeted Ukrainian organizations through a compromised update mechanism of widely used tax accounting software. The attack crippled critical infrastructure including banks, government ministries, energy firms, and transportation systems, while also spreading globally to multinational corporations through interconnected networks. Primary impacts included permanent data destruction, operational disruptions at facilities like the Chernobyl Nuclear Power Plant, and billions in financial losses across affected entities. Ukrainian authorities and international cybersecurity firms attributed the attack to Russian military actors, citing similarities to prior operations by groups linked to Russian intelligence services.
Description
On June 27, 2017, a large-scale cyberattack using modified Petya malware, later termed NotPetya or Nyetya, began targeting Ukrainian organizations through compromised updates of the M.E.Doc tax accounting software. The malware was distributed via the automatic update mechanism of M.E.Doc, a critical financial application used by approximately 90% of Ukrainian businesses and installed on an estimated 1 million computers nationwide. Security researchers determined that attackers had implanted a backdoor in M.E.Doc's update servers as early as April or May 2017, enabling delivery of the malicious payload. NotPetya employed multiple propagation methods, including the EternalBlue exploit against unpatched Windows systems and Mimikatz-derived credential theft tools, to spread laterally across networks. Upon execution, it overwrote critical system files and master boot records while masquerading as ransomware with a $300 Bitcoin payment demand, though decryption was impossible because the file destruction was permanent.

The attack caused widespread disruption across Ukraine's critical infrastructure, affecting government ministries, banks including Oshchadbank and State Savings Bank, energy firms like UkrGasVydobuvannya, transportation systems including Kyiv Metro and Boryspil International Airport, and media outlets such as the STB and ICTV television channels. Chernobyl Nuclear Power Plant's radiation monitoring systems were forced offline, requiring manual measurements. Although Ukraine accounted for 80% of infections, global multinationals with Ukrainian operations, including Merck & Co., Maersk, FedEx's TNT Express, Reckitt Benckiser, and Saint-Gobain, suffered significant operational disruptions, with total damages later estimated at over $10 billion. Ukrainian authorities declared the attack contained by June 28 following cybersecurity interventions, though subsequent forensic analysis revealed persistent backdoors in M.E.Doc systems, prompting a July 4 police raid to seize the company's servers. The Security Service of Ukraine (SBU) attributed the attack to Russian military intelligence (GRU), citing similarities to prior TeleBots and BlackEnergy campaigns against Ukrainian infrastructure, while international intelligence agencies including the U.S. CIA and the UK Ministry of Defence later confirmed state-sponsored Russian involvement.
