
Cyber Incident Victim: KredoBank

Date:

Jun 2017

Location:

Ukraine

Summary

A cyber attack targeting Ukrainian entities, including KredoBank, leveraged a compromised update of the M.E.Doc accounting software to distribute destructive malware, including NotPetya and ransomware variants such as XData and PsCrypt. The incident disrupted operations across multiple sectors, affecting government institutions, financial organizations, transportation systems, media outlets, and critical infrastructure providers. Attackers used Bitcoin addresses for ransom demands, with forensic analysis suggesting financial motivation and possible involvement of non-native Ukrainian speakers posing as locals. The supply-chain attack method exploited trusted software updates, leading to widespread encryption of systems and data destruction, while subsequent investigations identified similarities to earlier malware campaigns such as Chthonic, indicating potential links to broader nation-state affiliated activity.

CIA Posture:

Available to members

Motives:

1 motive

Tactics, Techniques & Procedures:

1 technique

Threat Actor:

1 actor

Type:

Available to members

Location:

Available to members

Description

The NotPetya cyber attack, occurring on or around June 27, 2017, targeted numerous Ukrainian organizations through a supply-chain compromise of the M.E.Doc accounting software. Attackers distributed malicious updates to M.E.Doc users; these updates executed ransomware-like payloads including PsCrypt, XData, and the primary NotPetya wiper. The malware propagated rapidly across networks using stolen credentials and the EternalBlue exploit, affecting critical infrastructure sectors nationwide. Among financial institutions, KredoBank was confirmed as an impacted entity alongside Oschadbank, Sberbank, Ukrgasbank, and others. The attack encrypted systems while masquerading as ransomware, though forensic analysis revealed that NotPetya's true purpose was irreversible data destruction through master boot record overwriting. Three distinct Bitcoin wallets were associated with the attack, receiving payments totaling approximately 0.61136765 BTC (PsCrypt), 0.5105 BTC (WannaCry variant), and 4.13528947 BTC (NotPetya). M.E.Doc's developer initially denied responsibility, asserting that their update process included antivirus vendor validation prior to release.

The incident caused widespread operational disruption across Ukraine's public and private sectors. Beyond KredoBank, affected entities included government ministries, energy providers (Naftogaz, DTEK), transportation hubs (Boryspil Airport, Ukrainian Railways), media outlets, and healthcare facilities. Forensic evidence linked the attack to earlier malware campaigns, including the May 2017 XData ransomware and Chthonic backdoor infections that similarly exploited compromised software updates. Attackers demonstrated familiarity with Ukrainian accounting practices but exhibited technical inconsistencies in their ransom implementation, such as using a single Bitcoin address per variant and flawed decryption mechanisms. The campaign displayed characteristics of financially motivated actors collaborating with nation-state interests, evidenced by the precision of sector targeting and the weaponization of legitimate software updates. Recovery efforts were complicated by NotPetya's wiper functionality, which rendered data unrecoverable regardless of ransom payment. Subsequent analysis identified infrastructure overlaps with prior attacks against Ukrainian targets, though attribution remained inconclusive on the available evidence.

Sources
Sources available to members
1 source