Cyber Incident Victim: TNK
Date: Jun 2017
Location: Ukraine
Summary
A ransomware attack primarily targeting Ukrainian entities spread globally through a compromised update mechanism of widely used tax accounting software, causing widespread disruption to critical infrastructure, financial institutions, and government systems. The malware, a modified variant of Petya dubbed NotPetya, employed exploits like EternalBlue and credential theft tools to propagate across networks, irreversibly destroying data rather than providing recoverable encryption. While masquerading as ransomware for financial gain, evidence indicated the attack aimed to cripple the country's infrastructure, with subsequent attributions by multiple governments pointing to state-sponsored Russian military involvement. Global corporations with Ukrainian operations suffered collateral damage, incurring billions in losses due to system outages and data destruction.
Description
The 2017 Ukraine ransomware attacks began on June 27 with the distribution of NotPetya malware through a compromised update mechanism of the M.E.Doc tax accounting software, widely used by approximately 90% of Ukrainian businesses. This supply-chain attack leveraged the software's automatic update system to deliver malicious payloads instead of legitimate updates, rapidly infecting an estimated 1 million computers in Ukraine. The malware exploited the EternalBlue vulnerability in unpatched Windows systems and utilized Mimikatz credential theft techniques to propagate laterally across networks. Primary impact occurred within Ukraine's critical infrastructure, disrupting operations at the Chernobyl Nuclear Power Plant's radiation monitoring system, multiple government ministries (including finance and infrastructure), state-owned banks like Oshchadbank, transportation networks including Kyiv Metro and Boryspil International Airport, and energy provider Ukrenergo. The attack coincided with Ukraine's Constitution Day holiday, maximizing disruption during reduced staffing.

Ukrainian authorities declared the attack contained by June 28 through coordinated cybersecurity efforts, though forensic investigations revealed the M.E.Doc compromise dated back to at least May 15, with evidence of backdoors enabling persistent access. On July 4, Ukrainian police raided M.E.Doc developer Intellect Service, seizing servers to prevent further attacks. The malware's design permanently destroyed data through irreversible encryption and disk wiping, despite ransom demands of $300 in Bitcoin per device. Attribution investigations by Ukraine's Security Service (SBU) identified Russian military intelligence (GRU) links through similarities to prior TeleBots and BlackEnergy attacks against Ukrainian infrastructure. International security firms and governments including the U.S. and UK later confirmed state-sponsored Russian involvement. Global collateral damage affected multinational corporations with Ukrainian operations, including Merck ($870 million losses), Maersk ($300 million), FedEx ($400 million), and Reckitt Benckiser ($130 million), with total damages exceeding $10 billion. Ukrainian critical infrastructure operators restored manual operations within days, while international corporations required weeks to months for full system recovery.
