
Cyber Incident Victim: TASKomertsbank

Date:

Jun 2017

Location:

Ukraine

Summary

A cyberattack utilizing the NotPetya malware, masquerading as ransomware but designed to cause irreversible system damage, targeted Ukrainian infrastructure through a compromised update mechanism of widely used tax accounting software. The incident disrupted critical services including banking operations, radiation monitoring at Chernobyl, transportation, and government functions, while also spreading globally to multinational corporations, resulting in billions in damages. Ukrainian authorities and international cybersecurity firms attributed the attack to Russian military-linked actors, citing prior patterns of cyber aggression, though Russia denied involvement.

CIA Posture: Available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 2 actors
Type: Available to members
Location: Available to members

Description

The 2017 cyberattack involving TASKomertsbank, part of the broader NotPetya ransomware campaign, began on June 27, 2017, with initial infections traced to a compromised update mechanism of the Ukrainian tax accounting software MeDoc (M.E.Doc). MeDoc, developed by Intellect Service and used by approximately 90% of Ukrainian businesses, had its update server deliver malicious payloads disguised as legitimate software updates, enabling rapid propagation across domestic networks. The malware, a modified variant of Petya dubbed NotPetya, exploited the EternalBlue vulnerability in unpatched Windows systems—a flaw previously leveraged in the WannaCry attack—and used Mimikatz-derived techniques to harvest credentials from memory, facilitating lateral movement within networks. Upon execution, NotPetya encrypted Master File Tables and overwrote files irreversibly, rendering decryption impossible despite ransom demands of $300 in Bitcoin. The attack coincided with Ukraine’s Constitution Day holiday, maximizing disruption because government offices were minimally staffed.


The incident severely impacted Ukrainian critical infrastructure, including banks like Oshchadbank and State Savings Bank of Ukraine, government ministries, energy firms, and transportation systems such as Kyiv Metro and Boryspil International Airport. Chernobyl’s radiation monitoring system was forced offline, though manual operations prevented safety breaches. Globally, multinational corporations with Ukrainian ties—including Merck, Maersk, FedEx’s TNT Express, and Reckitt Benckiser—suffered operational paralysis, with total damages exceeding $10 billion. Ukraine’s National Police registered over 1,500 victim reports, while international entities faced prolonged recovery; TNT Express’s delivery disruptions persisted for weeks. Ukrainian authorities halted the attack’s spread by June 28 through coordinated cybersecurity efforts, and on July 4, police raided Intellect Service’s offices, seizing servers to eliminate backdoors planted as early as April 2017. Attribution investigations by Ukraine’s Security Service (SBU) and firms like ESET linked the attack to Russian military groups (TeleBots/Sandworm), citing similarities to prior BlackEnergy incidents targeting Ukrainian infrastructure. The U.S. and UK governments later formally accused Russia’s GRU of orchestrating the attack, which Moscow denied.
