Cyber Incident Victim: Reckitt Benckiser

Date: Jun 2017

Location: Ukraine

Summary

A widespread cyberattack leveraging NSA-derived exploits initially targeted Ukrainian entities but caused global collateral damage, disrupting multinational corporations including Reckitt Benckiser. The consumer goods manufacturer experienced severe supply chain interruptions, forcing reduced sales forecasts equivalent to approximately $130 million due to impaired manufacturing and distribution capabilities. Similar impacts crippled other organizations worldwide, with data destruction and operational halts affecting tens of thousands of systems. Forensic analysis indicated the attack exploited vulnerabilities in Microsoft software through tools leaked by the Shadow Brokers group, mirroring techniques used in prior global ransomware incidents. While initial evidence suggested Russian involvement, attribution remained unconfirmed as the attack also impacted Russian entities.

Description

The NotPetya cyberattack emerged on or around June 27, 2017, initially targeting Ukrainian government agencies, banks, and businesses through compromised accounting software widely used in the country. The malware rapidly propagated globally via vulnerabilities in Microsoft Windows systems, leveraging exploits originally developed by the U.S. National Security Agency that had been leaked by the Shadow Brokers hacker group in April 2017. Within minutes of infection, the wiper malware encrypted or destroyed data on infected systems, causing catastrophic operational disruptions. Multinational corporations with Ukrainian business connections suffered extensive collateral damage, including Reckitt Benckiser, Mondelez International, Nuance Communications, and the law firm DLA Piper. At Mondelez, approximately 30,000 employee devices and thousands of servers were rendered inoperable within 20 minutes, forcing production shutdowns at facilities worldwide, including a Cadbury chocolate factory in Tasmania. Nuance Communications' system failures prevented U.S. hospitals from creating electronic medical records for over a week. The attack coincided with Ukraine's Constitution Day celebrations, affecting nearly 2,000 Ukrainian organizations during a national holiday period.

Reckitt Benckiser reported significant supply chain disruptions from NotPetya, particularly impacting manufacturing and distribution systems for products like Lysol disinfectants. On July 6, 2017, the company revised its annual sales growth forecast downward from 3% to 2%, representing an estimated $130 million revenue loss based on prior-year figures. While Mondelez managed to restore a "critical majority" of systems within days, Reckitt's financial guidance adjustment indicated longer-term operational consequences. DLA Piper implemented graduated system restoration with enhanced security safeguards, while Nuance Communications remained unable to provide full recovery timelines. NATO officials debated whether the attack warranted invoking Article 5 mutual defense provisions, subsequently pledging cybersecurity assistance to Ukraine. U.S. Homeland Security Advisor Thomas Bossert noted the attack's apparent lack of discrimination, as Russian state-owned oil company Rosneft also suffered impacts. Microsoft President Brad Smith publicly criticized the NSA for failing to secure its stolen cyber weapons, which enabled both NotPetya and the earlier WannaCry ransomware attacks. Forensic investigations by firms like AlienVault confirmed that the attack's destructive capabilities particularly affected organizations without robust security practices.
