Cyber Incident Victim: Pivdennyi Bank
Date: Jun 2017
Location: Ukraine
Summary
A ransomware attack primarily targeting Ukrainian entities, including a major bank, was propagated through a compromised update mechanism of widely used tax accounting software, causing widespread disruption to financial institutions, government operations, and critical infrastructure such as radiation monitoring systems. The malware, a modified variant of Petya dubbed NotPetya, exploited known Windows vulnerabilities to irreversibly encrypt files and spread across networks, with forensic evidence indicating its primary purpose was data destruction rather than financial extortion. While affecting global systems through international corporate networks, over 80% of infections occurred in Ukraine, with security researchers and Western governments attributing the attack to Russian military cyber units as part of ongoing hybrid warfare against the country.
Description
The 2017 Ukraine ransomware attacks began on June 27, 2017, when a malicious update was distributed through the servers of M.E.Doc (MeDoc), a widely used Ukrainian tax accounting software. MeDoc's update mechanism had been compromised as early as April or May 2017, allowing attackers to push malware instead of legitimate updates. The software was installed on approximately 1 million computers across Ukraine, serving about 90% of domestic companies. The malware spread rapidly through the automatic update channel, initially hitting Ukrainian financial, governmental, and critical infrastructure organizations before spreading globally. The attack used a modified version of the Petya ransomware, dubbed "NotPetya," which propagated across networks with the EternalBlue exploit and Mimikatz-derived credential theft. NotPetya encrypted Master File Tables and permanently overwrote files while masquerading as ransomware with a $300 ransom demand payable in Bitcoin. Security analysts observed that the malware contained wiping functionality designed to cause irreversible damage rather than generate profit.

Ukrainian entities suffered immediate disruption, including to radiation monitoring systems at the Chernobyl Nuclear Power Plant, ministries, banks (Oschadbank, Prominvestbank, Ukrsotsbank), airports, metro systems, and energy companies. Over 1,500 Ukrainian organizations reported infections. Globally, multinational corporations with Ukrainian operations were affected, including Maersk, Merck, FedEx, Saint-Gobain, and Reckitt Benckiser. The Ukrainian government halted the attack's spread by June 28 through coordinated cybersecurity efforts. Forensic investigations revealed that the attackers had implanted backdoors in MeDoc's systems months earlier, enabling an attack carefully timed for the eve of Ukraine's Constitution Day holiday, when offices were vacant. On July 4, Ukrainian police raided MeDoc's offices and seized servers to prevent further attacks. The Security Service of Ukraine (SBU) attributed the attack to Russian military intelligence (GRU), citing similarities to prior cyber operations such as the 2016 Kyiv power grid hack and the TeleBots attacks on the financial sector. Total damages exceeded $10 billion, with Merck reporting $870 million in losses and Maersk $300 million. The White House formally attributed the attack to Russia in February 2018, calling it the most destructive cyberattack in history.
