Cyber Incident Victim: DTEK
Date: Jun 2017
Location: Ukraine
Summary
A ransomware attack utilizing the Petya.A cryptoworm targeted Ukrainian infrastructure, including energy company DTEK, disrupting critical services across financial, energy, transport, and government sectors. The malware encrypted hard drives and demanded Bitcoin payments, spreading through phishing emails and exploiting vulnerabilities in Windows systems and compromised accounting software. Impacts included widespread ATM failures, halted banking operations, manual check-ins at airports, disabled radiation monitoring at Chornobyl, and paralyzed corporate IT systems. The attack also affected international entities, leveraging exploits previously linked to the Shadow Brokers group, with Ukraine identified as the primary target through infection patterns. Service disruptions persisted as organizations implemented manual processes while cybersecurity teams worked to contain the outbreak.
Description
On June 27, 2017, a widespread cyberattack utilizing Petya.A ransomware targeted Ukrainian critical infrastructure and commercial entities, rapidly escalating into an international incident. The attack commenced around 15:00 Kyiv time with a mass email campaign distributing malicious attachments. Upon execution, the ransomware encrypted entire hard drive partitions on Microsoft Windows systems, displaying a ransom note demanding $300 in Bitcoin for decryption. Early victims included Oshchadbank state bank, where ATMs and card services failed, and energy companies Dniproenergo, Zaporizhzhiaenergo, and Kyivenergo, where reports indicated 99% of computers were encrypted. By 16:40, Ukrainian government systems were compromised, including the Cabinet of Ministers (where Deputy PM Pavlo Rozenko confirmed network failure), the National Police, and Cyber Police websites. Transport infrastructure suffered disruptions, with Boryspil International Airport implementing manual operations after a "spam attack," while Kyiv Metro suspended electronic payments. Media outlets like TRK Luks (operator of 24 Kanal TV and Radio Luks) experienced complete broadcast blackouts, and news site Korrespondent.net went offline. The malware spread laterally through multiple vectors, including the EternalBlue exploit (previously used by WannaCry), Windows administrative tools like psexec.exe, and WMIC commands, enabling rapid network propagation.

By evening, the attack expanded beyond Ukraine, affecting multinational corporations including Danish shipping firm Maersk, British advertising conglomerate WPP, Russian oil giant Rosneft, and an Australian Cadbury factory. Ukraine’s State Service of Special Communication confirmed that state e-resources protected under its national cyberdefense system remained unaffected, though unsecured systems at ministries, banks, and utilities faced severe operational paralysis. The National Bank of Ukraine issued warnings about the "external cyber attack," while the Cyber Police identified vulnerabilities in M.E.Doc accounting software as the initial infection vector. Critical infrastructure impacts included manual radiation monitoring at Chornobyl Nuclear Power Plant and disruptions at pharmaceutical firms like Farmak. Security researchers from Trend Micro and Symantec analyzed Petya’s master boot record encryption, noting its 2016 origins and warning victims that ransom payments (totaling ~$7,500) were futile because the decryption channels had been disabled. Mitigation efforts included a workaround by researcher Amit Serper to block malware execution and partial service restoration at Ukraine’s Government Portal by 18:44. The incident caused estimated losses of hundreds of millions of dollars globally, with Europol coordinating international response efforts amid accusations of Russian state involvement based on ESET’s infection-tracking data showing Ukraine as the primary target.
