Cyber Incident Victim: Beiersdorf

Date:

Jun 2017

Location:

Ukraine

Summary

A ransomware attack utilizing the NotPetya malware targeted multinational corporations and critical infrastructure, including a German consumer goods manufacturer known for skincare products. The attack originated in Ukraine and Russia, disrupting operations at entities such as a major Russian oil company, a Danish shipping firm, pharmaceutical laboratories, French construction and retail businesses, and port logistics in India. Systems were encrypted with demands for $300 in cryptocurrency to restore access, though Ukrainian authorities claimed containment with cybersecurity teams working to recover data. Over 2,000 users were primarily affected across the initial regions, with security analysts identifying the malware as a distinct variant rather than an iteration of prior ransomware like Petya or WannaCry.

Description

The NotPetya cyberattack emerged on June 27, 2017, initially targeting organizations in Ukraine and Russia before spreading internationally. This ransomware attack encrypted victims' systems, demanding a $300 Bitcoin ransom for decryption. The malware exploited vulnerabilities similar to those used in the WannaCry attack that had disrupted global systems in May 2017. Among the primary victims were critical infrastructure operators, including the Chernobyl nuclear site's radiation monitoring systems and Kiev's Boryspil International Airport.

The attack rapidly expanded beyond Ukraine's borders, affecting multinational corporations across multiple sectors. German skincare company Beiersdorf, manufacturer of Nivea products, was confirmed among the affected organizations, though specific operational impacts weren't detailed in public reports. Other major corporate victims included Russian oil giant Rosneft, Danish shipping conglomerate Maersk, American pharmaceutical firm Merck, French construction materials leader Saint-Gobain, and British advertising group WPP. In France, additional affected entities included retail chain Auchan, national railway SNCF, and a real estate subsidiary of BNP Paribas. The attack's secondary effects created logistical disruptions, particularly at India's Port of Bombay, where the failure of Maersk's systems threatened a container backlog. Kaspersky Labs reported over 2,000 confirmed infections, with Ukraine and Russia bearing the heaviest concentration of victims.

Ukrainian authorities declared the attack "stopped" by June 28 through coordinated cybersecurity efforts, though recovery operations continued. The government's cybersecurity teams worked to restore lost data across affected systems while maintaining that the situation remained under control. International law enforcement responded with investigations, including the Paris prosecutor's office opening a formal inquiry into the incident.

Forensic analysis by Kaspersky Labs determined NotPetya wasn't merely an updated version of the earlier Petya ransomware but represented a distinct malware variant with more destructive capabilities. Unlike typical ransomware, NotPetya's encryption mechanisms reportedly made complete data recovery impossible even after ransom payment, suggesting primarily disruptive rather than financial motives. The attack caused widespread operational paralysis at major corporations, though specific downtime durations and financial losses for individual companies like Beiersdorf weren't publicly quantified. Supply chain disruptions emerged as a significant secondary impact, particularly through Maersk's global shipping network complications. By late June, security researchers had confirmed the malware's propagation through compromised software updates in Ukraine, though attribution remained formally undetermined. The incident highlighted vulnerabilities in multinational corporations' digital infrastructure and their reliance on interconnected supply chain partners.