
Cyber Incident Victim: State Savings Bank of Ukraine

Date: Jun 2017

Location: Ukraine

Summary

Oschadbank was disrupted by a destructive malware campaign, later identified as NotPetya, delivered through a compromised update mechanism of the Ukrainian tax software MeDoc. The attack encrypted systems across multiple Ukrainian critical infrastructure entities and spread globally, affecting international corporations. While presenting as ransomware, its primary function was data destruction, and recovery was impossible in many cases. The institution restored operations within days. Security assessments attributed the attack to Russian military actors targeting Ukrainian systems, with collateral damage exceeding $10 billion worldwide. Ukrainian authorities linked the incident to ongoing cyber operations targeting state functions during a national holiday period.


Description

On June 27, 2017, a significant cyberattack utilizing ransomware began spreading across Ukraine, targeting a wide range of organizations, including government institutions, financial entities, transportation systems, and critical infrastructure. This attack, which leveraged a variant of the Petya ransomware, had a particularly damaging impact on Ukrainian systems and soon drew attention from security experts worldwide. The incident has been characterized as a sophisticated and coordinated campaign, exploiting multiple vulnerabilities and indicating a high level of technical proficiency by the perpetrators.


The ransomware, which became known as NotPetya, represented a significant departure from traditional ransomware behavior. Unlike typical ransomware, which primarily targets data encryption for monetary gain, NotPetya was designed to cause widespread disruption and data loss. It achieved this by not only encrypting critical files but also overwriting and corrupting data, making recovery extremely challenging. This distinctive behavior suggested that the attackers' primary objective may not have been financial gain, but rather, to inflict maximum damage on Ukrainian systems and disrupt critical functions.

The attack vector for the NotPetya ransomware was particularly insidious. Security investigations revealed that the infection initially spread through a compromised update of a widely used Ukrainian tax accounting software called MeDoc. MeDoc pushed periodic updates to its users; on the day of the attack a malicious update was distributed, and users who downloaded it unknowingly initiated the ransomware infection. This tactic allowed the attackers to quickly compromise a large number of systems, as MeDoc was estimated to have around 400,000 customers in Ukraine, including approximately 90% of domestic firms.

The impact of the NotPetya cyberattack was extensive and far-reaching. Crucial computer files were overwritten, rendering them permanently damaged or inaccessible. This resulted in significant disruptions to various sectors in Ukraine. For example, the radiation monitoring system at the Chernobyl Nuclear Power Plant went offline during the attack. Additionally, banks, metro systems, airports, and state-owned enterprises were affected, hindering their ability to provide essential services and maintain operational continuity.

The financial toll of the attack was substantial. Many companies experienced losses due to disrupted operations and data recovery challenges. Notably, the cost of the attack extended beyond Ukraine, as the ransomware spread globally, impacting multinational companies with offices or operations in Ukraine. Some of the affected international businesses included Maersk, FedEx, Merck, and Reckitt Benckiser. The overall financial impact was estimated to be in the billions of dollars, underscoring the severe economic consequences of the attack.

Security experts and government officials attributed the NotPetya cyberattack to a Russian military hacker group known as "Sandworm." This group has been linked to previous cyberattacks targeting Ukrainian infrastructure, suggesting a pattern of hostile activity. The motivation behind the attack was believed to be multifaceted. While financial gain may have played a role, the timing of the attack—coinciding with a Ukrainian public holiday—and the targeted nature of the infections indicated a deliberate effort to disrupt Ukrainian state functions and critical infrastructure.

The NotPetya cyberattack highlighted the vulnerabilities inherent in interconnected digital systems and the potential for malicious actors to exploit these weaknesses to cause widespread disruption. It served as a stark reminder of the evolving nature of cyber threats and the increasing sophistication of malicious hacker groups. In the aftermath of the attack, organizations and governments alike reevaluated their cybersecurity measures, recognizing the urgent need for robust defenses and proactive strategies to safeguard against future incidents.

The response to the incident involved a collaborative effort between Ukrainian cybersecurity specialists, law enforcement, and international security experts. The Ukrainian government took proactive steps to halt the attack and restore affected systems, acknowledging the significance of maintaining robust cyber defense capabilities. The incident also drew attention to the broader geopolitical context, with some experts suggesting that the attack could be viewed as an extension of ongoing tensions between Russia and Ukraine.

Overall, the NotPetya cyberattack represented a critical incident in the realm of cybersecurity, underscoring the potential for malicious actors to exploit interconnected systems and widely used software to cause widespread disruption. The impact of the attack extended beyond Ukraine, affecting global businesses and underscoring the interconnected nature of modern digital infrastructure. The response to the incident highlighted the importance of international collaboration and proactive cybersecurity measures to mitigate future threats and safeguard critical systems and data.
