Cyber Incident Victim: Arterium Corporation
Date: Jun 2017
Location: Ukraine
Summary
A ransomware attack primarily targeted Ukrainian organizations through a compromised update mechanism in widely used tax accounting software, causing widespread disruption to critical infrastructure, financial institutions, and government systems. The malware, a modified variant of Petya dubbed NotPetya, propagated globally via EternalBlue exploits and credential theft tools, permanently damaging files while masquerading as recoverable ransomware. Security assessments concluded that the operation was aimed at destructive impact rather than financial gain, with attribution pointing to state-sponsored Russian actors who had compromised the software's update infrastructure months prior. The incident inflicted billions in damages across multinational corporations with Ukrainian operations before containment efforts halted its spread.
Description
The 2017 cyberattack targeting Arterium Corporation and other Ukrainian entities began on June 27 with the distribution of NotPetya malware through a compromised update mechanism of the M.E.Doc tax accounting software, widely used by Ukrainian businesses. Attackers infiltrated the update servers of M.E.Doc's developer, Intellect Service, pushing malicious code to approximately 1 million computers. The malware exploited the EternalBlue vulnerability in unpatched Windows systems and leveraged Mimikatz-derived techniques to harvest credentials, enabling lateral movement across networks. Upon execution, NotPetya encrypted Master File Tables and overwrote files, causing irreversible data loss despite ransom demands of $300 in Bitcoin. The attack coincided with Ukraine's Constitution Day holiday, maximizing disruption as government offices were minimally staffed. Critical infrastructure impacts included the Chernobyl Nuclear Power Plant's radiation monitoring systems going offline, while Ukrainian ministries, banks (including Oschadbank and Ukrsotsbank), airports, metro systems, and energy providers like Ukrtelecom experienced operational paralysis.

The incident's global spread affected multinational corporations with Ukrainian operations, including Merck & Co., Maersk, FedEx's TNT Express, and Reckitt Benckiser, causing estimated damages exceeding $10 billion. Ukrainian authorities halted the attack's propagation by June 28 through coordinated cybersecurity efforts. Forensic investigations revealed attackers had compromised M.E.Doc's update infrastructure as early as April 2017, installing backdoors for sustained access. On July 4, Ukrainian police raided Intellect Service's offices, seizing servers to prevent further attacks. The Security Service of Ukraine (SBU) attributed the operation to Russian military intelligence (GRU), linking it to prior attacks by TeleBots and Sandworm hacker groups. International responses included NATO's pledge to bolster Ukraine's cyber defenses and formal attribution by the US and UK governments in 2018. Financial repercussions included Reckitt Benckiser reporting $130 million in lost sales, while Merck incurred $870 million in costs. The attack permanently destroyed data across affected systems, with decryption proving impossible despite ransom payments.
