Cyber Incident Victim: Pershyi Natsionalnyi
Date: Jun 2017
Location: Ukraine
Summary
A destructive cyberattack primarily targeting Ukrainian organizations, including banks, government ministries, and critical infrastructure operators, was deployed through compromised updates of widely used tax accounting software. The malware, initially disguised as ransomware but designed to cause irreversible system damage, spread globally, disrupting multinational corporations and infrastructure beyond Ukraine. Security assessments attributed the attack to Russian military actors, citing prior infiltration of the software supply chain and parallels to previous operations against Ukrainian systems. The incident caused billions in damages worldwide, permanently destroying data and crippling networks despite ransom demands. Ukrainian authorities and international allies characterized the event as part of ongoing hybrid warfare efforts.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 2 actors | Available to members | Available to members |
Description
The 2017 Ukraine ransomware attacks began on June 27 with the initial compromise of M.E.Doc (MeDoc), a widely used Ukrainian tax accounting software developed by Intellect Service. Attackers infiltrated MeDoc's automatic update server—which served approximately 400,000 Ukrainian businesses—and distributed malware masquerading as a legitimate software update. This malicious update delivered a modified variant of the Petya ransomware, later termed NotPetya or Nyetya because of its significant code alterations. The malware used the EternalBlue exploit against unpatched Windows systems—the same exploit previously leveraged in the WannaCry attack—and Mimikatz-derived tooling to harvest credentials from memory, enabling lateral movement across networks. NotPetya encrypted Master File Tables and overwrote files irreversibly, making data recovery impossible even for victims who paid the $300 Bitcoin ransom demand. While the attack initially targeted Ukrainian entities including banks (Oschadbank, Ukrsotsbank), government ministries, utilities (Ukrtelecom), critical infrastructure (Chernobyl radiation monitoring systems, Ukrainian Railways), and media outlets, it rapidly spread globally via multinational corporate networks.

Security analysts determined the attack was designed for destruction rather than financial gain, as evidenced by its untargeted propagation mechanisms and non-functional payment system. Ukraine's Security Service (SBU) attributed the attack to Russian military intelligence (GRU) on July 1, citing similarities to prior BlackEnergy and TeleBots campaigns against Ukrainian infrastructure. The incident caused operational disruptions at major international corporations including Maersk, Merck, FedEx subsidiary TNT Express, Reckitt Benckiser, and Saint-Gobain, with total damages exceeding $10 billion according to U.S. officials. Ukrainian police raided Intellect Service's offices on July 4 after discovering backdoors in MeDoc's systems dating to April 2017, though the company denied complicity. By February 2018, U.S. and UK governments formally attributed NotPetya to Russia's GRU, noting its alignment with geopolitical tensions following Russia's 2014 annexation of Crimea. Recovery efforts spanned months for severely affected organizations like Merck, which reported $870 million in losses, while Ukrainian critical services restored manual operations within days despite widespread system damage.
