Cyber Incident Victim: Chernobyl Nuclear Power Plant
Date:
Jun 2017
Location:
Ukraine
Summary
A cyber attack employing ransomware similar to WannaCry targeted Ukrainian government and critical infrastructure entities, disrupting operations at the national bank, state power provider, largest airport, and state-owned financial institutions. Systems displayed ransom demands for Bitcoin payments, while ATMs, government computers, and corporate networks including an aircraft manufacturer and power distributor experienced outages. The incident coincided with heightened tensions following an intelligence officer's assassination and prior accusations against Russia for infrastructure-focused cyber attacks. International companies like Maersk and Rosneft also reported disruptions, though direct links to the Ukrainian incident were unconfirmed. The attack highlighted broader concerns over escalating state-sponsored and criminal cyber threats targeting essential services globally.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On June 27, 2017, a widespread cyber attack disrupted critical Ukrainian infrastructure and international entities. The incident began with ransomware infections affecting government systems, including computers used by Deputy Prime Minister Rozenko Pavlo and other cabinet members, rendering them inaccessible. A message displayed on compromised devices claimed disk errors and instructed users not to power down systems while demanding a $300 Bitcoin payment to restore access. The malware, identified as Petrwrap or Petya, shared functional similarities with the WannaCry ransomware that caused global disruptions the previous month. Ukraine's National Bank reported an "unknown virus" impacted multiple financial institutions, including state-owned Oschadbank, though customer data reportedly remained secure. Critical infrastructure operators were affected, with power distributor Ukrenergo confirming IT system compromises that did not interrupt electricity supplies. Boryspil International Airport experienced operational disruptions as departure boards and computer systems failed, while ATMs and retail payment terminals across the country displayed ransom messages.
The attack extended beyond Ukraine's borders, affecting multinational corporations including shipping conglomerate Maersk, which reported IT outages across multiple sites, and Russian firms Rosneft and Evraz. This occurred amid heightened tensions in Ukraine, coming one day before Constitution Day and hours after the assassination of Colonel Maksim Shapoval, a Ukrainian intelligence officer. Ukrainian authorities historically attributed similar cyber attacks on infrastructure, including a 2015 power grid disruption, to Russian state actors—allegations consistently denied by Russia. Concurrently, the UK Parliament disclosed a separate cyber intrusion targeting parliamentary email accounts, though officials confirmed minimal direct impact. The incident highlighted broader concerns about escalating cyber threats, with France's National Cybersecurity Agency director warning of increasing attacks from state-sponsored groups, criminal networks, and extremists targeting espionage, sabotage, and financial gain. No coordinated international response was detailed in available reports, though Ukrainian entities implemented system isolation measures to contain the ransomware's spread.