Cyber Incident Victim: China National Petroleum Corp
Date: May 2017
Location: China
Summary
A ransomware attack compromised systems at China National Petroleum Corp, disrupting petrol stations in Chongqing by preventing card payment processing. The incident occurred amid a global cyberattack affecting numerous institutions, with the company's infrastructure among those infected by malware that encrypted files and demanded ransom payments. Operational disruptions were reported across multiple sectors in China, including government agencies and hospitals, though specific impacts on the petroleum corporation centered on payment system failures. The attack highlighted vulnerabilities in critical infrastructure networks, with widespread consequences stemming from the malware's rapid propagation.
Description
The WannaCry ransomware cyberattack emerged globally on May 12, 2017, affecting over 200,000 computers across 150 countries within days. The malware encrypted files on infected systems, demanding ransoms typically set at $300 in Bitcoin to restore access. Russia experienced the highest volume of attack attempts, impacting the interior ministry, railways, banks, and telecom provider Megafon. Approximately 1,000 computers within Russia’s interior ministry were compromised, though critical servers remained operational due to their reliance on domestically developed Elbrus operating systems rather than vulnerable Microsoft Windows platforms. Germany’s Deutsche Bahn railway operator reported disruptions to electronic station display boards, though train services continued uninterrupted. China faced widespread institutional damage, with internet security firm 360 Security confirming infections at nearly 30,000 organizations, including government agencies and hospitals.

In China, the ransomware severely disrupted academic networks, locking students’ laptops and jeopardizing end-of-year projects as underfunded universities relied on outdated or pirated software. China National Petroleum Corp (CNPC) systems were infected, forcing petrol stations in Chongqing to suspend card payment processing. South Korea’s CJ CGV cinema chain reported compromised advertisement servers across 50 locations, though screenings proceeded normally. Japan documented 2,000 infected computers at 600 companies, with Hitachi experiencing email and file delivery issues. Indonesia’s Dharmais Cancer Hospital resorted to manual record-keeping after patient files were encrypted, causing significant treatment delays. India’s Andhra Pradesh police systems were hijacked, though national infrastructure avoided major damage due to preemptive security patches. The UK’s National Health Service suffered among the most visible disruptions, with 48 English trusts and 13 Scottish organizations turning away patients after ransomware messages appeared on clinical systems. Industrial operations like Nissan’s Sunderland plant and Renault factories halted production temporarily, while Spanish utilities Telefonica, Iberdrola, and Gas Natural implemented workstation shutdowns to contain infections. By May 14, Europol confirmed the attack’s unprecedented scale, though containment efforts—including network isolation of compromised devices and restoration of paper-based processes—had begun mitigating further spread.
