Cyber Incident Victim: Merck & Co., Inc.

Date: Jun 2017

Location: Ukraine

Summary

A major cyberattack compromised the computer network of pharmaceutical company Merck, part of a broader global incident initially centered in Ukraine that disrupted the state power grid, banks, and government offices. The ransomware-based malware, leveraging vulnerabilities in Microsoft Windows systems, spread internationally, affecting multiple organizations including shipping giant Maersk and Russia's Rosneft oil company. While Merck struggled to contain the intrusion, Ukrainian authorities noted vital systems remained operational. The attack resembled the earlier WannaCry outbreak, utilizing leaked digital exploitation tools to propagate rapidly across networks, causing widespread operational disruptions in critical infrastructure and corporate sectors.

Description

On June 27, 2017, pharmaceutical company Merck confirmed its computer network was compromised during a global cyberattack initially detected in Europe. The company acknowledged the breach via a Twitter statement shortly before noon Eastern Time, noting it could not initially contain the malicious data-scrambling software affecting its systems. Merck’s US headquarters in Kenilworth, New Jersey, was impacted alongside its offices in Kiev, Ukraine—the apparent epicenter of the attack. The malware, believed to be ransomware deployed by financially motivated hackers, exploited vulnerabilities in Microsoft Windows XP and Windows 10 operating systems through a time-activated virus. Ukraine reported widespread disruptions to its state power grid, banking institutions, airport operations, and government offices at the start of business hours, though Prime Minister Volodymyr Groysman stated critical infrastructure systems remained functional. Merck was the first US-based entity to publicly confirm involvement in the incident, which unfolded concurrently across multiple countries and industries.

The attack rapidly expanded beyond Ukraine, with Russian cybersecurity firm Kaspersky Lab documenting approximately 2,000 incidents—primarily concentrated in Ukraine, Russia, and Poland. Major corporations including Russian oil producer Rosneft and Danish shipping conglomerate A.P. Moller-Maersk reported network compromises, with Maersk confirming operational disruptions across all domestic and international business divisions. Container terminals in Rotterdam operated by Maersk subsidiaries experienced system failures, while Rosneft claimed to have narrowly prevented catastrophic damage. Security analysts identified the malware as ransomware designed to encrypt data and extort payment for decryption, drawing parallels to the WannaCry outbreak that had spread globally weeks earlier using exploit tools originally developed by the US National Security Agency. The incident highlighted the transnational nature of cyber threats, with multinational corporations sustaining collateral damage from an attack initially targeting Ukrainian infrastructure.
