
Cyber Incident Victim: Kyiv State City Administration

Date:

Jun 2017

Location:

Ukraine

Summary

A ransomware attack using the NotPetya malware targeted Ukrainian organizations through the compromised update mechanism of widely used tax accounting software, causing widespread disruption to government operations, banks, critical infrastructure, and media outlets. The malware masqueraded as ransomware but was designed for destruction: it permanently damaged systems by overwriting files, and it spread internationally through the networks of global businesses. Ukrainian authorities attributed the attack to Russian military hackers, citing similarities to earlier cyber operations by groups linked to disruptions of critical infrastructure. The incident caused significant financial losses at affected international corporations and permanently crippled numerous Ukrainian systems; the ransom demands offered no path to recovery.

CIA Posture:

Available to members

Motives:

2 motives

Tactics, Techniques & Procedures:

1 technique

Threat Actors:

2 actors

Threat Actor Type:

Available to members

Threat Actor Location:

Available to members

Description

The 2017 cyberattack targeting Ukrainian organizations began on June 27 through compromised updates of the M.E.Doc tax accounting software developed by Intellect Service. Attackers infiltrated the software's automatic update mechanism and used it to distribute malware to approximately 400,000 Ukrainian businesses that relied on this government-mandated accounting platform. The malicious payload combined modified Petya ransomware components (dubbed NotPetya or Nyetya) with the EternalBlue and EternalRomance exploits, which targeted unpatched Windows systems. Unlike typical ransomware, NotPetya permanently destroyed data by overwriting files and master boot records while displaying fake ransom demands. The malware employed multiple propagation methods, including credential theft via Mimikatz, lateral movement through Windows Management Instrumentation, and SMBv1 exploitation.


Initial infections crippled critical Ukrainian infrastructure, including the radiation monitoring system at the Chernobyl Nuclear Power Plant, banking institutions (Oschadbank, Ukrsotsbank), transportation networks (Ukrainian Railways, Kyiv Metro), and government entities such as the Kyiv State City Administration. The attack coincided with Ukraine's Constitution Day holiday, maximizing disruption while staffing was reduced. By June 28, Ukrainian cyber authorities had contained the outbreak through coordinated network segmentation and system isolation. Subsequent forensic analysis revealed that the attackers had compromised M.E.Doc's update servers as early as April 2017, embedding backdoors for sustained access. Ukrainian law enforcement seized Intellect Service's servers on July 4 after discovering persistent compromise vectors. The malware's uncontrolled spread affected global organizations with Ukrainian connections, including Maersk, Merck, and Reckitt Benckiser, causing estimated damages exceeding $10 billion.

The Security Service of Ukraine (SBU) attributed the attack to Russian military intelligence (GRU), citing infrastructure links to prior TeleBots and BlackEnergy operations against Ukrainian energy grids in 2015-2016. Technical evidence showed deliberate targeting of Ukrainian entities through hardcoded system bypasses and kill lists. While Russian officials denied involvement, multiple Western governments including the United States and United Kingdom formally attributed the attack to Russian state actors in 2018, describing it as the most destructive cyberattack in history. Ukrainian authorities initiated criminal proceedings against Intellect Service for security negligence after repeated warnings about vulnerable systems. Recovery efforts required complete hardware replacement in critical infrastructure due to irreversible file system damage.

Sources:

1 source (available to members)