
Cyber Incident Victim: Inter Channel

Date:

Jun 2017

Location:

Ukraine

Summary

A destructive cyberattack originating in Ukraine rapidly spread globally, leveraging compromised tax software to deploy the NotPetya malware. The incident crippled critical infrastructure including banking systems, government networks, transportation services, and media outlets, affecting approximately 10% of the country's government and commercial computers while disrupting over 2,000 organizations internationally. The attack caused cascading operational failures—hospitals lost electronic records, supply chains were disrupted leading to financial losses, and multiple multinational corporations sustained significant damage. Forensic analysis indicated the malware served dual purposes of data theft targeting financial personnel and widespread system destruction, with Ukrainian authorities attributing the coordinated campaign to state-sponsored actors seeking to destabilize the nation during a symbolic holiday period.


Description

The NotPetya cyberattack began on the morning of June 27, 2017, initially targeting Ukraine through compromised updates of M.E. Doc, a widely used tax accounting software. The malware rapidly infected government systems, critical infrastructure, and commercial entities during Ukraine’s Constitution Day holiday, exploiting reduced staffing to propagate unchecked. Within hours, the attack spread globally via email servers and network connections, affecting systems in France, Germany, Italy, Poland, the United Kingdom, Australia, and the United States. In Ukraine, the virus crippled approximately 2,000 organizations, including bank websites, postal services, Kyiv’s airport and subway system, telecommunications providers Kyivstar and Vodafone Ukraine, media outlets STB and ICTV, and industrial firm Antonov. Approximately 10% of government and commercial PCs were rendered inoperable. The attack disrupted operations at a U.S. healthcare network comprising two hospitals and 18 community facilities, forcing treatment delays due to a week-long electronic records system outage. UK-based Reckitt Benckiser suffered supply chain disruptions that reduced its annual sales growth forecast by one-third.


Forensic analysis revealed that attackers had exploited M.E. Doc for the three months prior, exfiltrating financial data from Ukrainian CFOs and accountants, before deploying NotPetya to obscure these activities and maximize destruction. The Security Service of Ukraine concluded the malware served as cover for a coordinated assault on national infrastructure. This incident followed a pattern of Russian cyber aggression against Ukraine dating to 2014, including a 2015 grid attack affecting 230,000 customers and the targeting of election infrastructure. Ukrainian President Petro Poroshenko characterized NotPetya as part of an ongoing "cyber war" by Russia, a stance supported by Poland’s defense minister. Despite prior cybersecurity improvements that protected presidential systems during the attack, Ukraine sought international assistance. NATO Secretary General Jens Stoltenberg pledged continued cooperation, including proposals for a NATO-Ukraine Working Group to address defense gaps. The incident underscored vulnerabilities in interconnected global systems, with collateral damage extending far beyond Ukraine’s borders.
