Cyber Incident Victim: Compagnie de Saint-Gobain
Date:
Jun 2017
Location:
Ukraine
Summary
A global cyberattack originating in Ukraine, seeded through a compromised tax-software update and a hacked news website, disrupted operations at numerous multinational corporations, including Compagnie de Saint-Gobain. The ransomware, which used the EternalBlue exploit to spread inside networks, encrypted systems and demanded Bitcoin payments, though its primary motive appeared to be disruption rather than financial gain. The incident caused widespread operational paralysis, halting production facilities and logistics networks. Saint-Gobain experienced significant disruption to its systems alongside other major firms such as Maersk and Rosneft, with infections spreading through corporate networks from Ukrainian subsidiaries. While some organizations limited the impact through security patches and backups, the attack underscored the vulnerabilities created by interconnected supply chains and shared software dependencies.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 2 actors | Available to members | Available to members |
Description
The incident began on June 27, 2017, when ransomware originating in Ukraine spread globally, disrupting operations across multiple industries. Initial infections occurred through compromised software updates for MEDoc, a Ukrainian tax accounting program, and a hacked local news website in Bakhmut, Ukraine. After the initial foothold the malware propagated within corporate networks using the EternalBlue SMB exploit, believed to have been developed by the U.S. National Security Agency, but it did not scan the public internet for new victims. Upon infection, the ransomware encrypted files and demanded $300 in Bitcoin for decryption, though only a little over 30 payments were made. Ukrainian organizations bore the brunt of the attack, accounting for 80% of detected infections, followed by Italy at 10%. The malware rapidly affected international corporations with Ukrainian operations, including Compagnie de Saint-Gobain, Mondelez International, A.P. Moller-Maersk, and Rosneft. Maersk experienced severe port congestion at 76 terminals worldwide, including Mumbai, Rotterdam, and Los Angeles, while Rosneft switched to backup systems to keep oil production running after its systems were seriously affected.

Response actions included immediate containment measures by affected organizations and coordinated cybersecurity efforts. German email provider Posteo shut down the email address the ransom note told victims to contact, cutting off the only channel between victims and the attackers. Microsoft confirmed the MEDoc updater process as an initial infection vector and reiterated its guidance for businesses to install recent security patches (the March 2017 MS17-010 update closes the hole EternalBlue exploits) and to disable the legacy SMBv1 file-sharing protocol; this blocked the exploit-based spread on updated systems, although the malware also spread using harvested administrator credentials, so patched hosts inside an already compromised network were not immune. Security firms Cisco Talos, Symantec, and Kaspersky analyzed the malware's propagation methods and the origins of the attack. BNP Paribas Real Estate isolated its affected subsidiary, while Cadbury's Australian factory halted production until systems could be restored. The Kremlin denied involvement despite Ukraine's past accusations of Russian cyber aggression and called for international cooperation. Forensic evidence suggested the attack prioritized disruption over financial gain, and security experts speculated about state-sponsored experimentation, citing the token ransom demand and the precision with which critical infrastructure nodes were hit.
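The mitigation guidance summarized above (patch, and turn off SMBv1) is easy to state and easy to leave half-done across a fleet. The following PowerShell script is an added example written for this page; it is not code from Microsoft, from the incident record, or from any of the organizations named. It audits the SMBv1 state and the TCP/445 listener on a Windows host and, with a `-Remediate` switch (the switch name is this script's own convention), disables the protocol. The MS17-010 KB number differs per Windows version, so the script lists recent hotfixes for the reviewer to check rather than hard-coding one.

```powershell
# Added example (not from the original page or from Microsoft): audit, and optionally
# remediate, the SMBv1 exposure that the EternalBlue exploit relies on.
# Run in an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later.
# The -Remediate switch is this script's own assumption, not a Windows setting.
param([switch]$Remediate)

$report = [ordered]@{}

# 1. SMBv1 on the SMB server side: this is what a remote EternalBlue attempt speaks to.
$smbServer = Get-SmbServerConfiguration
$report['SMB1 server enabled'] = $smbServer.EnableSMB1Protocol

# 2. SMBv1 as an installed optional feature (Windows 10 / Server 2016 and later expose it
#    this way; older builds do not know the feature name, so tolerate a failed lookup).
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
$report['SMB1 feature state'] = if ($feature) { $feature.State } else { 'n/a on this build' }

# 3. Is anything actually listening on TCP/445? If nothing is, remote SMB exploitation
#    of this host is moot regardless of the protocol setting.
$listener = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
$report['TCP/445 listening'] = [bool]$listener

# 4. Most recently installed updates, to be compared by the reviewer against the
#    MS17-010 bulletin for this OS (the KB number is version-specific, so not hard-coded).
$report['Latest hotfixes'] = (Get-HotFix |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, InstalledOn |
    Out-String).Trim()

$report.GetEnumerator() | ForEach-Object { '{0,-22}: {1}' -f $_.Key, $_.Value }

if ($Remediate) {
    # Turn SMBv1 off at both the server and the feature level. Both changes need a
    # reboot to take full effect, and the feature removal is skipped if it is absent.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    Write-Output 'SMBv1 disabled; a reboot is required for the change to apply fully.'
}
```

Run it without arguments first to see the current state, then with `-Remediate` once you have confirmed nothing in the environment still depends on SMBv1 (legacy scanners and NAS devices are the usual holdouts). Note that disabling SMBv1 closes the exploit path only; it does nothing against lateral movement with stolen credentials, which this incident also used.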
