Cyber Incident Victim: Radio Era-FM
Date: Jun 2017
Location: Ukraine
Summary
A ransomware attack using the NotPetya malware targeted Ukrainian infrastructure through a compromised update of widely used tax accounting software, causing widespread disruption to banks, government ministries, energy firms, and critical services including radiation monitoring at Chernobyl. The malware propagated via EternalBlue and credential theft, irreversibly encrypting systems while masquerading as financially motivated ransomware. Global spillover affected multinational corporations, resulting in billions in damages. Ukrainian authorities and international cybersecurity firms attributed the attack to Russian military hackers (Sandworm/TeleBots), citing prior compromises of the software supply chain and patterns aligning with hybrid warfare tactics against Ukraine.
Description
The 2017 Ukraine ransomware attacks began on June 27 with the distribution of a modified Petya variant (dubbed NotPetya) through compromised updates for M.E.Doc, a widely used Ukrainian tax accounting software. Intellect Service’s M.E.Doc update server was hijacked to deliver the malware, affecting approximately 90% of Ukrainian businesses that relied on the software. NotPetya employed multiple propagation methods, including the EternalBlue exploit against unpatched Windows systems and a Mimikatz-derived tool that harvested credentials from memory, enabling lateral movement across networks. Upon execution, it encrypted Master File Tables and overwrote files irreversibly, so that data could not be recovered even after paying the $300 Bitcoin ransom it demanded. The attack crippled critical Ukrainian infrastructure, including the radiation monitoring system at Chernobyl Nuclear Power Plant, ministries, banks (Oshchadbank, State Savings Bank), transportation networks (Kyiv Metro, Ukrainian Railways), and telecommunications providers (Ukrtelecom). Over 1,500 Ukrainian entities reported infections, with ESET estimating that 80% of global infections occurred in Ukraine.

The malware spread globally through multinational corporations with Ukrainian operations, impacting companies like Maersk, Merck, FedEx, Reckitt Benckiser, and Saint-Gobain. Ukrainian authorities halted the attack’s spread by June 28 through coordinated efforts with cybersecurity specialists. Forensic analysis revealed the M.E.Doc compromise dated back to at least May 15, with a backdoor enabling potential follow-up attacks. On July 4, Ukrainian police seized Intellect Service’s servers to prevent further exploitation. The Security Service of Ukraine (SBU) attributed the attack to Russian military intelligence (GRU), citing similarities to prior cyber operations like the 2016 Kyiv power grid hack and TeleBots/BlackEnergy campaigns. The U.S. CIA and UK government later confirmed Russian state involvement, noting the attack’s primary aim was disrupting Ukrainian infrastructure rather than financial gain. Total damages exceeded $10 billion, with Merck reporting $870 million in losses, FedEx $400 million, and Maersk $300 million. Ukrainian officials initiated criminal proceedings against Intellect Service for negligence in securing its update systems despite prior warnings from antivirus firms.
