Cyber Incident Victim: Klo

Date: Jun 2017

Location: Ukraine

Summary

A ransomware attack using NotPetya, a modified variant of the Petya malware, targeted Ukrainian organizations through the compromised update mechanism of a widely used tax accounting software package, causing widespread disruption to critical infrastructure, financial institutions, and government systems. The malware, designed to inflict permanent data destruction rather than to facilitate ransom payments, exploited known Windows vulnerabilities to propagate globally, impacting multinational corporations across sectors including shipping, healthcare, and manufacturing. Attribution investigations by cybersecurity firms and governments identified Russian military-linked groups as responsible, citing prior patterns of disruptive cyber operations against the country. The incident resulted in billions of dollars in global damages due to operational paralysis and data loss, with Ukraine sustaining the majority of infections.

CIA Posture: Available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 2 actors
Type: Available to members
Location: Available to members

Description

The 2017 Ukraine ransomware attacks, commonly referred to as NotPetya, began on 27 June 2017 with the distribution of malicious code through a compromised update mechanism of the M.E.Doc tax accounting software, widely used by Ukrainian businesses. The malware, a modified variant of the Petya ransomware, exploited the EternalBlue vulnerability in unpatched Windows systems and leveraged Mimikatz-derived techniques to harvest credentials and propagate across networks. Initial infections primarily targeted Ukrainian entities, including banks, government ministries, energy firms, media outlets, and critical infrastructure operators such as the Chernobyl Nuclear Power Plant, which lost radiation monitoring capabilities. The attack rapidly spread internationally, affecting organizations in over 60 countries, though 80% of infections occurred in Ukraine according to ESET's analysis. Unlike typical ransomware, NotPetya irreversibly corrupted files by overwriting master boot records and file tables while displaying fake ransom demands, indicating its primary purpose was data destruction rather than financial gain.

Ukrainian authorities halted the attack's propagation by 28 June through coordinated efforts with cybersecurity experts. Subsequent forensic investigations revealed the M.E.Doc update server had been compromised since at least mid-May 2017, with attackers implanting backdoors for sustained access. On 4 July, Ukrainian police raided M.E.Doc's offices and seized servers to prevent further attacks. Attribution investigations by Ukraine's Security Service (SBU) linked the attack to Russian military intelligence (GRU), citing similarities with prior operations by the TeleBots and BlackEnergy groups targeting Ukrainian infrastructure. The incident caused extensive operational disruptions, including temporary shutdowns at major companies like Maersk, Merck, and Reckitt Benckiser, with total global damages exceeding $10 billion. While Russia denied involvement, multiple Western governments including the United States and United Kingdom formally attributed the attack to Russian state actors in 2018, characterizing it as part of ongoing hybrid warfare against Ukraine.
