Cyber Incident Victim: Farmak
Date: Jun 2017
Location: Ukraine
Summary
A ransomware attack utilizing the NotPetya malware targeted Ukrainian organizations through the compromised update mechanism of widely used tax accounting software, causing widespread disruption to financial institutions, government ministries, critical infrastructure, and private enterprises. The malware propagated globally via the EternalBlue exploit and Mimikatz-style credential harvesting, encrypting and irreversibly damaging systems; it masqueraded as ransomware despite carrying a destructive payload. Primary impacts included radiation monitoring failures at Chernobyl, halted operations at major transportation hubs, and significant financial losses exceeding $10 billion across multinational corporations. Ukrainian authorities and international cybersecurity firms attributed the attack to Russian military hackers, citing prior compromises of the software update infrastructure and similarities to previous cyber operations against Ukrainian infrastructure.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 2 actors | Available to members | Available to members |
Description
On June 27, 2017, a destructive cyberattack leveraging modified Petya ransomware (dubbed NotPetya) disrupted Ukrainian critical infrastructure and global organizations. The attack originated through a compromised software update mechanism of M.E.Doc, a Ukrainian tax accounting package used by approximately 90% of domestic firms. Intellect Service, M.E.Doc’s developer, distributed the malicious update via its automatic update server, which delivered NotPetya instead of legitimate patches. The malware exploited the EternalBlue vulnerability in unpatched Windows systems and used Mimikatz-derived techniques to harvest credentials from memory, enabling lateral movement across networks. NotPetya encrypted master file tables and overwrote files irreversibly, masquerading as ransomware while causing permanent data destruction. Initial infections concentrated in Ukraine, affecting government ministries, banks (including Oshchadbank and Ukrsotsbank), utilities (Ukrtelecom), transportation systems (Kyiv Metro, Boryspil Airport), and critical facilities like the Chernobyl Nuclear Power Plant’s radiation monitoring system. The attack coincided with Ukraine’s Constitution Day holiday, maximizing disruption during reduced staffing.

By June 28, Ukrainian cyber authorities contained the attack, though global spread impacted multinational corporations through interconnected networks. Non-Ukrainian victims included Merck & Co., Maersk, FedEx’s TNT Express, Reckitt Benckiser, and Saint-Gobain, causing operational shutdowns and supply chain disruptions. Forensic investigations revealed the M.E.Doc compromise began as early as April 2017, with attackers embedding backdoors for sustained access. Ukrainian police raided Intellect Service’s offices on July 4, seizing servers to prevent further attacks. The SBU attributed the operation to Russian military intelligence (GRU), linking it to prior cyber campaigns (BlackEnergy, TeleBots) against Ukrainian infrastructure. U.S. and UK governments later formally accused Russia of orchestrating the attack, estimating global damages exceeding $10 billion. Reckitt Benckiser reported $130 million in lost sales, while Merck incurred $870 million in costs. Despite ransom demands, decryption proved impossible due to NotPetya’s destructive design, confirming its primary intent as disruption rather than financial gain.
