Cyber Incident Victim: Lviv City Council
Date: Jun 2017
Location: Ukraine
Summary
A destructive attack using the NotPetya malware targeted Ukrainian infrastructure through the compromised update mechanism of widely used tax accounting software, causing widespread disruption to government systems, financial institutions, energy providers, and critical services. The malware propagated across networks using the EternalBlue exploit and Mimikatz-style credential harvesting, encrypting and irreversibly damaging files while posing as financially motivated ransomware. The primary impact fell on Ukrainian entities, but global subsidiaries with Ukrainian connections also suffered operational paralysis and data destruction. Security assessments indicated that the attack's primary intent was disruption rather than profit, with evidence suggesting state-sponsored coordination. Ukrainian authorities attributed the incident to Russian-linked threat actors, citing similarities to prior cyber campaigns targeting national infrastructure.
Description
The NotPetya cyberattack began on 27 June 2017, initially targeting Ukrainian entities through a compromised update mechanism of the M.E.Doc tax accounting software. This software, used by approximately 90% of Ukrainian businesses, distributed the malware via its automatic update server, enabling rapid propagation across domestic networks. The malware, a modified variant of the Petya ransomware dubbed "NotPetya", leveraged the EternalBlue exploit to infiltrate Windows systems, encrypting Master File Tables and overwriting critical files. Concurrently, it employed Mimikatz-derived techniques to harvest credentials from memory, facilitating lateral movement within networks. Primary Ukrainian victims included government ministries, banks (Oshchadbank, Ukrsotsbank), critical infrastructure operators (Ukrainian Railways, Ukrtelecom), and the Chernobyl Nuclear Power Plant, whose radiation monitoring systems went offline. The attack coincided with Ukraine's Constitution Day holiday, exploiting reduced staffing to maximize disruption. Despite ransom demands of $300 in Bitcoin per device, forensic analysis revealed that the malware's primary function was irreversible data destruction rather than financially motivated encryption.

The incident rapidly escalated into a global event through multinational corporations with Ukrainian operations, affecting entities such as Maersk, Merck, FedEx, and Reckitt Benckiser across 64 countries. Ukrainian authorities declared the attack contained by 28 June, though data recovery efforts persisted for weeks. Subsequent investigations uncovered a backdoor in M.E.Doc's update infrastructure dating to April-May 2017, indicating prolonged attacker access. On 4 July, Ukrainian police seized Intellect Service's servers to prevent further compromises. Attribution efforts by Ukraine's Security Service (SBU) and cybersecurity firms linked the attack to Russian military intelligence (GRU), citing similarities to prior operations by the TeleBots and BlackEnergy groups. Financial losses exceeded $10 billion globally, with Merck reporting $870 million in damages and Maersk $300 million. The U.S. and UK governments formally accused Russia of orchestrating the attack in 2018, emphasizing its disruptive intent against Ukrainian infrastructure. By July 2017, only $10,000 in Bitcoin had been paid to the ransom addresses, underscoring the attack's sabotage-oriented design.
