Cyber Incident Victim: Sberbank
Date: Jun 2017
Location: Ukraine
Summary
A ransomware attack using a modified variant known as NotPetya targeted Ukrainian organizations through a compromised update mechanism in widely used tax accounting software, causing widespread disruption to critical infrastructure, financial institutions, and government systems. The attack rapidly spread globally via the EternalBlue exploit and Mimikatz-style credential harvesting, affecting multinational corporations and resulting in permanent data destruction despite ransom demands. Security assessments concluded the malware was designed for destructive purposes rather than financial gain, with Ukrainian authorities and Western intelligence agencies attributing the operation to Russian military cyber units. The incident caused billions in damages across affected entities, including major disruptions to supply chains and essential services.
Description
The 2017 cyberattack targeting Ukrainian organizations, including Sberbank, began on June 27 with the deployment of a modified ransomware variant known as NotPetya (or Nyetya). The attack originated from a compromised software update mechanism of M.E.Doc, a widely used Ukrainian tax accounting program developed by Intellect Service. This updater, installed on approximately 1 million computers across Ukraine, distributed the malware to 90% of the country's domestic firms. NotPetya exploited the EternalBlue vulnerability in unpatched Windows systems, the same flaw previously exploited in the WannaCry attack, and leveraged Mimikatz-derived techniques to harvest credentials from memory, enabling lateral movement across networks. The malware encrypted Master File Tables and overwrote files irreversibly, despite displaying ransom demands for $300 in Bitcoin. Primary impact occurred in Ukraine (80% of infections), with secondary spread to multinational corporations through their Ukrainian subsidiaries. Critical infrastructure disruptions included the Chernobyl Nuclear Power Plant's radiation monitoring systems, Ukrainian Railways, Boryspil International Airport, and multiple banks. The attack coincided with Ukraine's Constitution Day holiday, maximizing disruption during a period of reduced staffing.

Ukrainian authorities halted the malware's propagation by June 28 through coordinated efforts with cybersecurity specialists. Forensic analysis revealed that the M.E.Doc compromise dated back to at least May 15, with backdoors enabling persistent access. On July 4, Ukrainian police raided Intellect Service's offices, seizing servers to prevent further attacks. The Security Service of Ukraine (SBU) attributed the attack to Russian military intelligence (GRU), linking it to prior operations by the TeleBots and BlackEnergy groups targeting Ukrainian energy and financial sectors since 2014. Global entities including Maersk, Merck, FedEx, and Reckitt Benckiser reported operational paralysis, with cumulative damages exceeding $10 billion. The U.S. and UK governments formally attributed the attack to Russia in 2018, emphasizing its destructive intent masked as ransomware. Ukrainian financial institutions such as Oshchadbank resumed operations by July 3, while international firms required weeks for system restoration. The incident exposed systemic vulnerabilities in software supply chains and patch management, and no working decryption mechanism for the ransomware was ever identified.
