Cyber Incident Victim: Ukrainian National Police
Date: Jun 2017
Location: Ukraine
Summary
A major cyberattack targeted Ukrainian entities, including the National Police, through compromised updates of widely used tax software, deploying destructive malware disguised as ransomware. The attack disrupted critical infrastructure, financial systems, and government operations, while also causing collateral damage to multinational corporations globally. Ukrainian authorities and international cybersecurity firms attributed the incident to Russian military hackers, citing prior patterns of cyber aggression and forensic evidence linking the malware to known threat actors. The operation caused billions in damages, permanently destroying data rather than enabling decryption despite ransom demands.
Description
The 2017 Ukraine ransomware attacks began on June 27 with the distribution of the NotPetya malware through the compromised update mechanism of M.E.Doc, a Ukrainian tax accounting package used by approximately 90% of domestic firms. The malicious update propagated rapidly across Ukrainian government ministries, banks, energy companies, transportation systems, and media outlets, and also affected international organizations in over 64 countries. For lateral movement NotPetya combined the EternalBlue SMB exploit with Mimikatz-style credential harvesting; it encrypted master file tables and overwrote files irreversibly while displaying a ransom demand for $300 in Bitcoin. Critical infrastructure impacts included the disabling of radiation monitoring at the Chernobyl Nuclear Power Plant and disruptions at Boryspil International Airport, Ukrainian Railways, and the State Savings Bank of Ukraine. By June 28, Ukrainian cybersecurity specialists had contained the attack, though data recovery proved impossible for many victims because of the malware's destructive design.

Ukrainian authorities raided M.E.Doc's offices on July 4 and seized its servers after discovering backdoors that had been installed as early as April 2017. The Security Service of Ukraine (SBU) attributed the attack to Russian military intelligence (GRU), citing similarities to earlier operations such as the 2016 Kyiv power grid outage and the TeleBots attacks on the financial sector. Later assessments by the CIA and the UK Ministry of Defence corroborated Russian state involvement; global damages exceeded $10 billion. Notable corporate victims included Merck & Co., Maersk, FedEx, and Reckitt Benckiser, whose supply chain disruptions caused significant financial losses. The Ukrainian National Police documented over 1,500 victim reports from domestic entities, and although most infections occurred within Ukraine, international firms faced prolonged operational outages. The incident remains one of the costliest cyberattacks in history, with permanent data destruction affecting multiple sectors.
