Cyber Incident Victim: SNCF
Date: Jun 2017
Location: France
Summary
A ransomware attack dubbed NotPetya, resembling the earlier WannaCry malware, disrupted multinational corporations and critical infrastructure across multiple countries. Originating primarily in Ukraine and Russia, the attack encrypted systems and demanded $300 in cryptocurrency for decryption, affecting entities including a nuclear facility, an airport, port operations, and companies such as Rosneft, Maersk, Saint-Gobain, and SNCF. Over 2,000 systems were compromised, causing operational disruptions like container logjams at India's Bombay port. Ukrainian authorities claimed the attack was contained, with cybersecurity experts working to restore data, while French prosecutors initiated an investigation into the incident. Security analysts identified NotPetya as a distinct malware variant rather than an iteration of prior Petya ransomware.
Description
The NotPetya ransomware attack emerged on or around June 27, 2017, initially targeting Ukraine and Russia before spreading internationally. The malware encrypted victims' systems and demanded a $300 ransom in cryptocurrency for decryption, employing techniques similar to the WannaCry attack that had globally disrupted systems in May 2017. Ukrainian authorities reported critical infrastructure impacts, including radiation monitoring systems at the Chernobyl nuclear site and operations at Kiev’s Boryspil International Airport. By June 28, the Ukrainian government claimed the attack had been "stopped" and was "under the complete control of cybersecurity specialists," who were working to restore lost data. Security firm Kaspersky Labs confirmed over 2,000 affected users during the outbreak, with primary concentrations in Ukraine and Russia.

The attack severely disrupted multinational corporations across multiple sectors. Confirmed victims included Russian oil firm Rosneft, Danish shipping giant Maersk (whose system failures risked container backlog at India’s Port of Bombay), pharmaceutical company Merck, French construction materials supplier Saint-Gobain, German consumer goods firm Beiersdorf (maker of Nivea), and British advertising group WPP. In France, retail chain Auchan, national railway operator SNCF, and BNP Paribas’ real estate subsidiary were compromised. The Paris prosecutor’s office opened an investigation into the incident. Kaspersky Labs analysts clarified that NotPetya was not a variant of the earlier Petya ransomware but a distinct malware strain, noting its rapid propagation and destructive encryption mechanism despite the relatively modest ransom demand.
