
Cyber Incident Victim: West Oil Group

Date:

Jun 2017

Location:

Ukraine

Summary

The NotPetya attack of June 2017 reached Ukrainian organisations through a compromised update of M.E.Doc, a widely used Ukrainian accounting package. Victims spanned government agencies, financial institutions, media outlets, energy providers and fuel retailers, among them the WOG gas station chain. The campaign is associated with the ransomware families XData and PsCrypt as well as the NotPetya wiper, all of which encrypted systems and demanded payment in Bitcoin. Forensic analysis in the available reporting points to a financially motivated group with limited skill in ransomware development that presented itself as Ukrainian-speaking, a claim undercut by inconsistencies in its use of the language.

CIA Posture: available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Threat Actor Type: available to members
Threat Actor Location: available to members

Description

The NotPetya attack, first observed in Ukraine on or around 27 June 2017, began with the compromise of the update channel for M.E.Doc, a widely used Ukrainian accounting application. The attackers pushed malicious code to customers disguised as legitimate software updates, which gave them initial access to victim networks. This supply-chain compromise delivered several malicious payloads, including the ransomware families PsCrypt and XData and the NotPetya wiper. The malware spread rapidly across Ukrainian critical infrastructure and commercial sectors, encrypting systems and demanding Bitcoin ransoms. Bitcoin addresses publicly linked to PsCrypt (0.61136765 BTC), XData (0.5105 BTC) and NotPetya (4.13528947 BTC) were identified, which was taken as evidence of financial motivation. Among the affected entities was WOG, a major Ukrainian gas station chain, alongside other fuel retailers including Shell, Klo and TNK. Propagation relied on the compromised M.E.Doc updates and on a separate breach of the cfm.com.ua website, which served malicious scripts to its visitors. Forensic analysis found similarities to earlier activity, including reuse of the Chthonic backdoor seen in May 2017, suggesting possible links to prior campaigns.


The incident caused widespread operational disruption across Ukraine, affecting government agencies, financial institutions, transport operators, media outlets and energy companies. The National Bank, Ukrainian Railways, the Kyiv Metro and several ministries suffered system encryption and data destruction. M.E.Doc's developer publicly denied responsibility, stating that its releases were checked with antivirus software before distribution, yet multiple victims reported infection immediately after installing M.E.Doc updates. The attackers showed familiarity with the Ukrainian software ecosystem but also technical inconsistencies, including rudimentary ransomware code and non-native language patterns in their communications. Recovery was complicated by NotPetya's destructive behaviour: because it acted as a wiper rather than as recoverable ransomware, systems could not be restored even when the ransom was paid. The incident exposed the fragility of software supply chains and the convergence of financially motivated actors with nation-state attack methods, though definitive attribution remained unconfirmed in the available reporting.

Sources

1 source (available to members)