Cyber Incident Victim: Dniproenergo
Date: Jun 2017
Location: Ukraine
Summary
A ransomware attack using the NotPetya malware targeted Ukrainian critical infrastructure, including an electricity provider, by way of a compromised update mechanism in widely used tax accounting software. The malware caused widespread data destruction across government, financial, and energy sectors, with collateral global impact on multinational corporations. Security assessments concluded the attack was state-sponsored sabotage aimed primarily at Ukraine and attributed it to Russian military hackers; irreversible system disruptions and supply chain failures resulted in billions in damages.
Description
The June 27, 2017, cyberattack targeting Ukrainian infrastructure began with the compromise of the M.E.Doc tax accounting software's update mechanism. Attackers distributed a malicious update to M.E.Doc's approximately 400,000 customers, representing 90% of Ukrainian domestic firms. The payload contained NotPetya, a modified version of Petya ransomware that used the EternalBlue exploit against unpatched Windows systems and Mimikatz-derived credential harvesting to propagate across networks. Unlike typical ransomware, NotPetya permanently destroyed data by overwriting files and master boot records while displaying fake ransom demands. Ukraine's critical infrastructure was disproportionately affected, with 80% of infections occurring there. The radiation monitoring system at the Chernobyl Nuclear Power Plant was forced offline, while multiple state enterprises, including Ukrainian Railways, Boryspil International Airport, and electricity providers, experienced system disruptions. Dniproenergo, among other energy sector entities, had its computer systems disabled but maintained manual operations to continue electricity distribution.

The Security Service of Ukraine (SBU) declared the attack contained by June 28 through coordinated cybersecurity efforts. Forensic analysis revealed that the M.E.Doc compromise dated back to at least May 15, with attackers having established persistent backdoor access. On July 4, Ukrainian police raided M.E.Doc's offices and seized servers to prevent further attacks. The SBU attributed the operation to Russian military intelligence (GRU), linking it to prior attacks by the TeleBots group that had targeted Ukraine's energy grid in December 2016. International security agencies, including the US CIA and the UK Ministry of Defence, later confirmed Russian state sponsorship. Global collateral damage occurred through multinational corporations with Ukrainian operations, including Merck, Maersk, and Reckitt Benckiser, which incurred collective losses exceeding $10 billion. Ukrainian authorities initiated criminal proceedings against M.E.Doc's developers for negligence after repeated warnings about security vulnerabilities. By July 3, critical services such as Oshchadbank had resumed operations, though data recovery proved impossible for permanently encrypted systems.
