Cyber Incident Victim: Football Federation of Ukraine
Date: Jun 2017
Location: Ukraine
Summary
A ransomware attack utilizing the NotPetya malware targeted Ukrainian infrastructure through a compromised update mechanism of widely used tax accounting software, causing widespread disruption across financial, governmental, energy, and transportation sectors. The malware, masquerading as ransomware but designed for permanent data destruction, exploited vulnerabilities in Windows systems to propagate globally, affecting multinational companies while Ukraine remained the primary focus. Ukrainian authorities and international cybersecurity firms attributed the attack to Russian military-linked actors, citing prior patterns of cyber aggression and forensic evidence of deliberate infrastructure targeting. The incident resulted in billions of dollars in damages globally, with critical systems like radiation monitoring at Chernobyl temporarily disabled and corporate operations severely disrupted.
Description
The cyberattack began on June 27, 2017, when compromised updates for Ukraine's widely used M.E.Doc tax accounting software distributed the NotPetya malware. This modified ransomware exploited the EternalBlue vulnerability in unpatched Windows systems and used Mimikatz-derived techniques to harvest credentials, enabling lateral movement across networks. The malware encrypted master file tables and overwrote files, rendering systems irrecoverable despite ransom demands of $300 in Bitcoin. Initial infections spread rapidly through Ukrainian entities, with ESET estimating 80% of global infections occurred in Ukraine. Critical infrastructure impacts included Chernobyl's radiation monitoring system going offline, disruptions at Boryspil International Airport, Ukrainian Railways, State Savings Bank, and multiple ministries. The attack coincided with Ukraine's Constitution Day holiday, maximizing disruption during reduced staffing.

Ukrainian authorities halted the attack's spread by June 28 through coordinated response efforts. Forensic investigations revealed the M.E.Doc update server had been compromised since at least May 2017, with a 1.5GB malicious update containing hidden backdoors. On July 4, Ukrainian police raided M.E.Doc developer Intellect Service, seizing servers to prevent further attacks. The Security Service of Ukraine (SBU) attributed the attack to Russian military intelligence (GRU), citing similarities to previous TeleBots and BlackEnergy campaigns targeting Ukrainian infrastructure. International collateral damage affected multinational corporations including Maersk, Merck, and Reckitt Benckiser, with total damages exceeding $10 billion. By February 2018, U.S. and UK governments formally attributed the attack to Russia, noting its disguised ransomware mechanics primarily aimed to disrupt Ukrainian institutions rather than generate revenue.
