Cyber Incident Victim: Kyiv Metro

Date: Jun 2017

Location: Ukraine

Summary

A major cyber attack disrupted critical Ukrainian infrastructure, including government systems, the national bank, a state power provider, and the country's largest airport, displaying ransomware messages demanding Bitcoin payments. The incident, attributed to malware resembling Petya or Petrwrap, also affected financial institutions, disabled ATMs and airport operations, and spread internationally, impacting companies like Maersk and Rosneft. Ukrainian officials have historically accused Russia of similar infrastructure attacks, and the disruption occurred amid heightened tensions following an intelligence officer's assassination. The attack caused widespread operational paralysis across multiple sectors but did not compromise power supplies or customer data in some affected entities.

Description

On June 27, 2017, a widespread cyber attack disrupted critical infrastructure across Ukraine, affecting government systems, financial institutions, energy providers, and transportation hubs. The incident began with Ukrainian Deputy Prime Minister Pavlo Rozenko reporting an inability to access government computers, accompanied by a system error message instructing users not to power down devices. Multiple organizations simultaneously experienced system failures, including the National Bank of Ukraine, state-owned Oschadbank, power distributor Ukrenergo, Boryspil International Airport, and state-run aircraft manufacturer Antonov. ATMs, supermarket payment systems, and airport departure displays became inoperable, displaying ransomware messages demanding $300 in Bitcoin payments to restore access to encrypted files. Security analysts identified the malware as Petrwrap (also called Petya), noting similarities to the WannaCry ransomware that caused global disruptions the previous month.

The attack occurred one day before Ukraine's Constitution Day and hours after Colonel Maksim Shapoval, a Ukrainian defense intelligence officer, was killed in a Kyiv car bombing labeled a terrorist act. While Ukrenergo confirmed power supplies remained unaffected, the National Bank described the incident as an "unknown virus" impacting several financial institutions. International companies including shipping conglomerate Maersk, Russian oil firm Rosneft, and steel producer Evraz also reported system disruptions from related cyber attacks. Ukrainian officials historically attributed similar infrastructure attacks to Russian actors, citing the 2015 power grid hack and ongoing tensions following Russia's 2014 annexation of Crimea. Russian authorities denied involvement in both the cyber attacks and support for eastern Ukrainian separatists. The incident highlighted broader cybersecurity concerns, with France's National Cybersecurity Agency director warning of escalating global cyber threats ranging from espionage to sabotage.