Cyber Incident Victim: Ukrainian Organizations
Date: Jun 2017
Location: Ukraine
Summary
A cyberattack utilizing modified Petya malware (NotPetya) targeted Ukrainian entities through a compromised software update for a widely used tax accounting program, causing widespread disruption to banks, government ministries, critical infrastructure, and media outlets. The malware, designed to inflict permanent data destruction rather than facilitate ransom payments, exploited Windows vulnerabilities to propagate across networks, affecting global organizations with Ukrainian operations including logistics, pharmaceutical, and consumer goods firms. Attribution by multiple governments and security firms identified Russian military involvement, though Russia denied responsibility. The incident resulted in billions in global financial damages due to operational paralysis and data loss across affected systems.
Description
The 2017 Ukraine ransomware attacks began on 27 June with a cyber intrusion targeting Ukrainian organizations through compromised software updates. Attackers infiltrated the update servers of M.E.Doc, a tax accounting package used by approximately 90% of Ukrainian businesses, pushing malicious code to an estimated 1 million computers. The malware, a modified variant of Petya ransomware dubbed NotPetya, exploited the EternalBlue vulnerability in unpatched Windows systems and used Mimikatz-derived techniques to harvest credentials from memory. Unlike typical ransomware, NotPetya irreversibly encrypted files and overwrote hard drives while masquerading as decryptable ransomware demanding payments of $300 in Bitcoin. Initial infections concentrated in Ukraine (80% of cases), crippling critical infrastructure including the Chernobyl Nuclear Power Plant's radiation monitoring system, ministries, banks (Oshchadbank, State Savings Bank), utilities (Ukrtelecom), transportation networks (Ukrainian Railways, Boryspil Airport), and media outlets. The attack coincided with Ukraine's Constitution Day holiday, exploiting reduced staffing to maximize spread.

Ukrainian authorities declared the attack contained by 28 June through cybersecurity interventions, though global repercussions emerged as multinational corporations with Ukrainian operations—including Merck, Maersk, Reckitt Benckiser, and Saint-Gobain—suffered cascading disruptions. Forensic investigations revealed the M.E.Doc compromise dated to at least April 2017, with backdoors enabling sustained access. On 4 July, Ukrainian police seized M.E.Doc's servers after discovering dormant attack capabilities. Security firms ESET and Cisco Talos confirmed Russian-linked threat actors (TeleBots/Sandworm), previously associated with Ukraine's 2016 power grid attacks, orchestrated the campaign. The U.S. CIA and UK government later attributed NotPetya to Russia's GRU military intelligence, noting its $10+ billion total damages across 1,500+ Ukrainian entities and global victims. Financial impacts included Merck's $870 million losses, Maersk's $300 million costs, and Reckitt Benckiser's 2% quarterly revenue decline. Despite ransom demands, payment mechanisms proved nonfunctional, confirming the attack's primary objective as disruption rather than financial gain.
