Cyber Incident Victim: UkrGasVydobuvannya
Date:
Jun 2017
Location:
Ukraine
Summary
A widespread cyberattack involving the Petya.A ransomware severely disrupted operations across Ukrainian critical infrastructure and commercial entities, including financial institutions, media outlets, energy providers, postal services, telecommunications firms, and transportation systems. The attack forced multiple banks to limit customer services, halted operations at postal branches, disabled payment systems in metro services, and caused website outages for news agencies and airports. While some telecommunications providers maintained normal operations, the ransomware encrypted systems at several state and private organizations, leading to temporary shutdowns of customer-facing services and internal networks. The incident impacted numerous sectors simultaneously, with financial and logistical services experiencing significant operational paralysis.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On June 27, 2017, multiple Ukrainian organizations experienced widespread disruptions from a cyberattack initially reported against financial institutions and media companies. Oschadbank restricted client services as a security precaution, advising pensioners to use other banks' ATMs without fees. The National Police of Ukraine confirmed several state financial institutions were compromised, with cyber police units investigating the incidents. Media holding TRK Lux—encompassing 24 Channel, Radio Lux, Radio Maximum, and affiliated websites—suffered operational failures, while news outlet Korrespondent's website became inaccessible around 15:00 local time. Energy distributors Kyivenergo and Ukrenergo reported technical malfunctions, followed by disruptions at Ukrposhta, Nova Poshta, and Ukrtelekom. Nova Poshta suspended all branch operations and contact center services due to a "massive attack" by the Petya.A ransomware, explicitly identified as an encrypting virus. Ukrtelekom acknowledged the ransomware incident but maintained telephone and internet services despite the compromise.
The attack expanded to critical infrastructure, with Boryspil Airport's flight schedule system becoming temporarily unavailable; its CEO described the incident as a "spam attack." Television channel ATR experienced operational failures, while Kyiv Metro disabled bank card payments due to the attack. Ukrposhta's official website remained non-functional during the incident. Mobile operators Kyivstar and Vodafone operated normally without reported impact. No entity disclosed data theft or permanent system damage, focusing instead on containment through service restrictions and public notifications. Response actions were limited to reactive measures: financial institutions implemented predefined security protocols restricting transactions, logistics firms suspended customer operations, and law enforcement initiated investigations without releasing attribution details or recovery timelines.