Cyber Incident Victim: PetroChina

Date: May 2017

Location: Cocos (Keeling) Islands

Summary

The WannaCry ransomware attack infected over 200,000 computers across 150 countries, disrupting governments, hospitals, and businesses. Russia's interior ministry and firms like Megafon were attacked, but critical servers remained secure due to domestic software. Germany's Deutsche Bahn experienced electronic board failures at stations without service interruptions. China's universities and petrol stations linked to China National Petroleum Corp suffered outages, forcing students to pay ransoms and leaving motorists unable to use cards. Other impacted regions included South Korea, where a cinema chain was affected; Japan, with corporate email delays; Indonesia, where hospital patient files were locked; India, with police system compromises but vital systems spared due to patches; the UK, where the NHS turned away patients and a Nissan factory was hit; and Spain, where companies like Telefonica and Renault managed infections with temporary production halts but quick recoveries.


Description

The WannaCry ransomware cyber-attack, which began propagating globally on Friday, May 12, 2017, infected more than 200,000 computers across 150 countries by the following Sunday, according to Europol. The malware encrypted files on vulnerable Windows systems, displaying ransom demands in exchange for decryption keys. In China, the attack caused severe disruption, with networks at numerous universities reporting widespread infection. Students at these underfunded institutions, often using outdated or pirated software, found their laptops locked and were compelled to pay approximately $300 to regain access to end-of-year project work. Beyond academia, the malware impacted commercial and industrial sectors; for instance, the country's largest cinema chain, CJ CGV, experienced infection on advertisement servers linked to fifty cinemas, though film screenings continued as scheduled. A broader assessment by the Chinese internet security firm 360 Security indicated that hundreds of thousands of computers at nearly 30,000 institutions and organizations, including government agencies and hospitals, were affected nationwide. Within this landscape of systemic compromise, specific operational failures were reported at retail fuel outlets.


In the western Chinese city of Chongqing, petrol stations operated by China National Petroleum Corp, the parent entity of PetroChina, were directly incapacitated by the ransomware. The infection of the corporation's systems rendered these stations unable to process electronic card payments, a critical function for modern fuel retail. This localized failure exemplified the attack's capacity to disrupt essential consumer services through the compromise of corporate IT infrastructure. While the article does not detail PetroChina's specific internal detection or containment procedures, the public consequence was a tangible interruption in payment processing at these service points. The incident at CNPC's Chongqing stations was part of the larger pattern where the WannaCry worm exploited unpatched Windows vulnerabilities to spread rapidly across networked systems, causing operational paralysis wherever it successfully executed. The effect on fuel payment systems highlighted the vulnerability of even large, state-owned industrial enterprises to a globally propagating cyber weapon. This specific impact on PetroChina's downstream retail operations demonstrated how ransomware could move beyond traditional information technology environments to affect real-world economic activity and consumer convenience. The inability to accept card payments persisted as a direct result of the encrypted systems until remediation efforts, not described in the source, could restore functionality.
