Cyber Incident Victim: Inter

Date:

Jun 2017

Location:

Ukraine

Summary

A destructive cyberattack utilizing modified ransomware called NotPetya targeted critical infrastructure through a compromised software update mechanism in a Ukrainian tax accounting application. The malware, designed to inflict maximum damage rather than generate ransom payments, irreversibly encrypted files and spread globally via network vulnerabilities, affecting government systems, financial institutions, energy providers, and multinational corporations. Primary impact occurred within the country's public and private sectors, disrupting operations at airports, banks, and radiation monitoring systems, while secondary infections caused significant financial losses to international firms through supply chain disruptions. The incident was attributed to Russian military hackers by multiple governments and cybersecurity experts, with estimated global damages exceeding $10 billion due to its widespread destructive effects.

Description

The 2017 Ukraine ransomware attacks, commonly referred to as NotPetya, began on 27 June 2017 with the distribution of malware through a compromised update mechanism of the Ukrainian tax accounting software M.E.Doc, developed by Intellect Service. M.E.Doc’s update server pushed malicious code to approximately 400,000 Ukrainian businesses that relied on the software, representing 90% of domestic firms. The malware, a modified variant of the Petya ransomware, exploited the EternalBlue vulnerability in unpatched Windows systems and used Mimikatz-derived techniques to harvest credentials from memory, enabling lateral movement across networks. Unlike typical ransomware, NotPetya irreversibly encrypted master file tables and overwrote files, rendering recovery impossible even after payment. Security researchers confirmed the attack’s primary distribution vector was M.E.Doc’s update infrastructure, which attackers had compromised as early as April 2017, embedding backdoors for persistent access. The timing coincided with Ukraine’s Constitution Day holiday, maximizing disruption during reduced staffing. Initial infections crippled Ukrainian ministries, banks, metro systems, utilities like Ukrtelecom, and critical infrastructure including Chernobyl’s radiation monitoring systems. Within hours, the malware spread internationally via multinational corporate networks with Ukrainian operations.

The attack impacted over 1,500 Ukrainian legal entities and disrupted global companies including Merck & Co., Maersk, FedEx’s TNT Express, Reckitt Benckiser, and Saint-Gobain, causing cascading supply chain failures. Ukrainian authorities halted the malware’s spread by 28 June through coordinated cybersecurity interventions but faced persistent risks from undetected backdoors in M.E.Doc’s systems, leading to a 4 July police raid on Intellect Service’s offices to seize servers. Forensic analysis revealed that the malware deliberately spared certain system profiles, indicating targeted disruption rather than financial motives. Total damages exceeded $10 billion, with Merck reporting $870 million in losses and Maersk $300 million. The Security Service of Ukraine (SBU) attributed the attack to Russian military intelligence (GRU), linking it to prior operations by the TeleBots group, which had targeted Ukrainian energy and financial sectors since 2014. The U.S. and UK governments formally accused Russia in 2018, citing the GRU’s use of NotPetya as part of hybrid warfare against Ukraine. Intellect Service faced criminal liability for negligence after ignoring prior security warnings about its update infrastructure. By August 2017, companies like Oshchadbank had restored operations, though entities like TNT Express reported ongoing delivery disruptions for months due to irreversible system damage.
