Cyber Incident Victim: Zaporizhzhiaenergo
Date: Jun 2017
Location: Ukraine
Summary
A cyberattack targeting a Ukrainian electricity company and other critical infrastructure entities deployed the NotPetya malware, initially disguised as ransomware but designed to cause irreversible system damage. The malware propagated through a compromised update mechanism of widely used Ukrainian accounting software, leading to widespread encryption and data destruction across government, financial, and energy sectors. While primarily affecting Ukrainian organizations, the attack caused global collateral damage to multinational corporations through interconnected networks, disrupting operations and incurring billions in recovery costs. Ukrainian authorities and international cybersecurity firms attributed the attack to Russian military-linked actors, citing prior patterns of disruptive cyber operations against Ukrainian infrastructure. The incident highlighted systemic vulnerabilities in software supply chains and legacy systems.
Description
The 2017 Ukraine ransomware attacks, initiated on June 27, began with the compromise of the MeDoc tax accounting software’s update mechanism. MeDoc, used by approximately 90% of Ukrainian businesses and installed on an estimated 1 million computers, distributed a malicious update containing the NotPetya malware. This modified version of Petya ransomware used the EternalBlue exploit against unpatched Windows systems over the Server Message Block (SMB) protocol, combined with Mimikatz-derived credential extraction, to propagate rapidly across networks. Upon execution, NotPetya encrypted Master File Tables and overwrote files, rendering systems unrecoverable regardless of whether the $300 Bitcoin ransom demand was paid. The attack coincided with Ukraine’s Constitution Day holiday, maximizing disruption because government offices were minimally staffed. Primary Ukrainian targets included ministries, banks, media outlets, transportation systems, and critical infrastructure operators. Ukraine’s radiation monitoring system at the Chernobyl Nuclear Power Plant was forced offline, while state electricity companies experienced computer outages but maintained manual operations. Over 80% of infections occurred in Ukraine, with secondary impacts in Germany, France, Russia, and other nations via global corporate networks.

Ukrainian authorities declared the attack contained by June 28 through cybersecurity interventions, though forensic analysis revealed the MeDoc update server had been compromised since at least May 15, indicating advanced planning. On July 4, Ukrainian police raided MeDoc’s offices and seized servers after discovering persistent backdoors. The Security Service of Ukraine (SBU) attributed the attack to Russian military intelligence (GRU), linking it to prior operations like the 2016 Kyiv power grid outage through shared Tactics, Techniques, and Procedures (TTPs) involving TeleBots and BlackEnergy malware. International cybersecurity firms corroborated this assessment, noting the malware’s surgical avoidance of Russian systems and destructive data-wiping behavior inconsistent with financial motives. Global corporations with Ukrainian operations—including Maersk, Merck, FedEx, and Reckitt Benckiser—reported severe supply chain disruptions, with cumulative damages exceeding $10 billion. The U.S. and UK governments formally attributed the attack to Russia in 2018, characterizing it as a state-sponsored cyber sabotage campaign against Ukrainian infrastructure. Ukrainian energy sector entities restored operations through manual processes while undertaking system rebuilds, with no evidence of successful file decryption despite ransom payments.
