
Cyber Incident Victim: WPP plc

Date:

Jun 2017

Location:

Ukraine

Summary

A sophisticated ransomware attack, leveraging NSA-developed tools including the EternalBlue exploit, originated in Ukraine and spread globally, impacting organizations such as WPP plc, Maersk, Merck, and DLA Piper. The malware, identified as an enhanced variant of Petya, encrypted entire hard drives and demanded Bitcoin ransoms, and it lacked the kill switch present in the earlier WannaCry attacks. Critical disruptions occurred across sectors: Ukrainian ATMs and radiation monitoring systems at Chernobyl failed, hospitals canceled surgeries, and factories halted operations. While Ukrainian officials implicated Russia, Russian entities such as the Home Credit bank were also compromised. The attack exploited unpatched systems and stolen credentials, underscoring how exposed organizations remained despite the security updates already available to them.

CIA Posture: Available to members

Motives: 1 motive

Tactics, Techniques & Procedures: 1 technique

Threat Actor: 1 actor

Type: Available to members

Location: Available to members

Description

The global cyberattack began on June 27, 2017, initially targeting Ukrainian infrastructure before rapidly spreading internationally. Systems at Ukraine's Chernobyl nuclear plant lost computer monitoring capabilities, forcing workers to track radiation levels manually. The attack simultaneously disrupted operations across multiple sectors: ATMs and postal services ceased functioning in Kiev, the Russian lender Home Credit suspended operations at all branches, and the Evraz steel company faced disruptions affecting 80,000 employees. The ransomware leveraged multiple propagation methods, including EternalBlue (an NSA-developed exploit leaked by the Shadow Brokers) alongside credential theft techniques; the latter allowed it to spread even to machines that had received the Microsoft patches deployed after the earlier WannaCry incident. Security researchers identified the malware as an enhanced variant of the Petya ransomware, lacking WannaCry's kill switch and employing more destructive encryption that locked entire hard drives rather than individual files.


Impacted organizations spanned 24 countries and suffered severe operational consequences. Heritage Valley Health Systems in Pennsylvania canceled medical procedures and closed satellite locations, while Cadbury's Hobart factory in Australia displayed ransom demands on production systems. Multinational corporations including Maersk, Merck, and DLA Piper experienced global network outages, with the law firm proactively disabling its email systems to contain the spread. Attackers demanded $300 in Bitcoin per infected device, though only 30 transactions had been recorded by the afternoon. Ukrainian officials attributed the attack to Russia despite Russian entities also being affected. Government responses included Australia's cybersecurity minister urging businesses to apply patches and maintain backups, while Symantec researchers confirmed the malware's use of the NSA exploit. The incident highlighted systemic weaknesses in large organizations' patch deployment processes, with critical infrastructure and multinational corporations suffering prolonged downtime because the encryption could not be reversed.

Sources
Sources available to members
1 source