Cyber Incident Victim: Zhuliany International Airport
Date: Jun 2017
Location: Ukraine
Summary
A cyber attack employing ransomware similar to WannaCry disrupted operations at Ukraine's largest airport, along with the national bank, state power distributor, and government systems. The malware, identified as Petrwrap or Petya, encrypted files and demanded Bitcoin payments, causing widespread system failures including disabled ATMs, airport departure boards, and government computer access. Multiple state-owned enterprises and international companies experienced IT outages, though critical infrastructure like power supplies remained operational. The incident occurred amid heightened geopolitical tensions, with Ukrainian authorities historically attributing such attacks to Russian actors, though direct attribution was not confirmed in this event.
Description
On June 27, 2017, a large-scale cyber attack disrupted Ukrainian government infrastructure and private companies, including Boryspil International Airport in Kiev, Ukraine's largest airport. The attack began with government systems, as Deputy Prime Minister Rozenko Pavlo reported an inability to access computers across the Cabinet of Ministers, accompanied by a network outage. Affected devices displayed an error message claiming disks "contain errors and need to be prepared," instructing users not to turn them off. Simultaneously, ransomware messages appeared on compromised systems across multiple organizations, demanding $300 in Bitcoin payments to restore access to encrypted files. The National Bank of Ukraine attributed the disruptions to an "unknown virus" affecting several unnamed banks and financial institutions, while state-owned Oschadbank confirmed service interruptions but assured customer data remained secure. At Boryspil International Airport, computer systems and departure boards became inoperable, disrupting operations. The attack also disabled ATMs and supermarket payment terminals nationwide, displaying the same ransom demand.

Analysts identified the malware as Petrwrap or Petya, noting similarities to the WannaCry ransomware that caused global disruptions the previous month. Ukrainian state enterprises were heavily impacted, including aircraft manufacturer Antonov and power distributor Ukrenergo, though the latter confirmed power supplies remained unaffected. The incident occurred one day before Ukraine's Constitution Day and hours after Colonel Maksim Shapoval, a defense intelligence officer, was killed in a Kiev car bombing labeled a "terrorist act." International companies including shipping firm Maersk, Russian oil company Rosneft, and steelmaker Evraz also reported system outages from cyber attacks, though direct connections to the Ukrainian incident remained unconfirmed. Ukrainian authorities had previously accused Russia of conducting cyber attacks against critical infrastructure since 2014, including a December 2015 power grid attack that caused temporary blackouts. The incident occurred amid ongoing tensions following Russia's annexation of Crimea and support for separatists in eastern Ukraine, though Russia consistently denied involvement in cyber operations. No Ukrainian entity confirmed paying ransoms, and restoration efforts proceeded without detailed public documentation of technical containment measures.
