Cyber Incident Victim: Ukrposhta

Date: Jun 2017

Location: Ukraine

Summary

A widespread cyber attack employing ransomware similar to WannaCry disrupted critical Ukrainian infrastructure, including government systems, financial institutions, a major airport, and energy providers. The malware, identified as Petrwrap or Petya, encrypted files and demanded Bitcoin payments for restoration, causing operational outages such as disabled ATMs, halted government computers, and disrupted airport services. While power supplies remained unaffected, banking operations and corporate IT systems—including international entities like Maersk and Rosneft—experienced significant interruptions. The incident occurred amid heightened tensions following an intelligence officer's assassination and historical accusations of state-sponsored cyber aggression against Ukraine, though attribution remained unconfirmed. The attack underscored vulnerabilities in interconnected global systems, impacting multiple sectors beyond national borders.

Description

On June 27, 2017, a widespread cyber attack disrupted critical infrastructure across Ukraine, affecting government systems, financial institutions, energy providers, and transportation hubs. The incident began with the infection of computers at Ukraine’s National Bank, state power distributor Ukrenergo, and Boryspil International Airport—the country’s largest airport. Deputy Prime Minister Pavlo Rozenko reported an inability to access government computers, posting an image of his PC displaying a disk error message urging users not to power down devices. Ransomware messages appeared on compromised systems, demanding $300 in Bitcoin to restore access to encrypted files. Analysts identified the malware as Petrwrap (or Petya), noting similarities to the WannaCry ransomware that caused global disruptions the previous month. Ukrainian state-owned aircraft manufacturer Antonov and major lender Oschadbank confirmed service disruptions, though Oschadbank assured customer data remained secure. The attack disabled ATMs, supermarket payment systems, and airport departure boards, causing operational chaos. Ukrenergo stated power supplies remained unaffected despite the intrusion.

The incident occurred hours after Colonel Maksim Shapoval, a Ukrainian defense intelligence officer, was assassinated in a Kiev car bombing—a timing that heightened tensions amid Ukraine’s Constitution Day observances. International entities including Danish shipping firm Maersk, Russian oil company Rosneft, and steelmaker Evraz also reported server disruptions, though direct links to the Ukraine attack remained unconfirmed. Ukrainian authorities historically attributed similar cyber assaults to Russia, citing the 2015 power grid attack and ongoing geopolitical strife following Russia’s 2014 annexation of Crimea. Russia denied involvement in cyber operations against Ukraine. Concurrently, the UK Parliament disclosed a separate cyber intrusion compromising parliamentary accounts, though only 1% of users were directly affected. French cybersecurity official Guillaume Poupard warned of escalating global cyber threats from state and non-state actors, emphasizing risks of espionage, sabotage, and financial fraud. The attack underscored vulnerabilities in critical infrastructure systems amid intensifying cyber warfare dynamics.
