Cyber Incident Victim: Ministry of Energy of Ukraine
Date: Jun 2017
Location: Ukraine
Summary
A cyberattack using the NotPetya malware targeted Ukrainian critical infrastructure, including the Energy Ministry, through a compromised update mechanism of widely used accounting software. Disguised as ransomware, the malware was designed to cause irreversible data destruction and system disruption, affecting energy facilities, banks, transportation, and government entities. To propagate across networks it combined the EternalBlue SMB exploit with Mimikatz-style credential harvesting, temporarily disabling radiation monitoring at Chernobyl and causing international collateral damage to multinational corporations. Attribution investigations by Ukrainian authorities and international cybersecurity firms linked the operation to Russian military hackers, specifically the Sandworm group, as part of a broader pattern of cyber aggression against Ukraine. The incident resulted in billions in global economic losses.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
The 2017 Ukraine ransomware attacks began on June 27 when a modified version of the Petya malware (dubbed NotPetya) spread through compromised updates of the M.E.Doc tax accounting software, which was installed on approximately 1 million Ukrainian computers. Attackers had infiltrated the update servers of M.E.Doc's developer, Intellect Service, as early as April 2017, enabling them to distribute malicious payloads to the 400,000 Ukrainian businesses that relied on the software. Once inside a network, the malware propagated using the EternalBlue SMB exploit and Mimikatz-style credential harvesting, encrypting master file tables and overwriting files permanently even though it displayed ransom demands for $300 in Bitcoin. Ukraine's Energy Ministry was among the primary targets: radiation monitoring systems at the Chernobyl Nuclear Power Plant were disabled, alongside disruptions at Boryspil International Airport, Ukrainian Railways, the State Savings Bank, and multiple ministries. The attack coincided with Ukraine's Constitution Day holiday, maximizing disruption while government offices were closed. By June 28, Ukrainian cybersecurity specialists had contained the outbreak, though irreversible damage to critical systems had already occurred.

The incident caused global collateral damage through multinational corporations with Ukrainian operations, including Merck & Co., Maersk, and Reckitt Benckiser, which collectively suffered over $10 billion in losses. Forensic analysis revealed that NotPetya's primary function was data destruction rather than ransom collection, and Ukrainian authorities attributed the attack to Russian military hackers (GRU) based on malware signatures matching the earlier BlackEnergy and TeleBots campaigns against Ukraine's energy grid. The Security Service of Ukraine (SBU) publicly identified Russian involvement by July 1, and on July 4 Ukrainian police seized M.E.Doc's servers after discovering persistent backdoors. International corroboration came in February 2018, when the White House and the UK Ministry of Defence formally attributed the attack to Russia, noting its alignment with the hybrid warfare tactics that followed the 2014 annexation of Crimea. Domestic recovery efforts included manual operation of Ukraine's electricity grid and full restoration of Oshchadbank's systems by July 3, though companies such as the FedEx subsidiary TNT Express reported ongoing disruptions for months.
