
Cyber Incident Victim: Borys Medical Center

Date:

Jun 2017

Location:

Ukraine

Summary

The NotPetya cyberattack targeted Ukrainian infrastructure through compromised tax-software updates, deploying malware that used the EternalBlue SMB exploit to spread, encrypt systems and disrupt operations. While masquerading as ransomware, its destructive wiper functionality permanently damaged data across government agencies, banks, energy providers, and medical facilities such as Borys Medical Center, with collateral global impact on multinational corporations. Security researchers and governments attributed the attack to Russian military intelligence (the GRU's Sandworm unit), citing its focus on Ukraine and its irreversible data destruction. Crippled IT systems and supply chains caused over $10 billion in damages worldwide.

CIA Posture: Available to members

Motives: 2 motives

Tactics, Techniques & Procedures: 1 technique

Threat Actor: 1 actor

Type: Available to members

Location: Available to members

Description

The NotPetya cyberattack began on June 27, 2017, initially targeting Ukrainian entities through the compromised software update mechanism of M.E.Doc, a tax accounting program used by approximately 90% of Ukrainian businesses. The malware, a modified variant of the 2016 Petya ransomware, exploited a vulnerability in the Windows SMB protocol using EternalBlue, an exploit developed by the NSA and leaked in April 2017, and combined it with credential-harvesting tools such as Mimikatz to propagate across networks. The attack coincided with Ukraine's Constitution Day holiday, maximizing disruption because government offices were minimally staffed. Critical Ukrainian infrastructure was severely impacted: radiation monitoring systems at the Chernobyl Nuclear Power Plant went offline, ministries and banks including Oschadbank and PrivatBank were paralyzed, transportation systems such as the Kyiv Metro halted operations, and state enterprises such as Ukrtelecom and Ukrainian Railways experienced system failures. Over 1,500 Ukrainian legal entities reported infections, and ESET estimated that 80% of global infections occurred in Ukraine. The malware masqueraded as ransomware but functioned as a wiper: it irreversibly encrypted master boot records and overwrote files without a functional recovery mechanism, even though it demanded a $300 ransom payable in Bitcoin.


The attack rapidly spread globally through the networks of multinational corporations with Ukrainian operations. Major international victims included the shipping giant Maersk, which suffered $200-300 million in losses; the pharmaceutical firm Merck, which reported $870 million in damages; the FedEx subsidiary TNT Express ($400 million impact); the law firm DLA Piper; the advertising conglomerate WPP; and the consumer goods company Reckitt Benckiser, which lost 2% of quarterly sales. The White House later assessed total damages at more than $10 billion. Ukrainian cyber police seized M.E.Doc's servers on July 4 after detecting ongoing backdoor access dating to at least May 2017; the investigation revealed that security updates had been neglected since 2013 and found evidence of Russian-linked compromises. Forensic analysis by ESET and Cisco Talos confirmed the operation as a coordinated state-sponsored attack attributed to Russia's GRU military intelligence unit Sandworm, which reused infrastructure from the 2016 attacks on the Ukrainian power grid. The U.S., UK, Australian, and EU governments formally blamed Russia in February 2018, and the U.S. Department of Justice indicted GRU officers in October 2020. Mitigation efforts included emergency patching against EternalBlue, the creation of file-based "vaccines" that blocked the malware's encryption routine, and Posteo's suspension of the attackers' payment email account. Insurance disputes followed: Zurich American denied Mondelez International's $100 million claim by invoking an "act of war" exclusion, and the case settled confidentially in 2022.
