Cyber Incident Victim: Example Corporation

Date:

Jun 2017

Location:

Ukraine

Summary

A cyberattack utilizing modified Petya malware, dubbed NotPetya, disrupted critical infrastructure in Ukraine through a compromised update mechanism of widely used tax accounting software. The malware propagated via EternalBlue and credential theft exploits, causing irreversible file encryption and system damage across financial institutions, government ministries, energy providers, and transportation networks. While primarily targeting Ukrainian entities, the attack spread globally, impacting multinational corporations in shipping, pharmaceuticals, and manufacturing, resulting in operational paralysis and billions in damages. Attribution investigations by multiple governments and cybersecurity firms linked the attack to Russian military actors, characterizing it as state-sponsored sabotage rather than financially motivated ransomware.

Motives: 3 motives

Tactics, Techniques & Procedures: 1 technique

Threat Actor: 1 actor

Description

The 2017 Ukraine ransomware attacks, commonly referred to as NotPetya, began on June 27, 2017, when a compromised update for the Ukrainian tax accounting software MeDoc (M.E.Doc) was distributed to its users. MeDoc, used by approximately 90% of Ukrainian businesses and installed on an estimated 1 million computers in the country, served as the primary infection vector. The malware, a modified variant of the Petya ransomware dubbed NotPetya, exploited the vulnerability targeted by the EternalBlue exploit in older Windows systems, a flaw Microsoft had patched in March 2017 but that remained unaddressed on many networks. NotPetya encrypted the Master File Table of infected systems, forced reboots, and displayed a ransom demand for $300 in Bitcoin. However, forensic analysis revealed that the malware was designed to cause irreversible damage by overwriting files and hard drives rather than enabling decryption, and that it contained no kill switch. The attack rapidly spread through Ukraine’s financial, governmental, and critical infrastructure sectors, disrupting the radiation monitoring system at the Chernobyl Nuclear Power Plant, ministries, banks such as Oshchadbank, metro systems, airports, and utilities such as Ukrtelecom. By June 28, 80% of infections were concentrated in Ukraine, with secondary impacts in Germany, France, Italy, Poland, Russia, the UK, the US, and Australia.

Ukrainian authorities halted the attack’s spread by June 28, though data recovery efforts continued. On July 4, 2017, Ukrainian police raided MeDoc’s offices and seized servers after discovering a backdoor in its update system, which evidence suggested had been compromised since at least May 2017. The Security Service of Ukraine (SBU) attributed the attack to Russian military intelligence (GRU), linking it to prior cyber operations like the December 2016 BlackEnergy and TeleBots campaigns targeting Ukrainian energy and financial systems. International corroboration followed, with the US CIA and UK Ministry of Defence formally accusing Russia in 2018, though Russia denied involvement. The attack caused over $10 billion in global damages, affecting multinational corporations including Merck ($870 million), FedEx ($400 million), Maersk ($300 million), Reckitt Benckiser ($130 million in lost sales), and Saint-Gobain ($384 million). Ukrainian entities faced prolonged operational disruptions, with 1,500 legal entities reporting impacts to the National Police. NATO pledged enhanced cyber defense support to Ukraine, while the White House condemned the attack as "the most destructive and costly cyberattack in history" in February 2018.
