Cyber Incident Victim: Boryspil International Airport
Date:
Jun 2017
Location:
Ukraine
Summary
A cyber attack targeting Ukrainian infrastructure disrupted operations at Boryspil International Airport, along with the national bank, state power provider, and government systems. The incident involved ransomware identified as Petrwrap or Petya, which encrypted files and demanded Bitcoin payments for restoration, displaying similar characteristics to the earlier WannaCry malware. Critical systems including airport computers and departure boards were rendered inoperable, while financial institutions faced ATM and service disruptions. The attack coincided with broader international impacts affecting companies like Maersk and Rosneft, though direct links to Ukraine's incident were unconfirmed. Ukrainian officials historically attributed such infrastructure-targeting cyber operations to Russian actors, allegations consistently denied by Russia. The event occurred amid heightened tensions following an intelligence officer's assassination in Kyiv.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On June 27, 2017, Boryspil International Airport near Kyiv experienced a disruptive cyberattack as part of a broader offensive against Ukrainian infrastructure. The attack disabled airport computers and departure display boards, halting normal operations at Ukraine's largest aviation hub. Simultaneously, multiple Ukrainian government systems were compromised, including workstations used by Deputy Prime Minister Pavlo Rozenko and other cabinet members, who reported being locked out of their devices. Affected computers displayed error messages claiming disk corruption alongside ransom demands for $300 in Bitcoin to restore access, consistent with ransomware behavior. The National Bank of Ukraine attributed disruptions at several financial institutions to an "unknown virus," while state-owned Oschadbank confirmed service interruptions from a "hacking attack" but assured customers their data remained secure. Critical infrastructure targets extended beyond aviation to include state power distributor Ukrenergo and state-run aircraft manufacturer Antonov, though power supplies remained unaffected.
The incident occurred hours after the assassination of Ukrainian intelligence officer Colonel Maksim Shapoval in Kyiv and one day before Ukraine’s Constitution Day observances. Forensic analysis identified the malware as Petrwrap (or Petya), exhibiting technical similarities to the WannaCry ransomware that caused global disruptions the previous month. Beyond Ukraine, multinational firms Maersk and Rosneft reported unrelated IT outages attributed to cyberattacks, though direct links to the Ukrainian campaign were unconfirmed. Domestic impacts included paralyzed ATMs, disabled supermarket payment systems, and widespread government IT failures. Ukrainian authorities historically accused Russia of orchestrating cyberattacks against critical infrastructure since 2014, though no direct attribution for this incident was provided in available reporting. The attack underscored systemic vulnerabilities across Ukrainian public and private sector networks during ongoing tensions with Russia following the annexation of Crimea.