
Cyber Incident Victim: Government of Ukraine

Date: Jun 2017

Location: Ukraine

Summary

A destructive cyberattack employing NotPetya malware, masquerading as ransomware, targeted Ukrainian infrastructure through a compromised software update mechanism in a widely used tax accounting program. The attack crippled critical systems including banks, government ministries, and energy facilities, while also causing significant collateral damage to multinational corporations globally. Security analysts and Western governments attributed the operation to Russian military intelligence units, citing its precision and its alignment with prior cyber campaigns against the country. The incident resulted in over $10 billion in damages across affected organizations, making it one of the costliest cyber incidents on record.


Description

The 2017 Ukraine ransomware attacks, commonly referred to as NotPetya, began on 27 June 2017 with a malware-laden update to M.E.Doc, a widely used Ukrainian tax accounting software package developed by Intellect Service. The compromised update server distributed the malicious payload to approximately 400,000 Ukrainian businesses and 1 million computers, representing 90% of domestic firms. Security analysts identified the malware as a modified variant of Petya ransomware, rebranded as NotPetya because of its destructive enhancements. Unlike typical ransomware, NotPetya employed multiple propagation mechanisms: it exploited the EternalBlue Windows vulnerability (previously used in WannaCry), leveraged Mimikatz-derived credential theft tools to spread across networks, and permanently overwrote files rather than offering any feasible path to decryption. Initial infections were concentrated in Ukraine, where 80% of cases occurred, before spreading internationally through the global corporate networks of companies with Ukrainian operations.


The attack crippled critical Ukrainian infrastructure, including the radiation monitoring system at Chernobyl Nuclear Power Plant, ministries, banks (Oshchadbank, State Savings Bank), metro systems, airports, energy firms (UkrGasVydobuvannya), and telecommunications providers (Kyivstar). Over 1,500 entities reported impacts to Ukrainian authorities. Globally, multinational corporations such as Merck, Maersk, FedEx (via TNT Express), Reckitt Benckiser, Saint-Gobain, and Mondelez International suffered operational disruptions, with total damages exceeding $10 billion according to U.S. officials. Ukrainian cybersecurity forces contained the attack by 28 June through coordinated intervention, though data recovery proved impossible because of NotPetya's file-wiping functionality. Subsequent investigations revealed that the malware's backdoor had been implanted in M.E.Doc's systems as early as April-May 2017, prompting Ukrainian police to seize Intellect Service's servers on 4 July. Attribution efforts by Ukraine's Security Service (SBU) and international agencies linked the attack to Russian military intelligence (GRU), citing similarities to prior cyber operations by the TeleBots and Sandworm groups against Ukrainian infrastructure. The U.S. and UK governments formally accused Russia of orchestrating the attack in 2018, while affected corporations faced prolonged recovery periods, with some, such as TNT Express, still resolving disruptions months later.
