Cyber Incident Victim: National Bank of Ukraine
Date: Jun 2017
Location: Ukraine
Summary
A cyber attack employing ransomware identified as Petrwrap or Petya disrupted operations at Ukraine's National Bank, along with state power providers, airports, government systems, and financial institutions. The attack encrypted files and demanded Bitcoin payments, causing widespread system outages that disabled ATMs, payment systems, and government computers. Similarities to the WannaCry ransomware were noted. Power supplies remained unaffected. The incident occurred amid heightened geopolitical tensions, with Ukraine historically attributing such infrastructure attacks to state-sponsored actors, though no direct attribution was confirmed. Concurrent cyber attacks affected international entities, including a Russian oil firm and a Danish shipping company, highlighting broader disruption beyond Ukrainian borders.
Description
On June 27, 2017, a widespread cyber attack disrupted critical infrastructure across Ukraine, affecting government systems, financial institutions, and transportation hubs. The National Bank of Ukraine reported an "unknown virus" impacted several unnamed Ukrainian banks and financial firms, while Oschadbank—one of the country's largest state-owned lenders—confirmed service disruptions due to a "hacking attack" but assured customer data remained secure. Simultaneously, Ukrainian Deputy Prime Minister Rozenko Pavlo stated government computers were inoperable, displaying a message claiming disks contained errors and instructing users not to power down devices. Boryspil International Airport in Kiev experienced system failures affecting computers and departure boards. Power distributor Ukrenergo was compromised, though electricity supplies remained unaffected, and state-run aircraft manufacturer Antonov also reported breaches. The attack disabled ATMs and supermarket payment terminals across the country, with infected machines displaying ransomware messages demanding $300 in Bitcoin to decrypt files. Security analysts identified the malware as Petrwrap (also called Petya), noting similarities to the WannaCry ransomware that caused global disruptions the previous month.

The incident occurred hours after Colonel Maksim Shapoval—a Ukrainian defense intelligence officer—was assassinated in a Kiev car bombing, and one day before Ukraine's Constitution Day observances. Beyond Ukraine's borders, multinational companies Maersk and Rosneft reported IT system outages attributed to cyber attacks, though direct links to the Ukrainian incident remained unconfirmed. Ukrainian authorities historically attributed multiple cyber attacks on critical infrastructure to Russian actors, including a December 2015 power grid attack that caused temporary blackouts in western Ukraine. The 2017 attack exacerbated existing tensions stemming from Russia's 2014 annexation of Crimea and support for separatist forces in eastern Ukraine, though Russia consistently denied involvement in cyber operations against Ukraine. Domestic responses included immediate system isolation and public assurances from affected entities, while international observers noted the incident's alignment with escalating global cyber threats targeting governmental and economic systems.
