Cyber Incident Victim: NotPetya ransomware
Date: Jun 2017
Location: Ukraine
Summary
NotPetya was delivered through a compromised update mechanism of the Ukrainian tax accounting software M.E.Doc and then spread on its own inside networks, using the EternalBlue SMB exploit against unpatched Windows hosts and credentials harvested with a Mimikatz-style tool to move laterally to patched ones. It primarily hit Ukraine's critical infrastructure, including banks, ministries and energy companies, disrupted the radiation monitoring system at the Chernobyl plant, and spread globally to multinational corporations in shipping, pharmaceuticals and logistics. Although presented as ransomware, it was built for permanent data destruction rather than extortion, and it caused billions of dollars in damage. Western governments attributed the attack to Russian military hackers, citing its continuity with earlier cyber operations against Ukrainian infrastructure amid ongoing geopolitical tensions.
Description
The NotPetya attack began on 27 June 2017, initially hitting Ukrainian organizations through the update mechanism of the M.E.Doc tax accounting software developed by Intellect Service. This software, used by approximately 90% of Ukrainian businesses, served as the primary infection vector: the attackers compromised its update server and pushed backdoored updates that fetched and executed the malicious payload. Once on a host, the malware spread by two routes. Against unpatched Windows systems it exploited the SMBv1 vulnerability (MS17-010, patched by Microsoft in March 2017) with the EternalBlue and EternalRomance exploits; against patched systems it harvested credentials from memory with a Mimikatz-derived tool and reused them to execute itself on neighbouring machines through PsExec and WMIC, so a single privileged login was enough to compromise an otherwise fully patched network. Unlike typical ransomware, NotPetya encrypted files, then overwrote the master boot record and encrypted the master file table behind a fake CHKDSK screen, and the "installation key" shown in its ransom note was random data unrelated to the encryption, so data was unrecoverable even if the ransom was paid. The attack was launched on the eve of Ukraine's Constitution Day holiday (28 June), maximizing disruption while government offices were minimally staffed. Within hours, critical Ukrainian infrastructure was affected, including banks (Oschadbank, Ukrsotsbank), ministries, the Kyiv Metro, energy firms (DTEK), telecommunications providers (Kyivstar) and the automated radiation monitoring system at the Chernobyl Nuclear Power Plant. By 28 June, Ukrainian authorities claimed to have halted the attack's spread, though recovery efforts continued for weeks.
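The execution chain described above (M.E.Doc's process launching the payload through rundll32, then lateral movement with WMIC and a renamed PsExec) leaves a distinctive trail in process-creation telemetry. The following hunting script is an added example written for this page, not code from the incident reports, from Intellect Service or from any vendor. The event records are constructed to resemble Sysmon or EDR process-creation logs (the field names, host names, credentials and IP addresses are assumptions), and the indicators it looks for (ezvit.exe as parent, rundll32 loading perfc.dat ordinal #1, wmic /node with explicit credentials, dllhost.dat run from ADMIN$ with -accepteula) follow the public analyses of NotPetya.

```python
"""Hunt for the NotPetya execution chain in process-creation events.

Added example for this page; not the incident's, M.E.Doc's or a vendor's code.
The sample events below are constructed to look like Sysmon/EDR logs, and
the rule patterns are the editor's own encoding of publicly reported NotPetya
indicators. Field names (host, parent_image, image, cmdline) are assumed.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    parent_image: str
    image: str
    cmdline: str


# Command-line indicators, applied to every event regardless of parent.
RULES = {
    # The payload DLL was dropped as C:\Windows\perfc.dat and run via export #1.
    "perfc_ordinal_1": re.compile(r"rundll32(\.exe)?\b.*perfc\.dat.*#1", re.I),
    # WMIC remote process creation with harvested credentials on the command line.
    "wmic_remote_exec_with_creds": re.compile(
        r"\bwmic(\.exe)?\s+/node:.*/user:.*/password:.*\bprocess\s+call\s+create\b", re.I),
    # PsExec copied to the target's ADMIN$ share under the name dllhost.dat.
    "psexec_renamed_dllhost_dat": re.compile(
        r"admin\$\\dllhost\.dat|\bdllhost\.dat\b.*-accepteula", re.I),
}


def evaluate(event):
    """Return the names of the rules an event triggers (empty list if benign)."""
    hits = []
    # Supply-chain entry point: the M.E.Doc process itself spawning rundll32.
    if (event.parent_image.lower().endswith("\\ezvit.exe")
            and event.image.lower().endswith("\\rundll32.exe")):
        hits.append("medoc_spawns_rundll32")
    for name, pattern in RULES.items():
        if pattern.search(event.cmdline):
            hits.append(name)
    return hits


def hunt(events):
    """Group rule hits by host so the spread from patient zero is visible."""
    by_host = {}
    for ev in events:
        hits = evaluate(ev)
        if hits:
            by_host.setdefault(ev.host, set()).update(hits)
    return {host: sorted(names) for host, names in by_host.items()}


# Constructed sample telemetry (not real logs): patient zero, one WMIC hop,
# one PsExec hop, and two benign rundll32/wmic uses that must not alert.
SAMPLE_EVENTS = [
    ProcEvent("acct-ws01", r"C:\Program Files\MEDoc\ezvit.exe",
              r"C:\Windows\System32\rundll32.exe",
              r'rundll32.exe "C:\Windows\perfc.dat",#1 60'),
    ProcEvent("acct-ws01", r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\System32\wbem\wmic.exe",
              r'wmic.exe /node:"10.0.0.12" /user:"CORP\svc_backup" /password:"P@ssw0rd" '
              r'process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1 60"'),
    ProcEvent("fin-srv02", r"C:\Windows\System32\services.exe",
              r"C:\Windows\dllhost.dat",
              r'\\fin-srv02\admin$\dllhost.dat \\10.0.0.13 -accepteula -s -d '
              r'C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1 60'),
    ProcEvent("hr-ws07", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl"),
    ProcEvent("hr-ws07", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\wbem\wmic.exe",
              r"wmic.exe os get caption"),
]


if __name__ == "__main__":
    for host, names in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(names)}")
```

The rules are deliberately narrow: rundll32 and WMIC are everyday Windows tools, so the script keys on the combination that was specific to this campaign (the perfc.dat ordinal-#1 invocation, credentials passed inline to wmic /node, PsExec renamed and run from ADMIN$) rather than on the tools themselves. Note that the WMIC hop on acct-ws01 triggers two rules, because the remote command line it creates carries the rundll32/perfc.dat payload string as well, which is exactly the overlap a responder wants when reconstructing the hop from an infected host to its next victim.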

The incident rapidly escalated into a global cyberattack because multinational corporations had Ukrainian subsidiaries or offices whose networks were connected to the corporate backbone. Major international companies affected included the shipping firm Maersk, the pharmaceutical company Merck & Co., the logistics provider FedEx (via its TNT Express subsidiary), the consumer goods manufacturer Reckitt Benckiser and the law firm DLA Piper. Merck reported $870 million in damages, Maersk around $300 million and FedEx $400 million, and a later U.S. government (Homeland Security) estimate put total global damages above $10 billion. Ukrainian police raided Intellect Service's offices on 4 July 2017 and seized its servers after investigators found that backdoored M.E.Doc updates had been distributed since April-May 2017. Attribution work by Ukraine's Security Service (SBU) and the security firms ESET and Cisco Talos linked the attack to the Russian military-affiliated TeleBots group, citing overlaps with earlier operations such as the December 2016 attack on Kyiv's power grid. In February 2018 the U.S. and UK governments publicly attributed NotPetya to the Russian military, and the October 2020 U.S. indictment of GRU Unit 74455 officers included NotPetya among their operations, placing it in the context of the geopolitical tensions that followed Russia's 2014 annexation of Crimea. Despite Russian denials, the evidence indicated deliberate targeting of Ukrainian infrastructure, with the global damage a by-product of the malware's uncontrolled propagation across networks that were connected to Ukrainian sites.
