Cyber Incident Victim: Ukrhazbank
Date: Jun 2017
Location: Ukraine
Summary
A major cyberattack targeted Ukrainian organizations through a compromised update mechanism in widely used tax accounting software, leading to widespread disruptions across banking, government, and critical infrastructure sectors. The malware, identified as a destructive variant of Petya ransomware, propagated globally via EternalBlue exploits and credential theft tools, causing permanent data loss and operational paralysis at numerous international corporations. Ukrainian authorities and multiple Western governments attributed the incident to Russian military actors, citing its alignment with prior cyber operations against the country's infrastructure. The attack inflicted billions in damages globally, particularly affecting logistics, pharmaceutical, and energy firms with Ukrainian connections.
Description
The NotPetya cyberattack began on 27 June 2017 with the compromise of the update mechanism for M.E.Doc, a Ukrainian tax accounting application used by approximately 90% of domestic firms. Attackers distributed malware through a malicious update pushed to M.E.Doc’s 400,000 customers, exploiting the software’s automatic update system. The malware, a modified version of Petya ransomware dubbed "NotPetya," used the EternalBlue exploit against unpatched Windows systems and Mimikatz to harvest credentials, enabling lateral movement across networks. Initial infections primarily affected Ukrainian entities, including banks (Oschadbank, Ukrsotsbank), government ministries, the Chernobyl Nuclear Power Plant’s radiation monitoring system, Boryspil International Airport, Ukrainian Railways, and energy firms. Within 24 hours, ESET estimated that 80% of infections had occurred in Ukraine, with Germany accounting for 9%. The malware encrypted Master File Tables and overwrote files irreversibly, even though it displayed ransom demands for $300 in Bitcoin. Ukrainian authorities declared the attack contained on 28 June, though global spread had already occurred through multinational subsidiaries.

The incident caused widespread operational disruptions, with Chernobyl switching to manual radiation monitoring and Ukrainian banks temporarily suspending services. Globally, the attack impacted over 1,500 entities, including Merck & Co., Maersk, FedEx’s TNT Express, Reckitt Benckiser, and Saint-Gobain, with total damages exceeding $10 billion. Merck reported $870 million in losses, while Maersk and FedEx incurred $400 million and $300 million respectively. Ukrainian police raided M.E.Doc’s offices on 4 July, seizing servers after discovering backdoors installed as early as April 2017. Attribution investigations by Ukraine’s Security Service (SBU) linked the attack to Russian military hackers (GRU) via infrastructure overlaps with prior operations (TeleBots, BlackEnergy). The U.S. White House and UK government formally attributed NotPetya to Russia in 2018, citing its disruptive intent against Ukrainian infrastructure. No functional decryption method was recovered, and ransom payments proved futile due to the malware’s destructive design.
