Cyber Incident Victim: China National Cereals, Oils and Foodstuffs Corporation
Date: Jun 2017
Location: Argentina
Summary
A ransomware attack utilizing the EternalBlue exploit code disrupted global operations, initially spreading through compromised Ukrainian tax software and a local news website. The malware encrypted systems and demanded ransom payments, impacting ports, logistics, and manufacturing facilities worldwide. COFCO Group experienced operational disruptions at its Argentine port facilities. Other affected entities included shipping firms, energy companies, and food producers, with significant congestion at major international ports and halted production lines. Security researchers noted the attack's potential state-sponsored origins, given its disruptive nature and limited financial demands, which contrasted with typical ransomware objectives. The incident highlighted vulnerabilities in interconnected corporate networks, particularly those with Ukrainian operations.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
The incident began on June 27, 2017, when a cyber virus originating in Ukraine spread globally, disrupting operations across multiple industries. Initial infections occurred through compromised updates for the MEDoc tax accounting software widely used in Ukraine and through a hacked local news website in Bakhmut, both of which delivered ransomware payloads. The malware rapidly propagated within corporate networks, leveraging the EternalBlue exploit believed to have been developed by the NSA. Unlike the earlier WannaCry attack, this ransomware required manual activation within networks but could spread laterally once inside organizational systems. Ukrainian organizations bore the brunt initially, with 80% of detected infections occurring there before the malware spread internationally through companies with Ukrainian operations.

Affected entities included shipping giant A.P. Moller-Maersk, which experienced severe disruptions at 76 global ports including Mumbai, Rotterdam, and Los Angeles, congesting cargo operations. FedEx's TNT Express division suffered significant impacts, while China's COFCO Group faced operational disruptions at its Argentine port facilities. Russian oil firm Rosneft reported serious system consequences but maintained production using backup systems. The ransomware encrypted files and demanded payments of $300 in bitcoin, though only 30+ ransoms were paid before German provider Posteo disabled the attackers' email contact address. Organizations that had applied recent Microsoft security patches and disabled Windows file-sharing features largely avoided infection. Containment efforts involved international cyber teams analyzing the malware's propagation methods, while Microsoft confirmed MEDoc's updater process as an initial infection vector despite the software vendor's denials. The attack's limited ransom demands and disruptive effects led some experts to assess it as a potential state-sponsored experiment in destructive cyber operations rather than financially motivated crime.
