
Cyber Incident Victim: Sandworm

Date:

Jun 2017

Location:

Ukraine

Summary

A cyberattack delivered through the compromised update mechanism of a widely used Ukrainian tax accounting package deployed the NotPetya malware, which masqueraded as ransomware but was built to cause irreversible data destruction. The malware propagated across networks by exploiting the SMBv1 flaw targeted by the EternalBlue exploit (CVE-2017-0144, fixed by MS17-010) on unpatched Windows hosts, and by replaying credentials harvested from memory with Mimikatz-style techniques; Mimikatz is a credential-dumping tool, not a vulnerability. Its impact fell primarily on Ukrainian critical infrastructure, including banks, government ministries, energy firms and the radiation monitoring system at the Chernobyl nuclear plant, but it also spread globally to multinational corporations such as Maersk, Merck and FedEx. The attack inflicted billions of dollars in damages through operational disruption and permanent data loss. Multiple governments and cybersecurity firms attributed it to Sandworm, a group linked to Russian military intelligence, which used the intrusion to destabilize Ukraine amid ongoing geopolitical tensions. Although a ransom was demanded, paying it could not recover data: the "installation key" displayed to victims was random data from which no decryption key could be derived.

CIA Posture: available to members
Motives: 3 motives
Tactics, Techniques & Procedures: 2 techniques
Threat Actors: 2 actors
Type: available to members
Location: available to members

Description

The 2017 Ukraine ransomware attacks began on June 27 with a modified variant of the Petya malware, later termed NotPetya (also Nyetya), distributed through the compromised update mechanism of the widely used Ukrainian tax accounting software M.E.Doc. Developed by Intellect Service, M.E.Doc served approximately 400,000 Ukrainian businesses, about 90% of domestic firms, and its update server pushed the malicious payload to an estimated 1 million computers. Security analysts determined that the attackers had compromised M.E.Doc's update infrastructure as early as April or May 2017, embedding a backdoor in the software that was later used to deploy NotPetya. Inside a network the malware spread on its own: it exploited the SMBv1 vulnerability behind EternalBlue (CVE-2017-0144, fixed by MS17-010 in March 2017 and previously leveraged by WannaCry) on unpatched Windows systems, and it used Mimikatz-style techniques to harvest credentials from memory and reuse them to move laterally, which let it reach hosts that were already patched. NotPetya's primary function was destructive: it encrypted user files, replaced the master boot record with its own bootloader and encrypted the master file table with a key that could not be recovered from the "installation key" shown to victims, so the $300 Bitcoin ransom demand could not lead to recovery. The attack was launched on June 27, the day before Ukraine's Constitution Day holiday, maximizing disruption while government offices were lightly staffed.
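The propagation pattern described above (one host exploiting SMB on many peers, then a single harvested credential being replayed as network logons) is what a defender can hunt for in flow and authentication telemetry. The following is an added example, not code from the page, from Sandworm tooling or from M.E.Doc; the record format and every sample event in it are constructed for illustration, and the thresholds are assumptions to be tuned per environment.

```python
"""Hunting heuristic for worm-style SMB fan-out followed by credential replay.

Modelled on the NotPetya behaviour described above. The event schema, the
sample events and the thresholds are all constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: patient zero (10.0.0.5) fans out over TCP/445
# to six peers, then one harvested admin credential is replayed as network
# (type 3) logons on four of them. 10.0.0.20 is benign file-server traffic.
SAMPLE_EVENTS = [
    {"ts": "2017-06-27T10:30:01", "type": "netflow", "src": "10.0.0.5", "dst": "10.0.0.11", "dport": 445},
    {"ts": "2017-06-27T10:30:02", "type": "netflow", "src": "10.0.0.5", "dst": "10.0.0.12", "dport": 445},
    {"ts": "2017-06-27T10:30:02", "type": "netflow", "src": "10.0.0.5", "dst": "10.0.0.13", "dport": 445},
    {"ts": "2017-06-27T10:30:03", "type": "netflow", "src": "10.0.0.5", "dst": "10.0.0.14", "dport": 445},
    {"ts": "2017-06-27T10:30:04", "type": "netflow", "src": "10.0.0.5", "dst": "10.0.0.15", "dport": 445},
    {"ts": "2017-06-27T10:30:06", "type": "netflow", "src": "10.0.0.5", "dst": "10.0.0.16", "dport": 445},
    {"ts": "2017-06-27T10:30:06", "type": "netflow", "src": "10.0.0.20", "dst": "10.0.0.2", "dport": 445},
    {"ts": "2017-06-27T10:31:00", "type": "logon", "src": "10.0.0.5", "dst": "10.0.0.11", "user": "CORP\\svc_admin", "logon_type": 3},
    {"ts": "2017-06-27T10:31:02", "type": "logon", "src": "10.0.0.5", "dst": "10.0.0.12", "user": "CORP\\svc_admin", "logon_type": 3},
    {"ts": "2017-06-27T10:31:04", "type": "logon", "src": "10.0.0.5", "dst": "10.0.0.13", "user": "CORP\\svc_admin", "logon_type": 3},
    {"ts": "2017-06-27T10:31:05", "type": "logon", "src": "10.0.0.5", "dst": "10.0.0.14", "user": "CORP\\svc_admin", "logon_type": 3},
    {"ts": "2017-06-27T10:45:00", "type": "logon", "src": "10.0.0.20", "dst": "10.0.0.2", "user": "CORP\\alice", "logon_type": 3},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def smb_fanout(events, min_targets=5, window=timedelta(minutes=2)):
    """Return {src: sorted distinct dsts} for sources that reach at least
    min_targets distinct hosts on TCP/445 inside a sliding time window.
    The largest qualifying target set per source is reported."""
    by_src = defaultdict(list)
    for e in events:
        if e["type"] == "netflow" and e["dport"] == 445:
            by_src[e["src"]].append((_parse(e["ts"]), e["dst"]))
    hits = {}
    for src, conns in by_src.items():
        conns.sort()
        lo = 0
        for hi in range(len(conns)):
            # advance the left edge until the window fits
            while conns[hi][0] - conns[lo][0] > window:
                lo += 1
            targets = {dst for _, dst in conns[lo:hi + 1]}
            if len(targets) >= min_targets and len(targets) > len(hits.get(src, ())):
                hits[src] = sorted(targets)
    return hits


def credential_replay(events, min_hosts=3):
    """Return {(src, user): sorted hosts} where one account performs network
    (logon type 3) logons from a single source to at least min_hosts distinct
    hosts: the signature of a harvested credential replayed for lateral movement."""
    seen = defaultdict(set)
    for e in events:
        if e["type"] == "logon" and e.get("logon_type") == 3:
            seen[(e["src"], e["user"])].add(e["dst"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_hosts}


def hunt(events):
    """Correlate both heuristics: a host that both fans out over SMB and
    replays a credential is reported as a likely propagation source."""
    fanout = smb_fanout(events)
    replay = credential_replay(events)
    suspects = {src for (src, _user) in replay} & set(fanout)
    return {"smb_fanout": fanout, "credential_replay": replay, "suspects": sorted(suspects)}


if __name__ == "__main__":
    from pprint import pprint
    pprint(hunt(SAMPLE_EVENTS))
```

Each heuristic on its own is noisy (a vulnerability scanner fans out over 445; a backup account logs on everywhere), which is why `hunt` only names a suspect when the same source shows both behaviours in the data. In a real deployment the window and thresholds would be set from a baseline of normal SMB and authentication activity.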


Ukraine suffered the most severe impact, with an estimated 80% of all infections, many of them in critical infrastructure: banks (Oschadbank, Ukrsotsbank), ministries, the energy firm DTEK, transportation operators (Ukrainian Railways, Kyiv Metro) and the radiation monitoring system at the Chernobyl Nuclear Power Plant. Global organizations with Ukrainian operations or network connections suffered collateral damage, including Maersk, Merck & Co., FedEx's TNT Express, Reckitt Benckiser and Saint-Gobain, with cumulative losses estimated at more than $10 billion. Ukrainian authorities, working with cybersecurity firms, contained the spread by June 28. On July 4, police raided Intellect Service's offices and seized its servers to prevent further attacks through residual backdoors. Attribution work by Ukraine's Security Service (SBU) and firms such as ESET linked the attack to the TeleBots group, an offshoot of the BlackEnergy actors behind earlier disruptions of the Ukrainian power grid. The SBU asserted Russian state involvement, citing similarities in tactics and infrastructure, and in February 2018 the U.S. and UK governments formally attributed NotPetya to Russia's GRU, characterizing it as a state-sponsored attack masquerading as criminal ransomware. Intellect Service faced potential criminal liability for negligence, having ignored earlier security warnings about its vulnerable update infrastructure.

Sources
1 source (available to members)