Cyber Incident Victim: Maksymum Radio

Date:

Jun 2017

Location:

Ukraine

Summary

A cyberattack utilizing modified Petya malware, dubbed NotPetya, targeted Ukrainian organizations through a compromised update mechanism of widely used tax accounting software, causing widespread disruption to financial institutions, government ministries, critical infrastructure, and media outlets. The malware propagated globally via EternalBlue and credential theft exploits, permanently damaging systems under the guise of ransomware while primarily aiming to disrupt Ukrainian operations. Attribution investigations by multiple governments and security firms identified Russian military actors as responsible, with collateral damage impacting multinational corporations and estimated costs exceeding $10 billion. Ukrainian authorities halted the attack within days but faced ongoing risks from residual backdoors in the compromised software supply chain.

Description

The 2017 Ukraine ransomware attacks began on June 27 with the distribution of NotPetya malware through a compromised update mechanism of M.E.Doc, a widely used Ukrainian tax accounting software. M.E.Doc’s update server pushed malicious code to approximately 1 million computers, leveraging the software’s near-universal adoption among domestic firms. The malware exploited the EternalBlue vulnerability in unpatched Windows systems and used Mimikatz to harvest credentials, enabling lateral movement across networks. Within hours, critical Ukrainian infrastructure was disrupted, including radiation monitoring systems at Chernobyl, government ministries, banks like Oshchadbank and State Savings Bank, transportation networks such as Ukrainian Railways and Kyiv Metro, and energy companies like Ukrtelecom. The malware encrypted Master File Tables and overwrote files irreversibly while displaying fake ransom demands for $300 in Bitcoin. Ukrainian authorities halted the attack’s spread by June 28 through coordinated cybersecurity efforts, though data recovery proved impossible for many victims due to the malware’s destructive design.

The incident’s global impact emerged as multinational corporations with Ukrainian operations—including Merck, Maersk, Reckitt Benckiser, and Saint-Gobain—experienced cascading disruptions, with total damages exceeding $10 billion. Forensic analysis revealed the attackers had compromised M.E.Doc’s servers as early as April 2017, implanting backdoors for sustained access. Ukrainian law enforcement raided M.E.Doc’s offices on July 4, seizing servers to prevent further attacks. The Security Service of Ukraine attributed the operation to Russian military intelligence (GRU), citing similarities to prior cyberattacks by TeleBots and BlackEnergy groups targeting Ukrainian infrastructure. International corroboration followed, with the US CIA and UK Ministry of Defence formally blaming Russia in 2018. Despite Russian denials, evidence indicated the attack deliberately targeted Ukraine during its Constitution Day holiday, crippling state functions while masquerading as financially motivated ransomware.
