Cyber Incident Victim: Novus
Date: Jun 2017
Location: Ukraine
Summary
A cyberattack initially masquerading as ransomware targeted Ukrainian entities through the compromised update mechanism of widely used accounting software, causing widespread disruption to critical infrastructure, financial institutions, and government systems. The malware used the EternalBlue exploit and Mimikatz credential harvesting to propagate across networks, irreversibly damaging systems regardless of whether the ransom was paid. While Ukraine suffered the majority of infections, collateral impacts affected multinational corporations globally, with estimated damages exceeding $10 billion. Attribution investigations by multiple governments and cybersecurity firms identified Russian military involvement, characterizing the incident as a state-sponsored attack aimed at destabilization rather than financial gain.
Description
The 2017 Ukraine ransomware attacks began on June 27 when a modified version of Petya malware, later termed NotPetya, propagated through a compromised update mechanism of the M.E.Doc tax accounting software developed by Intellect Service. This Ukrainian tax preparation package, installed on approximately 1 million computers nationwide and used by 90% of domestic firms, served as the primary infection vector after attackers compromised its update server. The malware exploited the EternalBlue vulnerability in unpatched Windows systems and leveraged Mimikatz to harvest credentials from memory, enabling lateral movement across networks. Upon execution, NotPetya encrypted Master File Tables and overwrote files irreversibly, masquerading as ransomware while rendering data unrecoverable despite ransom demands of $300 in Bitcoin. Initial infections crippled Ukrainian critical infrastructure, including the radiation monitoring system at Chernobyl Nuclear Power Plant, ministries, banks (Oshchadbank, State Savings Bank), utilities (Ukrtelecom), transportation networks (Kyiv Metro, Ukrainian Railways), and media outlets. The Ukrainian government declared the attack contained on June 28, though subsequent analysis revealed a backdoor installed on M.E.Doc’s servers as early as April 2017, prompting a July 4 police raid to seize compromised infrastructure.

Global entities with Ukrainian operations suffered collateral damage, including shipping firms Maersk and TNT Express, pharmaceutical company Merck & Co., law firm DLA Piper, and consumer goods manufacturer Reckitt Benckiser, which reported $130 million in lost sales. Total damages exceeded $10 billion, with Merck incurring $870 million in losses and FedEx $400 million. Ukrainian authorities attributed the attack to Russian military intelligence (GRU), citing similarities to prior cyber operations by the TeleBots and BlackEnergy groups, which had targeted Ukraine’s energy and financial sectors since 2014. The U.S. White House and UK Ministry of Defence formally accused Russia in 2018, characterizing the incident as a state-sponsored attack disguised as criminal ransomware. Russia denied involvement, despite security researchers identifying Sandworm, a hacking group linked to the GRU, as responsible for infiltrating M.E.Doc’s systems. Ukrainian officials described the timing, the day before Constitution Day, as strategic: it exploited reduced staffing to maximize disruption, and they characterized the event as part of an ongoing hybrid conflict following Russia’s 2014 annexation of Crimea.
