
Cyber Incident Victim: Ukrtelecom (Укртелеком)

Date:

Jun 2017

Location:

Ukraine

Summary

The Ukrainian telecommunications provider Ukrtelecom was disrupted by the NotPetya attack of June 2017, malware that presented itself as ransomware but was built to inflict systemic damage. It was delivered through a compromised update mechanism in a widely used Ukrainian accounting package and then spread inside networks by exploiting an SMB vulnerability on unpatched Windows hosts and by reusing credentials harvested from memory, encrypting disks as it went. The incident hit critical infrastructure sectors including finance, transportation and energy, temporarily took the automated radiation monitoring system at the Chernobyl plant offline, and disrupted corporate and government operations. The attack was part of a broader campaign against Ukrainian entities but also caused substantial international collateral damage. Ukrainian authorities reported the attack contained within days, with cybersecurity specialists focusing on data recovery while maintaining essential services.


Description

The attack on Ukrtelecom and other Ukrainian entities began on June 27, 2017 and originated from the compromised update mechanism of M.E.Doc, a tax accounting package used by a large majority of Ukrainian businesses (figures of around 90% are commonly cited). Having gained control of M.E.Doc's update servers, the attackers pushed a trojanised update that delivered a modified variant of the Petya ransomware, later termed NotPetya. Inside a network it spread in two ways: by exploiting the SMBv1 vulnerability fixed in MS17-010 (the EternalBlue exploit, together with the related EternalRomance) on unpatched Windows hosts, and by harvesting credentials from memory with a Mimikatz-derived tool and reusing them through PsExec and WMI to execute on other machines, which is why fully patched hosts were infected as well. The payload overwrote the boot record and encrypted the master file table, leaving systems unbootable, and the "installation key" displayed in the ransom note was random data rather than a usable key, so the Bitcoin ransom demand could not lead to recovery; in effect the malware was a wiper dressed as ransomware. Ukrtelecom, alongside critical infrastructure operators such as Boryspil International Airport, Ukrainian Railways, and the Chernobyl Nuclear Power Plant's radiation monitoring system, experienced operational disruptions. The outbreak began on the eve of Ukraine's Constitution Day (June 28), when reduced staffing would have slowed detection and response. Ukrainian authorities confirmed that over 1,500 entities reported infections, and ESET estimated that roughly 80% of global infections occurred within Ukraine.
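A detection sketch for the lateral-movement pattern described above, added here as an illustration; it is not drawn from the page's sources or from any Ukrtelecom telemetry. The log line format, host names, account names and thresholds are constructed for the example, while the indicators themselves (a PSEXESVC service install, a PsExec copy named dllhost.dat, wmic.exe driven with /node: ... process call create, and one harvested account logging on to many hosts over SMB in quick succession) follow public analyses of NotPetya.

```python
"""Flag NotPetya-style lateral movement in Windows Security/System events.

Added illustration: the records, host names, account names and the
'ts|host|event_id|k=v;k=v' line format are constructed for this example,
not captured from Ukrtelecom or any real host. The indicators follow
public analyses of NotPetya (PsExec copied as dllhost.dat and installing
the PSEXESVC service, wmic.exe /node: ... process call create, and one
harvested account logging on to many hosts over SMB in quick succession).
"""
from collections import defaultdict
from datetime import datetime, timedelta

REMOTE_SVC_NAMES = {"psexesvc"}        # service PsExec installs on the target
REMOTE_SVC_IMAGES = ("dllhost.dat",)   # file name NotPetya used for its PsExec copy
FANOUT_HOSTS = 3                       # distinct targets per account ...
FANOUT_WINDOW = timedelta(minutes=5)   # ... within this window (assumed threshold)


def parse(line):
    """Parse one constructed 'ts|host|event_id|k=v;k=v' record into a dict."""
    ts, host, eid, rest = line.split("|", 3)
    fields = dict(kv.split("=", 1) for kv in rest.split(";") if kv)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "event_id": int(eid), **fields}


def detect(lines):
    """Return (rule, where, detail) alerts for the three lateral-movement patterns."""
    alerts = []
    logons = defaultdict(list)  # account -> [(time, host logged on to)]
    for ev in map(parse, lines):
        eid = ev["event_id"]
        if eid == 7045:  # System log: a new service was installed
            name = ev.get("ServiceName", "").lower()
            image = ev.get("ImagePath", "").lower()
            if name in REMOTE_SVC_NAMES or image.endswith(REMOTE_SVC_IMAGES):
                alerts.append(("remote_exec_service", ev["host"], name or image))
        elif eid == 4688:  # Security log: a new process was created
            cmd = ev.get("CommandLine", "").lower()
            if "wmic" in cmd and "/node:" in cmd and "process call create" in cmd:
                alerts.append(("remote_wmi_exec", ev["host"], cmd))
        elif eid == 4624 and ev.get("LogonType") == "3":  # network (SMB) logon
            logons[ev.get("TargetUserName", "").lower()].append((ev["ts"], ev["host"]))

    # Credential fan-out: one account reaching FANOUT_HOSTS distinct hosts
    # within FANOUT_WINDOW is how a harvested credential spreads the worm.
    for acct, hits in logons.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if t - t0 <= FANOUT_WINDOW}
            if len(hosts) >= FANOUT_HOSTS:
                alerts.append(("credential_fanout", acct, sorted(hosts)))
                break
    return alerts


# Constructed sample: svc_backup fans out over three workstations, PsExec lands on
# ws-02, WMIC is driven from ws-01; alice's two logons and the Defender service are benign.
SAMPLE = [
    "2017-06-27T11:02:10|ws-01|4624|TargetUserName=svc_backup;LogonType=3",
    "2017-06-27T11:02:12|ws-02|4624|TargetUserName=svc_backup;LogonType=3",
    "2017-06-27T11:02:15|ws-03|4624|TargetUserName=svc_backup;LogonType=3",
    "2017-06-27T11:02:16|ws-02|7045|ServiceName=PSEXESVC;ImagePath=C:\\Windows\\dllhost.dat",
    '2017-06-27T11:02:20|ws-01|4688|CommandLine=wmic.exe /node:"ws-04" /user:"corp\\svc_backup" '
    'process call create "rundll32.exe C:\\Windows\\perfc.dat #1"',
    "2017-06-27T11:30:00|ws-05|4624|TargetUserName=alice;LogonType=3",
    "2017-06-27T11:45:00|ws-06|4624|TargetUserName=alice;LogonType=3",
    "2017-06-27T12:00:00|ws-01|7045|ServiceName=WinDefend;ImagePath=C:\\Windows\\System32\\svchost.exe",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(*alert)
```

The fan-out rule is the one that catches credential reuse even when PsExec and WMIC are renamed or replaced, because it keys on the logon pattern rather than on tool names; the two indicator rules are cheap to evaluate but are tied to the specific tooling NotPetya shipped, so treat the thresholds and names as starting points to tune against the environment's own baseline.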


The Ukrainian government announced on June 28 that the attack had been contained, though data recovery efforts continued. Subsequent forensic analysis showed that the attackers had compromised M.E.Doc's update infrastructure well before the outbreak, with backdoored updates traced back to April and May 2017; on July 4 Ukrainian police raided M.E.Doc's offices and seized its servers to prevent further malicious updates. The Security Service of Ukraine (SBU) attributed the operation to Russian military intelligence (GRU), citing similarities to earlier campaigns against Ukraine's energy and financial sectors such as the BlackEnergy attack on the power grid in December 2015 and the TeleBots operations of 2016. Globally, the malware affected multinational corporations including Maersk, Merck, and Reckitt Benckiser, with total damages estimated at more than $10 billion. The U.S. government (following a CIA assessment) and the UK government later formally attributed the attack to the Russian military, characterising it as state-sponsored sabotage against Ukrainian infrastructure under the guise of ransomware. Reported losses included about $870 million at Merck and $400 million at FedEx's TNT Express division, while Ukrainian entities bore the brunt of the operational disruption.
