
Cyber Incident Victim: KP in Ukraine

Date:

Jun 2017

Location:

Ukraine

Summary

A cyberattack initially disguised as ransomware targeted Ukrainian infrastructure through a compromised update mechanism in widely used tax accounting software, causing widespread disruption to financial, energy, government, and transportation systems. The malware, identified as a destructive variant of Petya called NotPetya, leveraged EternalBlue exploits and credential theft tools to propagate across networks, permanently damaging files despite ransom demands. While primarily affecting Ukrainian entities, the attack spread globally, impacting multinational corporations and causing billions in damages. Ukrainian authorities and international intelligence agencies attributed the operation to Russian military hackers, citing prior patterns of cyber aggression and forensic evidence linking the attack to known Russian threat actors, though Russia denied involvement.

CIA Posture: Available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 2 actors
Type: Available to members
Location: Available to members

Description

The 2017 Ukraine ransomware attacks began on June 27, 2017, when a modified version of the Petya malware, later renamed NotPetya, infected systems through a compromised update mechanism of the Ukrainian tax accounting software MeDoc (M.E.Doc). Developed by Intellect Service and used by approximately 90% of Ukrainian domestic firms, MeDoc's automatic update server delivered the malicious payload to an estimated 1 million computers. Security analysts determined the attackers had compromised MeDoc's update infrastructure as early as April or May 2017, with evidence of backdoor access installed during this period. NotPetya utilized the EternalBlue exploit—a vulnerability in older Windows operating systems that Microsoft had patched in March 2017—combined with a Mimikatz variant to harvest credentials and propagate across networks. The malware encrypted master file tables and overwrote critical files, displaying a ransom demand for $300 in Bitcoin while simultaneously destroying data beyond recovery. Ukrainian authorities reported halting the attack's spread by June 28, though forensic investigations revealed the malware contained no functional decryption mechanism, indicating its primary purpose was destructive disruption rather than financial extortion.
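The compromised-update vector described above, as an added example that is not the page's or any vendor's code: a minimal signed-manifest check in Go in which the update client validates each package against a pinned vendor public key and the signed SHA-256 digest of the payload, so a package swapped on the update server is rejected (assuming the signing key is kept in the release pipeline, not on that server). The manifest layout, version string and payload bytes are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a constructed update descriptor: version, hex SHA-256 of the
// payload, and an Ed25519 signature over version+digest by the vendor key.
type Manifest struct {
	Version string
	Digest  string
	Sig     []byte
}

func signedBytes(version, digest string) []byte {
	return []byte(version + "\n" + digest)
}

// SignManifest is the vendor-side step: hash the package and sign the manifest.
func SignManifest(priv ed25519.PrivateKey, version string, payload []byte) Manifest {
	d := sha256.Sum256(payload)
	digest := hex.EncodeToString(d[:])
	return Manifest{Version: version, Digest: digest,
		Sig: ed25519.Sign(priv, signedBytes(version, digest))}
}

// VerifyUpdate is the client-side check: the pinned public key must validate the
// manifest, and the downloaded bytes must match the signed digest, before unpacking.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, payload []byte) error {
	if !ed25519.Verify(pub, signedBytes(m.Version, m.Digest), m.Sig) {
		return errors.New("manifest signature invalid: not signed by pinned vendor key")
	}
	d := sha256.Sum256(payload)
	if hex.EncodeToString(d[:]) != m.Digest {
		return errors.New("payload digest mismatch: package altered after signing")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed keypair for the demo
	genuine := []byte("constructed sample update package")
	m := SignManifest(priv, "1.2.3", genuine)
	fmt.Println("genuine:", VerifyUpdate(pub, m, genuine))
	fmt.Println("swapped:", VerifyUpdate(pub, m, []byte("constructed trojaned package")))
}
```

A client that only checks a digest published by the same update server gains nothing when that server is compromised; the pinned key is what anchors trust outside the distribution channel.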

The attack caused widespread disruption across Ukrainian critical infrastructure, including the radiation monitoring system at Chernobyl Nuclear Power Plant, ministries, banks, metro systems, airports, and state-owned enterprises like Ukrtelecom and Ukrainian Railways. Over 80% of infections occurred in Ukraine, with secondary impacts reported in 64 countries affecting multinational corporations including Merck & Co., Maersk, FedEx's TNT Express, Reckitt Benckiser, and Saint-Gobain. The Security Service of Ukraine (SBU) attributed the attack to Russian military intelligence (GRU) based on similarities to prior cyber operations like the December 2016 Kyiv power grid outage and TeleBots/BlackEnergy campaigns. On July 4, Ukrainian police raided Intellect Service's offices, seizing servers to prevent further attacks through residual backdoors. Total damages exceeded $10 billion, with specific corporate losses including $870 million for Merck and $400 million for FedEx. The United States and United Kingdom formally attributed the attack to Russia in February 2018, citing its alignment with Kremlin destabilization efforts against Ukraine following the 2014 annexation of Crimea. Ukrainian officials characterized the incident as part of an ongoing "hybrid war" by Russia, while international cybersecurity firms confirmed the malware's surgical targeting of Ukrainian entities despite its uncontrolled global spread.

Sources
Sources available to members
3 sources