Open main menu
Date 27-28 June 2017
Suspected actor Russian Federation (official attribution statements made by Ukraine,[1] US and UK[2])
Victims Ukrainian public and private sector (80% of affected systems);[3] multinational companies (Maersk, Merck, FedEx, Saint-Gobain and others)
Target systems Microsoft Windows-based systems
Method The NotPetya malware was spread by a centralised update to the MeDoc tax accounting software used by many Ukrainian businesses.[4] The malware was using the EternalBlue exploit,[5] possibly developed by the NSA, leaked by a hacker group calling itself the Shadow Brokers, and repurposed by the GRU.[6] It acted as a ransomware, encrypting the target computers’ hard drives and demanding ransom in bitcoin. It was only supposed to spread through internal networks, probably to make it more targeted; however, the transnational companies which had their offices in Ukraine had their internal networks infected globally.[7]
Purpose Primarily causing economic loss to Ukrainian entities by irreversibly encrypting their data;[8] the financial gain for the actor was most likely a cover-up (the ransom collection was too simplistic compared to the other parts of the operation and only about USD 10,000 of ransom were collected by 4 July 2017).[9]
Result Estimated global economic losses exceeding USD 10 billion;[10] radiation monitoring system at Ukraine’s Chernobyl Nuclear Power Plant went offline.[11]
Aftermath The campaign was followed by an extensive public attribution to Russia, which denied all allegations. No further publicly known measures were taken by the victims against Russia.
Analysed in Scenario 04: A State’s failure to assist an international organization
Scenario 07: Leak of State-developed hacking tools

Collected by: Tomáš Minárik