The most destructive cyberattack in history, a Russian GRU wiper disguised as ransomware that caused $10 billion in global damages through a Ukrainian software supply chain.
On June 27, 2017, a devastating cyberattack disguised as ransomware struck organizations worldwide, causing an estimated $10 billion in damages, making it the most destructive cyberattack in history. Initially mistaken for a variant of the Petya ransomware, NotPetya was shown by later analysis to be a wiper designed to destroy data while masquerading as ransomware. The attack was attributed to the Russian military intelligence agency GRU (Sandworm team) and primarily targeted Ukraine, where it was timed to coincide with Ukrainian Constitution Day.
NotPetya spread globally after infecting the update servers of M.E.Doc, a Ukrainian tax-accounting package used by virtually every company doing business in Ukraine, including multinational corporations.
NotPetya's initial infection vector was a compromised update to the M.E.Doc software, a supply chain attack that delivered the malware directly to approximately 1 million Ukrainian computers. Once inside a network, NotPetya spread using multiple mechanisms: the EternalBlue and EternalRomance SMB exploits (the same exploits WannaCry used), Windows Management Instrumentation (WMI) remote execution, and PsExec with credentials harvested by a modified Mimikatz tool embedded in the malware.
The credential harvesting made NotPetya far more effective than WannaCry in fully patched environments. Even systems with the EternalBlue patch were vulnerable if the malware could extract administrator credentials from any machine on the network. NotPetya overwrote the master boot record (MBR) and encrypted the master file table (MFT) using a modified version of Petya's code. Critically, the encryption was irreversible: the installation ID displayed to victims was randomly generated and not linked to any decryption key, confirming NotPetya's true purpose was destruction rather than extortion.
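The defensive lesson of the two paragraphs above is that patching SMB alone does not stop a worm that also moves with stolen administrator credentials, so detection has to cover the PsExec and WMI routes as well as SMB fan-out. The script below is an added illustration, not code from the original article or from any incident response team: it runs three simple detections, one per spread mechanism described above, over a constructed set of simplified Windows telemetry records. The host names, the event shape, the `update.dll` command line and the threshold of five distinct SMB targets within 60 seconds are all assumptions chosen for the example; `PSEXESVC` is the service name the real PsExec tool installs, and `WmiPrvSE.exe` is the WMI provider host process that parents WMI-launched processes.

```python
"""Detect NotPetya-style lateral movement in simplified Windows telemetry.

Added example: the SAMPLE_EVENTS below are constructed, not real incident data.
Three heuristics map to the spread mechanisms in the article:
  1. one host opening SMB (445) connections to many peers in a short window
  2. a PsExec-style remote service (PSEXESVC) being installed on a host
  3. a process launched by the WMI provider host (WmiPrvSE.exe)
"""
from collections import defaultdict

SMB_PORT = 445
FANOUT_THRESHOLD = 5        # assumed tuning value: distinct SMB targets before alerting
FANOUT_WINDOW_SECONDS = 60  # assumed tuning value: window the targets must fall in

# Constructed sample events in a Sysmon-like shape (ts = seconds since an epoch).
SAMPLE_EVENTS = [
    {"ts": 100, "event": "net_conn", "host": "WS-17", "dst": "WS-01", "dport": 445},
    {"ts": 101, "event": "net_conn", "host": "WS-17", "dst": "WS-02", "dport": 445},
    {"ts": 102, "event": "net_conn", "host": "WS-17", "dst": "WS-03", "dport": 445},
    {"ts": 103, "event": "net_conn", "host": "WS-17", "dst": "WS-04", "dport": 445},
    {"ts": 104, "event": "net_conn", "host": "WS-17", "dst": "WS-05", "dport": 445},
    {"ts": 105, "event": "net_conn", "host": "WS-17", "dst": "WS-06", "dport": 445},
    {"ts": 106, "event": "net_conn", "host": "FS-01", "dst": "WS-17", "dport": 445},  # benign
    {"ts": 120, "event": "service_install", "host": "WS-03", "service": "PSEXESVC",
     "image": "C:\\Windows\\PSEXESVC.exe"},
    {"ts": 121, "event": "service_install", "host": "WS-09", "service": "Spooler",
     "image": "C:\\Windows\\System32\\spoolsv.exe"},  # benign
    {"ts": 130, "event": "proc_create", "host": "WS-04", "parent": "WmiPrvSE.exe",
     "image": "rundll32.exe", "cmdline": "rundll32.exe C:\\Windows\\update.dll,#1"},  # constructed
    {"ts": 131, "event": "proc_create", "host": "WS-05", "parent": "explorer.exe",
     "image": "notepad.exe", "cmdline": "notepad.exe"},  # benign
]


def smb_fanout_sources(events, threshold=FANOUT_THRESHOLD, window=FANOUT_WINDOW_SECONDS):
    """Return {source_host: max_distinct_targets} for hosts that connected to at
    least `threshold` distinct SMB peers inside any `window`-second span."""
    per_src = defaultdict(list)
    for e in events:
        if e["event"] == "net_conn" and e["dport"] == SMB_PORT:
            per_src[e["host"]].append((e["ts"], e["dst"]))
    hits = {}
    for src, conns in per_src.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):
            targets = {dst for ts, dst in conns[i:] if ts - t0 <= window}
            if len(targets) >= threshold:
                hits[src] = max(hits.get(src, 0), len(targets))
    return hits


def remote_service_installs(events, service_names=("PSEXESVC",)):
    """(host, service) pairs where a PsExec-style remote execution service appeared."""
    return [(e["host"], e["service"]) for e in events
            if e["event"] == "service_install" and e["service"].upper() in service_names]


def wmi_spawned_processes(events):
    """(host, image) pairs for processes whose parent is the WMI provider host."""
    return [(e["host"], e["image"]) for e in events
            if e["event"] == "proc_create" and e["parent"].lower() == "wmiprvse.exe"]


def detect(events):
    """Run all three heuristics and return a flat list of alert dicts."""
    alerts = []
    for src, n in smb_fanout_sources(events).items():
        alerts.append({"rule": "smb_fanout", "host": src, "detail": f"{n} distinct SMB targets"})
    for host, svc in remote_service_installs(events):
        alerts.append({"rule": "psexec_service", "host": host, "detail": svc})
    for host, image in wmi_spawned_processes(events):
        alerts.append({"rule": "wmi_exec", "host": host, "detail": image})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed sample, the script raises one alert per mechanism: WS-17 for SMB fan-out, WS-03 for the PSEXESVC install and WS-04 for the WMI-launched rundll32. The benign file-server connection, the Spooler service and the explorer-launched notepad produce nothing. In a real environment the same three signals correspond to Sysmon network-connection, service-install and process-creation events, and the fan-out threshold needs tuning against the normal SMB behaviour of servers and management hosts.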
NotPetya caused unprecedented commercial damage. Maersk lost access to all 49,000 endpoints and rebuilt its entire IT infrastructure in 10 days, describing the recovery as replacing every component simultaneously. FedEx subsidiary TNT Express suffered $400 million in damages. Merck reported $870 million in losses. The attack demonstrated that cyber operations targeting one nation can cause massive collateral damage globally through interconnected supply chains and proved that the line between cybercrime and cyberwarfare had permanently blurred.
Written by CDA Editorial