
NotPetya Cyberattack

In June 2017, a cyberattack known as NotPetya swept across global networks, initially targeting Ukrainian organisations before spreading worldwide. Masquerading as ransomware, NotPetya was a wiper, designed not to extort money but to destroy data and cripple systems. It caused an estimated $10 billion in damages, making it the most economically damaging cyberattack in history at the time. The attack was attributed by multiple Western governments to the Russian military intelligence agency (GRU) and is considered a landmark example of state-sponsored destructive cyber operations used as a tool of hybrid warfare.
Incident:
NotPetya was distributed primarily through a trojanised update to M.E.Doc, a widely used Ukrainian accounting package required for tax compliance; the vendor's update mechanism had been compromised, so the initial infection arrived through a trusted software channel rather than through phishing or an exposed service. Once running, it spread across networks over SMB (Server Message Block) using the EternalBlue and EternalRomance exploits, which target SMBv1 vulnerabilities that Microsoft had patched in MS17-010 in March 2017, three months before the attack. It also carried a credential harvester derived from Mimikatz to extract administrator credentials from memory, and used those credentials with the legitimate PsExec and WMI administration tools to execute itself on other machines. That second path meant fully patched systems could still be infected from a single compromised host holding privileged credentials. Unlike genuine ransomware, the damage was irreversible by design: the "installation key" shown in the ransom note was random data unrelated to the encryption key, so no decryptor could have been produced even if a victim paid. The attack spread beyond Ukraine within hours, infecting multinational companies with Ukrainian operations and then propagating through their global IT infrastructure.
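The propagation pattern described above (credential theft on one host followed by a burst of SMB sessions to many peers) is something a defender can look for in ordinary network and endpoint telemetry. The following is an added example, not code from the original page and not derived from any NotPetya sample: it runs over a small constructed log set, flags any internal host that opens SMB sessions to an unusual number of distinct internal hosts within a short window, and raises the severity when the same host accessed LSASS shortly beforehand. The log format, the `lsass_access` event name and the thresholds are assumptions chosen for the illustration.

```python
"""Flag worm-style SMB fan-out in constructed flow and endpoint logs."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress

# Constructed sample telemetry (not real logs). One record per line:
# "<ISO timestamp> <src ip> <dst ip|-> <dst port|-> <event>".
# 10.1.5.23 plays a freshly infected host: it reads LSASS memory and then
# opens SMB sessions to twelve peers within twelve seconds.
# 10.1.5.40 is a normal workstation repeatedly talking to one file server,
# and 10.1.5.41 touches two servers, which is ordinary behaviour.
SAMPLE_LOGS = "\n".join(
    ["2017-06-27T10:29:50Z 10.1.5.23 - - lsass_access"]
    + [f"2017-06-27T10:30:{i:02d}Z 10.1.5.23 10.1.5.{100 + i} 445 smb_session"
       for i in range(12)]
    + [f"2017-06-27T10:30:{i:02d}Z 10.1.5.40 10.1.0.5 445 smb_session"
       for i in range(0, 60, 5)]
    + ["2017-06-27T10:31:00Z 10.1.5.41 10.1.0.5 445 smb_session",
       "2017-06-27T10:31:05Z 10.1.5.41 10.1.0.6 445 smb_session"]
)


def parse_logs(text):
    """Parse the assumed log format into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, kind = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "src": src,
            "dst": None if dst == "-" else dst,
            "dport": None if dport == "-" else int(dport),
            "event": kind,
        })
    return sorted(events, key=lambda e: e["ts"])


def find_smb_fanout(events, threshold=10, window=timedelta(minutes=5)):
    """Return {src: (window_start, distinct_targets)} for every source that
    opened SMB (tcp/445) sessions to at least `threshold` distinct internal
    hosts inside any sliding `window`. Repeated sessions to the same server
    do not count, so a busy file-server client is not flagged."""
    by_src = defaultdict(list)
    for e in events:
        if e["dport"] == 445 and e["dst"] and ipaddress.ip_address(e["dst"]).is_private:
            by_src[e["src"]].append((e["ts"], e["dst"]))
    hits = {}
    for src, conns in by_src.items():
        conns.sort()
        in_window = defaultdict(int)  # dst -> sessions currently inside the window
        left, best, best_start = 0, 0, None
        for ts, dst in conns:
            in_window[dst] += 1
            # Slide the left edge forward until every retained session is within the window.
            while conns[left][0] < ts - window:
                old = conns[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) > best:
                best, best_start = len(in_window), conns[left][0]
        if best >= threshold:
            hits[src] = (best_start, best)
    return hits


def correlate(events, hits, lookback=timedelta(minutes=10)):
    """Attach a severity to each fan-out source: 'critical' if the same host
    produced an lsass_access event within `lookback` before the burst, which
    matches credential theft followed by credential-based lateral movement."""
    findings = []
    for src, (start, n) in sorted(hits.items()):
        dumped = any(e["src"] == src and e["event"] == "lsass_access"
                     and start - lookback <= e["ts"] <= start for e in events)
        findings.append({"host": src, "targets": n, "credential_theft": dumped,
                         "severity": "critical" if dumped else "high"})
    return findings


if __name__ == "__main__":
    parsed = parse_logs(SAMPLE_LOGS)
    for finding in correlate(parsed, find_smb_fanout(parsed)):
        print(finding)
```

The threshold and window are the tuning knobs: on a real network they should be set from a baseline of how many distinct SMB peers a workstation normally contacts, and the `lsass_access` signal would come from an EDR or Sysmon-style process-access event rather than the flat format assumed here.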
Impact:
The impact of NotPetya was catastrophic and global. Shipping giant Maersk lost an estimated $300 million, having to reinstall approximately 45,000 PCs and 4,000 servers. Pharmaceutical company Merck suffered losses of around $870 million. FedEx subsidiary TNT Express lost roughly $400 million and took months to recover. Ukrainian infrastructure was devastated: government agencies, banks, energy companies, airports, and the Chernobyl radiation monitoring system were all affected. The attack showed how deeply interconnected global supply chains are, and how destructive malware can spread far beyond its intended targets.
Attribution:
The United States, United Kingdom, European Union, Australia, Canada, and New Zealand attributed NotPetya to Sandworm, the advanced persistent threat (APT) group operated by GRU Unit 74455. In October 2020 the US Department of Justice indicted six GRU officers from that unit in connection with the attack and other Sandworm operations. Russia denied involvement. The targeting of Ukrainian infrastructure during an active conflict (the Donbas war) was assessed as consistent with Russian strategic interests in destabilising Ukraine.
Lessons:
NotPetya exposed the fragility of interconnected global supply chains and the reach of software supply chain attacks: the initial vector was a legitimate, trusted update channel, which no amount of perimeter filtering would have blocked. Organisations with even minor Ukrainian operations found their entire global networks compromised because flat networks and shared administrative credentials let a single infected host reach everything else. The incident demonstrated that critical infrastructure, multinational corporations, and state systems can all be collateral victims of geopolitically motivated cyberattacks. It reinforced the need for rigorous patch management (the MS17-010 fix had been available for three months), network segmentation that limits SMB reachability between workstations, credential hygiene that keeps domain administrator credentials off ordinary endpoints, offline and tested backups, and scrutiny of the integrity of third-party software updates.