NotPetya: The Most Destructive Cyberattack in History
The Supply Chain Entry Point
On June 27, 2017 - just six weeks after WannaCry - a new piece of malware began spreading from Ukraine outward to the rest of the world. It looked like ransomware. It encrypted files and displayed a ransom demand. But NotPetya was something far more destructive: a wiper disguised as ransomware, delivered through a compromised software update.
The attack vector was M.E.Doc, a Ukrainian accounting software package used by approximately 80% of Ukrainian businesses for tax reporting. The software was mandatory for companies filing taxes with the Ukrainian government. This made it a high-value target - compromising M.E.Doc meant compromising virtually every business operating in Ukraine.
The attackers did not need to find vulnerabilities in thousands of different organizations. They needed to compromise one software vendor's update mechanism. That single point of leverage gave them access to every M.E.Doc customer simultaneously.
The M.E.Doc Compromise
Investigators later determined that the attackers had compromised M.E.Doc's update infrastructure months before the attack. The exact method of initial compromise is debated, but the result was clear: the attackers gained the ability to push malicious updates through M.E.Doc's legitimate update channel.
```mermaid
graph TD
    subgraph "Supply Chain Attack Vector"
        A[Attacker Compromises M.E.Doc Update Server] --> B[Malicious Update Pushed]
        B --> C[M.E.Doc Software Auto-Updates]
        C --> D[NotPetya Payload Delivered to All Customers]
        D --> E[80% of Ukrainian Businesses Infected]
        E --> F[Lateral Movement Beyond Ukraine]
    end
    subgraph "Why It Worked"
        G[Trusted Software Vendor]
        H[Mandatory for Tax Filing]
        I[Automatic Updates Enabled]
        J[Code Signing Bypassed]
    end
```
The M.E.Doc supply chain attack - one compromised vendor infected an entire country
At least three poisoned updates were pushed between April and June 2017. The final payload, delivered on June 27, contained the NotPetya wiper. Because the update came through a trusted channel and was signed with M.E.Doc's legitimate certificates, endpoint security tools did not flag it as malicious.
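The passage above makes the defensive point that a signature from the vendor's own channel proves only that the update came through that channel, not that the channel is intact. The following is an added example, not M.E.Doc's or any vendor's code, showing an update gate in which the vendor signature is one of three independent controls: the payload hash must also match a value obtained out of band, and unattended installs wait out a soak period. The vendor signature is modelled with HMAC-SHA256 under a constructed key (an assumption standing in for an Authenticode/X.509 check), and all version strings and payloads are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Assumption: HMAC-SHA256 under VENDOR_SIGNING_KEY stands in for "signed with
# the vendor's legitimate code-signing certificate". A real gate would verify
# an Authenticode/X.509 signature here; the control logic below is unchanged.
VENDOR_SIGNING_KEY = b"constructed-vendor-signing-key"


@dataclass
class Update:
    version: str
    payload: bytes
    signature: bytes


def vendor_sign(payload: bytes) -> bytes:
    """Vendor-channel signature: whoever controls the update server can produce this."""
    return hmac.new(VENDOR_SIGNING_KEY, payload, hashlib.sha256).digest()


def vendor_signature_valid(update: Update) -> bool:
    return hmac.compare_digest(vendor_sign(update.payload), update.signature)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def gate_update(update: Update, pinned_hashes: dict, age_hours: float, min_soak_hours: float = 72):
    """Decide whether an auto-update may install. Returns (allowed, reason).

    All three controls must pass:
      1. the vendor-channel signature verifies (necessary, not sufficient);
      2. the payload hash equals a pin obtained out of band for this version
         (vendor advisory page, a second site's install), so a poisoned
         release pushed through the channel alone is not enough;
      3. the release has soaked for min_soak_hours before unattended install,
         giving time for a bad release to be noticed and pulled.
    """
    if not vendor_signature_valid(update):
        return False, "vendor signature invalid"
    if pinned_hashes.get(update.version) != sha256_hex(update.payload):
        return False, "payload hash does not match out-of-band pin for this version"
    if age_hours < min_soak_hours:
        return False, f"release is {age_hours:.0f}h old; unattended install needs {min_soak_hours:.0f}h soak"
    return True, "all controls passed"


# Constructed sample data (versions and contents are invented).
GENUINE_PAYLOAD = b"accounting-update-1.0.3 (constructed, benign)"
POISONED_PAYLOAD = b"accounting-update-1.0.4 (constructed, carries an extra module)"
PINNED = {"1.0.3": sha256_hex(GENUINE_PAYLOAD)}  # hash obtained out of band

genuine = Update("1.0.3", GENUINE_PAYLOAD, vendor_sign(GENUINE_PAYLOAD))
# The attacker controls the update server, so the poisoned release is also
# correctly signed through the vendor channel and passes control 1.
poisoned = Update("1.0.4", POISONED_PAYLOAD, vendor_sign(POISONED_PAYLOAD))


def demo() -> dict:
    return {
        "genuine": gate_update(genuine, PINNED, age_hours=96),
        "genuine_too_new": gate_update(genuine, PINNED, age_hours=2),
        "poisoned": gate_update(poisoned, PINNED, age_hours=96),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name}: {'INSTALL' if ok else 'BLOCK'} ({why})")
```

The poisoned release is rejected even though its signature verifies, which is the property a compromised update server defeats when the signature is the only check. The soak window is the cheapest of the three controls and the one most organizations already have in the form of a staged rollout ring.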
Propagation Tools
Once NotPetya established a foothold via M.E.Doc, it used multiple techniques to spread laterally within networks. It employed a modified version of the EternalBlue exploit (the same SMBv1 vulnerability used by WannaCry), but it also had backup propagation methods that made it far more effective.
NotPetya included a customized version of Mimikatz, a tool that extracts plaintext passwords and credential hashes from Windows memory. After landing on a single machine, NotPetya would harvest every credential available - local administrator passwords, domain credentials, and service account passwords. It then used these credentials to authenticate to other machines via Windows Management Instrumentation (WMI) and PsExec, standard Windows administrative tools.
```mermaid
graph TD
    subgraph "NotPetya Lateral Movement"
        A[Initial Infection via M.E.Doc] --> B[Mimikatz Credential Harvest]
        B --> C[Extract Plaintext Passwords]
        B --> D[Extract NTLM Hashes]
        C --> E[Spread via WMI]
        C --> F[Spread via PsExec]
        D --> E
        D --> F
        A --> G[EternalBlue SMBv1 Exploit]
        E --> H[New Machine Infected]
        F --> H
        G --> H
        H --> B
    end
```
NotPetya lateral movement - credentials plus exploits created unstoppable propagation
This multi-vector approach meant that even fully patched systems could be compromised. If a single machine on the network had cached domain administrator credentials, NotPetya could extract those credentials and use them to authenticate to every other machine in the domain - regardless of patch status. EternalBlue was just the backup option.
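The credential-driven spread described in the two paragraphs above leaves a characteristic trail in Windows event logs: a PsExec-style service installation, processes spawned by the WMI provider host, and one account authenticating from one source to many hosts within minutes. The following is an added detection example, not code from the original page, that runs three such rules over constructed sample events. The event dictionaries, host names, account names and IP addresses are all invented; the event IDs (4624, 4688, 7045), the PSEXESVC service name and the WmiPrvSE.exe parent are standard Windows artifacts.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample events (not real logs): Windows Security (4624, 4688) and
# System (7045) records reduced to the fields the rules below need.
EVENTS = [
    {"time": "2017-06-27T09:30:00", "host": "FIN-01", "id": 4624, "logon_type": 3,
     "user": "alice", "src_ip": "10.0.9.8"},                      # benign share access
    {"time": "2017-06-27T10:00:01", "host": "FIN-01", "id": 4624, "logon_type": 3,
     "user": "svc_backup", "src_ip": "10.0.5.23"},
    {"time": "2017-06-27T10:00:04", "host": "FIN-02", "id": 4624, "logon_type": 3,
     "user": "svc_backup", "src_ip": "10.0.5.23"},
    {"time": "2017-06-27T10:00:06", "host": "HR-01", "id": 4624, "logon_type": 3,
     "user": "svc_backup", "src_ip": "10.0.5.23"},
    {"time": "2017-06-27T10:00:07", "host": "HR-02", "id": 4624, "logon_type": 3,
     "user": "svc_backup", "src_ip": "10.0.5.23"},
    {"time": "2017-06-27T10:00:09", "host": "HR-02", "id": 7045,
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2017-06-27T10:00:12", "host": "FIN-01", "id": 4688,
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "process": r"C:\Windows\System32\rundll32.exe"},
    {"time": "2017-06-27T10:05:00", "host": "FIN-02", "id": 4688,
     "parent": r"C:\Windows\explorer.exe",
     "process": r"C:\Windows\System32\notepad.exe"},             # benign
]


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _when(event: dict) -> datetime:
    return datetime.fromisoformat(event["time"])


def detect_psexec_service(events):
    """7045 service install named PSEXESVC: PsExec (or a clone) just ran on this host."""
    return [{"rule": "psexec_service_install", "host": e["host"], "time": e["time"]}
            for e in events
            if e["id"] == 7045 and e["service_name"].upper() == "PSEXESVC"]


def detect_wmi_spawned_process(events):
    """4688 whose parent is WmiPrvSE.exe: a process started through remote WMI."""
    return [{"rule": "wmi_spawned_process", "host": e["host"],
             "process": _basename(e["process"]), "time": e["time"]}
            for e in events
            if e["id"] == 4688 and _basename(e["parent"]) == "wmiprvse.exe"]


def detect_logon_fanout(events, window=timedelta(minutes=5), min_hosts=3):
    """Network logons (4624, type 3) from one source IP with one account to
    at least min_hosts distinct hosts inside `window`: the credential-reuse
    fan-out pattern, regardless of patch status on the targets."""
    by_actor = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e["logon_type"] == 3:
            by_actor[(e["src_ip"], e["user"])].append((_when(e), e["host"]))
    alerts = []
    for (src_ip, user), logons in by_actor.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"rule": "remote_logon_fanout", "src_ip": src_ip, "user": user,
                               "hosts": sorted(hosts), "window_start": start.isoformat()})
                break  # one alert per (source, account)
    return alerts


def run_detections(events):
    return (detect_psexec_service(events)
            + detect_wmi_spawned_process(events)
            + detect_logon_fanout(events))


if __name__ == "__main__":
    for alert in run_detections(EVENTS):
        print(alert)
```

The fan-out rule is the one that survives full patching: it keys on the behaviour of a harvested account rather than on any exploit, which is why the sample flags svc_backup touching four hosts in six seconds but not alice's single share access. Thresholds are assumptions to tune per environment; backup and monitoring accounts legitimately fan out and need an allowlist.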
Wiper, Not Ransomware
NotPetya displayed a ransom screen demanding $300 in Bitcoin, similar to WannaCry. But security researchers quickly determined that the encryption was irreversible. The malware overwrote the Master Boot Record (MBR) with its own boot loader and encrypted the Master File Table (MFT) of the NTFS file system. The "installation ID" displayed on the ransom screen was randomly generated - it had no cryptographic relationship to the encryption keys used. Even if a victim paid the ransom, there was no mechanism to decrypt their files.
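Because the boot-sector tampering described above is visible in the first 512 bytes of the disk, a defender can baseline sector 0 on a known-good system and compare it later. The following is an added example, not code from the original page, that parses an MBR (bootstrap region, partition table, 0x55AA signature) and reports when the bootstrap code or partition table differs from a recorded baseline. The MBR images are constructed in memory with a small helper so the example runs without touching a real disk; the partition layout and bootstrap bytes are invented.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"
PARTITION_TABLE_OFFSET = 446
# status, CHS start, type, CHS end, LBA start, sector count (16 bytes per entry)
ENTRY_FORMAT = "<B3sB3sII"


def build_mbr(bootstrap: bytes, partitions) -> bytes:
    """Assemble a 512-byte MBR image. Constructed helper for this example;
    partitions are (status, type, lba_start, sectors) tuples, CHS fields zeroed."""
    code = bootstrap.ljust(PARTITION_TABLE_OFFSET, b"\x00")[:PARTITION_TABLE_OFFSET]
    table = b"".join(struct.pack(ENTRY_FORMAT, status, b"\x00" * 3, ptype, b"\x00" * 3, lba, count)
                     for status, ptype, lba, count in partitions)
    return code + table.ljust(64, b"\x00") + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Parse sector 0: hash of the bootstrap region plus the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FORMAT, sector[off:off + 16])
        if ptype != 0:  # type 0x00 is an empty slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {"bootstrap_sha256": hashlib.sha256(sector[:PARTITION_TABLE_OFFSET]).hexdigest(),
            "partitions": partitions}


def check_mbr_integrity(sector: bytes, baseline: dict) -> list:
    """Compare a freshly read sector 0 with a baseline recorded on a known-good
    system. Returns a list of findings; an empty list means no change."""
    try:
        current = parse_mbr(sector)
    except ValueError as exc:
        return [f"unparseable MBR: {exc}"]
    findings = []
    if current["bootstrap_sha256"] != baseline["bootstrap_sha256"]:
        findings.append("bootstrap code differs from baseline (foreign boot loader in sector 0)")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


# Constructed samples: a short boot stub and one NTFS (type 0x07) partition.
KNOWN_GOOD_MBR = build_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C\x8E\xC0\x8E\xD8\xBE\x00\x7C",
                           [(0x80, 0x07, 2048, 1048576)])
BASELINE = parse_mbr(KNOWN_GOOD_MBR)
# Same partition table, different bootstrap bytes: the shape a boot-sector
# wiper leaves behind, with the disk still "booting" into the attacker's loader.
MODIFIED_MBR = build_mbr(b"\xEB\x3C\x90CONSTRUCTED-REPLACEMENT-LOADER",
                         [(0x80, 0x07, 2048, 1048576)])

if __name__ == "__main__":
    print("known-good:", check_mbr_integrity(KNOWN_GOOD_MBR, BASELINE) or "clean")
    print("modified:  ", check_mbr_integrity(MODIFIED_MBR, BASELINE))
```

On a live Windows host the sector would be read from \\.\PhysicalDrive0 with administrative rights; the check only covers the boot sector, so MFT encryption of the kind described above needs a separate NTFS-level check, and on UEFI/GPT systems the equivalent baseline is the EFI System Partition contents rather than sector 0.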
This was a deliberate design choice. NotPetya was not designed to make money. It was designed to destroy data while maintaining plausible deniability as a criminal ransomware operation. The ransom demand was camouflage.
The email address listed for ransom communication (wowsmith123456@posteo.net) was hosted by the German email provider Posteo, which shut down the account within hours of the attack beginning. Even the rudimentary payment mechanism was immediately disabled, confirming that ransom collection was never the objective.
Corporate Devastation
NotPetya caused an estimated $10 billion in total damages worldwide, making it the most financially destructive cyberattack in history. The damage was not limited to Ukrainian companies. Any multinational corporation with operations in Ukraine - and therefore running M.E.Doc on its network - was a potential victim. Once NotPetya entered through the Ukrainian office, it spread across the global corporate network.
The damage toll included:
Maersk (the world's largest shipping company) - $300 million
Merck (pharmaceutical giant) - $870 million
FedEx/TNT Express - $400 million
Mondelez (Cadbury, Oreo, Toblerone) - $188 million
Reckitt Benckiser - $129 million
Saint-Gobain (French construction materials) - $384 million
These numbers represent direct costs: IT recovery, lost revenue during downtime, and rebuilding infrastructure. They do not capture the indirect costs of disrupted supply chains, missed deadlines, and lost customer confidence.
The Maersk Case Study
Maersk's experience illustrates the scale of destruction. The company handles approximately 20% of global shipping container traffic. When NotPetya hit, it destroyed virtually every Windows system in the company. Maersk lost its entire Active Directory infrastructure - the directory service that manages user accounts, permissions, and network resources for the entire organization.
The company was saved by a single domain controller in Ghana that had been offline during the attack due to a power outage. That one surviving copy of Active Directory allowed Maersk to rebuild its infrastructure. Without it, the company would have had to recreate its entire IT environment from scratch - a process that could have taken months.
Even with the Ghana backup, recovery took ten days. During that time, Maersk operated its global shipping operations using personal cell phones, WhatsApp messages, and handwritten notes. The company reinstalled 45,000 PCs, 4,000 servers, and 2,500 applications. Maersk's chair later called it a "very significant wake-up call."
Attribution to Sandworm
Multiple governments attributed NotPetya to the Russian military intelligence agency GRU, specifically a unit known as Sandworm (also tracked as Unit 74455 of the GRU's Main Center for Special Technologies). The United States, United Kingdom, Australia, Canada, New Zealand, and the European Union all issued formal attributions.
```mermaid
graph TD
    subgraph "Sandworm Attack History"
        A[2015: Ukraine Power Grid Attack 1] --> B[2016: Ukraine Power Grid Attack 2]
        B --> C[2017: NotPetya]
        C --> D[2018: Olympic Destroyer - Pyeongchang]
        D --> E[2019: Georgian Web Defacements]
        E --> F[2020: Sandworm Indictments]
    end
    subgraph "Context"
        G[Russia-Ukraine Conflict Since 2014]
        H[Ukraine as Cyber Testing Ground]
    end
```
Sandworm operations timeline - NotPetya was part of a sustained campaign against Ukraine
NotPetya was part of a broader pattern of Russian cyberattacks against Ukraine. Sandworm had previously conducted attacks on the Ukrainian power grid in December 2015 and December 2016, causing blackouts affecting hundreds of thousands of people. NotPetya represented an escalation - from disrupting specific infrastructure to attempting to cripple an entire country's economy.
In October 2020, the US Department of Justice indicted six GRU officers for their roles in NotPetya and other Sandworm operations. The indictees remain at large in Russia.
The Supply Chain Attack Legacy
NotPetya demonstrated that supply chain attacks could be catastrophically effective. By compromising one software vendor, the attackers reached every customer of that vendor simultaneously. The SolarWinds attack in 2020 - where Russian intelligence compromised the Orion network monitoring software used by 18,000 organizations including US government agencies - followed the same playbook three years later.
The lesson for organizations is uncomfortable: you are only as secure as your least secure vendor. Every piece of software that auto-updates is a potential entry point. Every third-party service with network access is a potential bridge into your environment. Supply chain security requires verifying not just your own systems, but the security posture of every vendor in your software and service chain.
For security professionals, understanding how attacks like NotPetya propagate through networks is essential knowledge. The BLEShark Nano supports network reconnaissance during authorized assessments, helping identify the wireless devices and access points that form the edges of your network - the same edges where lateral movement begins.