Threat Intelligence Assessment
NotPetya 2017 — Attribution & Defensive Implications
April 1, 2026
Key Judgments
[ HIGH CONFIDENCE ]
NotPetya was developed and deployed by Sandworm Team (GRU Unit 74455), based on code and infrastructure shared with prior Sandworm tooling and on operational patterns consistent with earlier Ukraine-targeted campaigns.
[ HIGH CONFIDENCE ]
NotPetya was not functional ransomware. The installation key shown in the ransom note was random data from which no decryption key could be derived, even by the operators, and the payload deliberately overwrote the master boot record. The primary objective was permanent destruction, not extortion.
[ MODERATE CONFIDENCE ]
Ukraine was the primary intended target. Global collateral damage affecting Maersk, Merck, FedEx, and others was an accepted operational risk, not the primary objective.
[ MODERATE CONFIDENCE ]
Initial access was achieved via a backdoored update to M.E.Doc, a Ukrainian tax accounting package used by a large share of businesses operating in Ukraine. Delivering it required a prior compromise of the vendor's update infrastructure, a software supply chain attack.
Executive Summary
On 27 June 2017, a cyberattack disguised as ransomware spread across global networks and caused an estimated $10 billion in damage in more than 65 countries within hours. The actor behind it was not trying to extort money; it was trying to destroy. The primary target was Ukraine. The global devastation affecting Maersk, Merck, FedEx, and dozens of other multinationals was accepted collateral damage, not the objective. In February 2018 the United States, the United Kingdom and allied governments formally attributed the attack to Russian military intelligence.
NotPetya entered its victims through M.E.Doc, Ukrainian tax accounting software used by a large share of businesses operating in Ukraine. The attackers compromised the vendor's update server and inserted a backdoor into legitimate updates beginning in April 2017; that backdoor was then used to push the NotPetya payload. Organizations that installed the update received NotPetya. The victims did not click a phishing link; they performed a routine, trusted software update. That trust became the delivery mechanism.
Once inside a network, NotPetya spread using two mechanisms in parallel. It exploited a known SMB vulnerability, using the EternalBlue and EternalRomance exploits that Microsoft had closed with MS17-010 in March 2017, more than three months earlier, to move across flat networks without any user interaction. It also harvested credentials from LSASS memory with a Mimikatz-derived tool and reused them to execute on additional systems through legitimate administrative channels (PsExec and WMI). Patched networks were more resistant, but not immune: a single stolen domain administrator credential was enough to reach fully patched hosts. Networks without proper segmentation had no effective defense against both paths at once.
The payload destroyed systems at the disk level. It overwrote the master boot record with a malicious bootloader and scheduled a forced reboot; on restart the bootloader encrypted the NTFS Master File Table behind a fake CHKDSK screen, leaving the disk unreadable, and then displayed a ransom note demanding $300 in Bitcoin. The note was theater. Its installation key was random data, so no decryption key could be derived from it, and the contact mailbox was shut down by its provider within hours. Recovery was never the point; the actual payload was permanent, irreversible destruction.
Attribution to Russia's GRU military intelligence is supported by code overlap with prior Russian operations, reused infrastructure, the timing of the attack on the eve of Ukraine's Constitution Day (28 June), and the October 2020 U.S. Department of Justice indictment charging six GRU Unit 74455 officers with, among other operations, NotPetya.
Threat Actor Profile
| Designation | Sandworm Team / GRU Unit 74455 / Voodoo Bear |
| Sponsorship | Russian Federation, Main Intelligence Directorate (GRU) |
| Mandate | Destructive operations supporting Russian geopolitical objectives; persistent focus on Ukrainian critical infrastructure |
| Known Ops | BlackEnergy (2015), Industroyer (2016), NotPetya (2017), Olympic Destroyer (2018) |
| Signature TTPs | Supply chain compromise, living-off-the-land, destructive wipers disguised as ransomware, credential harvesting via Mimikatz |
Incident Reconstruction
| Apr–Jun 2017 | Sandworm compromises M.E.Doc update server. Trojanized update distributed to approximately 1 million Ukrainian business users. |
| 27 Jun 10:30Z | Initial NotPetya infections observed across Ukrainian networks. Propagation begins via EternalBlue and EternalRomance (MS17-010) and via credentials harvested from LSASS with a Mimikatz-derived tool and reused over PsExec and WMI. |
| 27 Jun 11:00–14:00Z | Lateral movement reaches multinational networks. Maersk, Merck, Mondelez, and FedEx subsidiaries report system failures. NotPetya overwrites master boot records — systems rendered permanently unbootable. |
| 27 Jun 14:00Z+ | Global shipping disruption confirmed. Maersk loses operational visibility across its 76 port terminals. Over the following ten days its IT teams rebuild roughly 4,000 servers, 45,000 PCs and 2,500 applications across 130 countries. |
| July 2017 | Recovery operations conclude. Maersk later reports $250–300M in damages. Total global losses estimated at $10B+. |
Technical Indicators — MITRE ATT&CK
| Phase | ID | Detail |
|---|---|---|
| Initial Access | T1195.002 | Supply Chain: Software — Trojanized M.E.Doc update mechanism |
| Execution | T1218.011 | System Binary Proxy Execution: Rundll32 (the dropped perfc.dat loaded by rundll32.exe, launched from the M.E.Doc update process) |
| Credential Access | T1003.001 | LSASS Memory — Mimikatz credential dumping for lateral movement |
| Lateral Movement | T1210 | Exploit Remote Services — EternalBlue (MS17-010) / SMB propagation |
| Lateral Movement | T1047 / T1569.002 | Windows Management Instrumentation and Service Execution (PsExec): propagation with stolen credentials over legitimate admin tools, reaching hosts already patched against MS17-010 |
| Impact | T1561.002 | Disk Structure Wipe — MBR overwrite rendering systems permanently unbootable |
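The Impact row above and the MBR overwrite described in the executive summary both concern sector 0 of the disk. The following Python script is added here as an illustration and is not code from the original assessment: it parses a 512-byte MBR (bootstrap code, the four partition entries, the 0x55AA signature), records a known-good baseline, and reports when the bootstrap code or partition table later differs, which is what a bootloader replacement of the NotPetya kind looks like from the defender's side. The sectors it checks are constructed in memory; the baseline format, the build_sector helper and the finding strings are this example's own assumptions, not a standard.

```python
"""Baseline check of the Master Boot Record (disk sector 0).

Added example for this assessment, not code from the original report.
The sectors are constructed in memory; the baseline layout, the
build_sector helper and the finding strings are this example's assumptions.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bootstrap code: bytes 0..445
PART_TABLE_OFF = 446           # four 16-byte partition entries: bytes 446..509
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 on a valid MBR
# Partition entry: status, CHS start (3 bytes, skipped), type, CHS end
# (3 bytes, skipped), LBA start (u32 LE), sector count (u32 LE).
PART_ENTRY = "<B3xB3xII"


def parse_mbr(sector):
    """Return bootstrap-code hash, non-empty partition entries and signature state."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(
            PART_ENTRY, sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0x00 marks an unused entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def check_against_baseline(sector, baseline):
    """Compare a freshly read sector 0 with a stored parse_mbr() baseline.

    Returns a list of findings; an empty list means the MBR is unchanged."""
    current = parse_mbr(sector)
    findings = []
    if not current["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector 0 wiped or overwritten")
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("bootstrap code differs from baseline: possible bootloader replacement")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def build_sector(boot_code, partitions, signature=BOOT_SIGNATURE):
    """Assemble a 512-byte MBR from bootstrap bytes and (status, type, lba, count) tuples."""
    sector = bytearray(SECTOR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    for i, (status, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(PART_ENTRY, sector, PART_TABLE_OFF + 16 * i, status, ptype, lba, count)
    sector[510:512] = signature
    return bytes(sector)


# Constructed known-good MBR: placeholder bootstrap bytes (not real boot code)
# and one bootable NTFS partition (type 0x07) starting at LBA 2048.
GOOD_BOOT_CODE = bytes(range(256)) + bytes(range(190))
GOOD_PARTS = [(0x80, 0x07, 2048, 209715200)]
GOOD_SECTOR = build_sector(GOOD_BOOT_CODE, GOOD_PARTS)
BASELINE = parse_mbr(GOOD_SECTOR)

# Constructed tampered MBR: bootstrap code replaced, partition table and
# signature left intact, so the disk still looks bootable.
TAMPERED_SECTOR = build_sector(b"\x90" * BOOT_CODE_LEN, GOOD_PARTS)

# Constructed wiped MBR: sector 0 zeroed.
WIPED_SECTOR = bytes(SECTOR_SIZE)

if __name__ == "__main__":
    for label, sec in [("good", GOOD_SECTOR), ("tampered", TAMPERED_SECTOR), ("wiped", WIPED_SECTOR)]:
        print(label, check_against_baseline(sec, BASELINE) or ["ok"])
```

On a live host the same check_against_baseline call can be fed the first 512 bytes read from \\.\PhysicalDrive0 (Windows, elevated) or /dev/sda (Linux, root). On GPT disks sector 0 holds only a protective MBR (a single partition of type 0xEE), so the GPT header needs its own check. Because NotPetya wrote its bootloader first and forced the reboot later, a periodic sweep of this kind has a short window in which to raise an alert before the malicious bootloader ever runs.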
Implications for Defenders
- 01.
Patch MS17-010 immediately if not already applied; EternalBlue remains actively exploited years after the patch was released. Patching alone is not sufficient: in 2017, hosts patched against MS17-010 were still reached with stolen credentials over PsExec and WMI, so credential hygiene (no shared local administrator passwords, no domain administrator logons to workstations) matters as much as the patch.
- 02.
Treat software update mechanisms as attack surface. Verify update integrity with code signing, pin the expected publisher, and monitor updater processes for anomalous child processes. In NotPetya's case the M.E.Doc process ezvit.exe launched rundll32.exe to load the dropped perfc.dat, a parent-child pair no legitimate accounting update should produce.
- 03.
Segment networks aggressively. NotPetya's blast radius was amplified by flat network architectures. Block SMB (TCP 445) and remote WMI/RPC from workstations to servers and between workstations by default; neither propagation path should be able to reach critical systems from a single infected endpoint.
- 04.
Offline backups are not optional. Maersk was able to rebuild its Active Directory only because a single domain controller in Ghana happened to be offline during the attack due to a power outage; every other domain controller was wiped. A random infrastructure failure in Africa saved a global shipping giant. That was luck, not architecture. Keep at least one backup of domain controllers and other critical systems offline or immutable, and test restoring from it.
- 05.
Wiper malware does not negotiate. Incident response playbooks designed for ransomware (negotiation, decryptor validation, selective restore) are insufficient. If the master boot record and MFT are overwritten, recovery means rebuilding from clean images and restoring data from backups, and is measured in days to weeks, not hours.
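The two propagation paths described in the executive summary, the WMI/PsExec row in the ATT&CK table, and recommendation 02's advice to watch updater child processes all surface in process-creation telemetry. The following Python script is an added example, not code from the original assessment: it runs four rules over Sysmon Event ID 1 style records (Image, ParentImage, CommandLine) and returns which rule fired on which event. The events are constructed, not captured logs; the field names follow Sysmon's, but the UPDATER_PROCESSES set is an assumption and the command lines are illustrative reconstructions. The artifacts being modeled (the M.E.Doc process ezvit.exe, the dropped perfc.dat, PsExec renamed to dllhost.dat, the scheduled shutdown /r task) are the documented NotPetya behaviours.

```python
"""Flag NotPetya-style propagation in process-creation telemetry.

Added example for this assessment, not code from the original report.
Events mimic Sysmon Event ID 1 fields; the UPDATER_PROCESSES set and the
sample events are constructed assumptions for illustration.
"""
import ntpath

# Updater executables whose rundll32 children are suspect (assumption:
# ezvit.exe is the M.E.Doc process that launched NotPetya).
UPDATER_PROCESSES = {"ezvit.exe"}

# Constructed sample telemetry, not captured logs.
SAMPLE_EVENTS = [
    # Trojanized update: the M.E.Doc updater launches rundll32 on a dropped DLL.
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Program Files\MEDoc\ezvit.exe",
     "CommandLine": r'rundll32.exe "C:\Windows\perfc.dat",#1 30'},
    # Credential-based spread: wmic creating a process on a remote host.
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'wmic /node:"10.0.5.21" /user:"CORP\svc_backup" /password:"***" process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1 30"'},
    # Renamed PsExec (dropped as dllhost.dat) pushing the payload.
    {"Image": r"C:\Windows\dllhost.dat",
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'C:\Windows\dllhost.dat \\10.0.5.22 -accepteula -s -d C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1 30'},
    # Forced reboot scheduled so the malicious bootloader runs.
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:35'},
    # Benign: an administrator's genuine PsExec session.
    {"Image": r"C:\Tools\PsExec.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'PsExec.exe \\fileserver01 -accepteula ipconfig /all'},
    # Benign: rundll32 started by explorer for a control panel applet.
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'rundll32.exe shell32.dll,Control_RunDLL'},
]


def _name(path):
    """Lower-cased file name from a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def rundll32_from_updater(ev):
    """Updater process spawning rundll32.exe: a trojanized update executing a DLL."""
    return _name(ev["Image"]) == "rundll32.exe" and _name(ev["ParentImage"]) in UPDATER_PROCESSES


def remote_wmic_exec(ev):
    """wmic.exe creating a process on a remote node."""
    cl = ev["CommandLine"].lower()
    return _name(ev["Image"]) == "wmic.exe" and "/node:" in cl and "process call create" in cl


def renamed_psexec(ev):
    """PsExec's -accepteula switch coming from a binary not named psexec*.exe."""
    return "-accepteula" in ev["CommandLine"].lower() and not _name(ev["Image"]).startswith("psexec")


def forced_reboot_task(ev):
    """schtasks scheduling shutdown /r, the trigger for the malicious bootloader."""
    cl = ev["CommandLine"].lower()
    return _name(ev["Image"]) == "schtasks.exe" and "shutdown" in cl and " /r" in cl


RULES = {
    "rundll32_from_updater": rundll32_from_updater,
    "remote_wmic_exec": remote_wmic_exec,
    "renamed_psexec": renamed_psexec,
    "forced_reboot_task": forced_reboot_task,
}


def detect(events):
    """Return (event_index, rule_name) for every rule that fires, in event order."""
    alerts = []
    for idx, ev in enumerate(events):
        for rule_name, rule in RULES.items():
            if rule(ev):
                alerts.append((idx, rule_name))
    return alerts


if __name__ == "__main__":
    for idx, rule_name in detect(SAMPLE_EVENTS):
        print(f"[{rule_name}] event {idx}: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

The renamed-PsExec rule keys on the -accepteula switch because NotPetya dropped PsExec under a different file name; the genuine administrator session from psexec.exe is left alone, which is why matching on behaviour rather than image name matters. In production these rules belong in the SIEM or EDR query language rather than a script, and UPDATER_PROCESSES should list every updater that runs in the environment, since the parent-child pair is the signal, not the M.E.Doc name.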
Key Takeaway
NotPetya established that a nation-state is willing to deploy a destructive cyberweapon that propagates beyond its intended target, causing massive civilian economic harm as acceptable collateral damage. The $10 billion in losses was not the goal; it was the byproduct. Any organization that still runs unpatched systems on a flat network, treats software updates as inherently trusted, or stores its backups on the same network it is trying to protect is exposed to the same propagation chain that took down global shipping in 2017. The code is nearly a decade old. The architectural rot that let it breathe is still foundational.