MeDoc updates delivered NotPetya
The update mechanism for MeDoc, a widely used Ukrainian accounting package, was compromised and used to distribute NotPetya.
Story
NotPetya entered through accounting software. Attackers compromised Intellect Service, the maker of M.E.Doc, a tax-reporting product widely used by Ukrainian businesses. Columbia's case study describes M.E.Doc as required or common enough to sit inside much of Ukraine's commercial infrastructure, making the vendor's update channel a practical route into companies that needed to file taxes.
The delivery was a poisoned software update. Customers who trusted the MeDoc updater received code that launched NotPetya on June 27, 2017. The malware presented a ransom note, but the payment path was theater: the disk damage was not reliably reversible. The mechanism was destructive first and extortionate only in appearance.
Once inside a network, NotPetya spread quickly by combining credential theft with built-in Windows lateral-movement tools. EternalBlue reached vulnerable SMB systems, while Mimikatz-style credential theft let the malware move even where EternalBlue alone was not enough. As a result, flat Windows networks, old operating systems, and weak segmentation failed at machine speed.
The impact escaped Ukraine. Maersk was hit through a machine in Odessa and saw ports, booking systems, PCs, and domain controllers fail across its global network; Columbia describes 17 of 76 ports affected and a rebuild of roughly 4,000 servers and 45,000 PCs. The White House later assessed total damages at about $10 billion, with Maersk, FedEx/TNT, Mondelēz, Merck, and others reporting nine-figure losses.
Affected Artifacts
- Observed: 2017-04-01 to 2017-06-27
- Compromised Versions: Unknown
- Fixed: Not listed
- Hashes:
  - sha256:027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
  - sha256:13d5006285b3f9151e7e7f98e75a99534a831510f6e6d4f1a24713004f014906
  - md5:71b6a493388e7d0b40c83ce903bc6b04
- Evidence:
  - mirror: welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine
  - mirror: microsoft.com/en-us/security/blog/2017/06/27/new-ransomware-old-techniques-petya-outbreak-originates-in-ukraine-spreads-globally
  - mirror: virustotal.com/gui/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
  - mirror: virustotal.com/gui/file/13d5006285b3f9151e7e7f98e75a99534a831510f6e6d4f1a24713004f014906
  - +3 more
- The affected MeDoc scope covers the specific update versions distributed on or around 2017-06-27.
- Columbia SIPA's NotPetya case study describes M.E.Doc as used by about one million businesses in Ukraine; this record keeps the narrower 400,000-user count already tracked for affected MeDoc installations.
- Columbia SIPA cites a White House assessment of roughly $10 billion in total NotPetya damages, with nine-figure losses reported by multiple multinationals.
Incident Context
- Motive: Data Destruction, Disruption, Espionage, Initial Backdoor
- Attribution: State
- Cause: Build Server Compromise
- Transitive: No
- Actor: Nation-state
- User Impact: 400,000
External References
- The Untold Story of NotPetya, the Most Devastating Cyberattack in History (wired.com)
- CISA Alert TA17-181A: Petya Ransomware (cisa.gov)
- US-CERT Alert TA17-181A: Petya Ransomware (us-cert.gov)
- ESET: The connection between the TeleBots group and the current M.E.Doc situation (welivesecurity.com)
- NotPetya: A Columbia University Case Study (sipa.columbia.edu)
Source record: proprietary/medoc/meta.yaml