Threat Actor

NotPetya

notpetya · russia_apt_sandworm · active since 2017-05

NotPetya (canonical name; industry alternatives ExPetr / Petya.A / PetrWrap / Netya / Nyetya / EternalPetya per Kaspersky, Cisco Talos, ESET and multiple convergent analyses) is a cluster-defining destructive cyberweapon disguised as ransomware. It is Sandworm Team's (Russian GRU Unit 74455, also Mandiant APT44 / Microsoft Seashell Blizzard, curated separately as the sandworm_team parent operator) most economically destructive cyberweapon and, per the White House $10B+ damage assessment (Tom Bossert, former US Homeland Security advisor, as reported by Wired), the most economically destructive cyberattack in history.

Deployment: June 27, 2017, on the eve of Ukrainian Constitution Day (June 28), via the cluster-defining supply chain compromise of M.E.Doc (Medok), the mandatory Ukrainian tax/accounting software used by ~80% of Ukrainian businesses and developed by the small family-run Linkos Group led by Olesya Linnik. Sandworm pre-compromised the M.E.Doc update servers months earlier, exploiting 4+ years of neglected server security at Linkos; the Ukrainian cybercrime unit's July 2017 seizure of Intellect Services servers found no security patches, evidence of Russian presence and several compromised employee accounts. A May 18, 2017 XData ransomware test run established the viability of the M.E.Doc update channel.

Platform: a standalone malware platform cluster paralleling blackenergy, industroyer and olympic_destroyer in the Sandworm-platform-family cell. Rapid 4-vector propagation tradecraft integrates EternalBlue (CVE-2017-0144, NSA-developed SMBv1 RCE released by the Shadow Brokers April 14, 2017 and patched by Microsoft MS17-010 / KB4013389 on March 14, 2017), EternalRomance (CVE-2017-0145, paired NSA SMBv1 RCE), Mimikatz (LSASS credential dumping for lateral movement), WMI (Windows Management Instrumentation lateral execution) and PsExec (sysadmin utility lateral execution).

Destructive payload: encrypts the Master Boot Record and the file system table and displays a Bitcoin ransom demand, but no functional decryption mechanism existed; a pure destructive cyberweapon disguised as ransomware. Impact metrics: ~80% of infections in Ukraine, Germany second-most affected at 9%, 65+ countries impacted (Kaspersky recorded infections in France, Germany, Italy, Poland, the UK and the US, with the majority in Russia and Ukraine); 80+ Ukrainian initial targets including the National Bank of Ukraine; Maersk Line $200-300M lost revenues (the canonical recovery narrative includes a powerless server in Ghana accidentally saving the company); FedEx's TNT Express European subsidiary $400M business impact; Merck pharmaceutical substantial losses; Mondelez, Reckitt Benckiser, several French companies and a Pennsylvania hospital; Ukrainian ministries, banks and metro systems affected; the Chernobyl Nuclear Power Plant radiation monitoring system taken offline; and a boomerang effect that infected the Russian state oil company Rosneft, demonstrating the collateral scope of a destructive cyberweapon.

Attribution chain: the February 2018 joint US/UK formal attribution to Russia's GRU Unit 74455; ESET's October 11, 2018 disclosure "New TeleBots backdoor: First evidence linking Industroyer to NotPetya" by Anton Cherepanov and Robert Lipovsky, establishing a direct codebase link between NotPetya, the TeleBots backdoor and the 2016 Industroyer Ukraine power grid backdoor (Sandworm-platform-family code coherence); and the US DOJ October 15, 2020 indictment (Scott W. Brady) of 6 GRU Unit 74455 officers.

Signature tradecraft: the cluster-defining M.E.Doc supply chain compromise; the cluster-defining fake-ransomware-disguising-a-destructive-wiper pattern; cluster-defining rapid 4-vector lateral propagation; politically motivated eve-of-Ukrainian-Constitution-Day timing; and the TeleBots backdoor framework code link to 2016 Industroyer and 2018 Olympic Destroyer.

Reporting: Andy Greenberg's WIRED reporting and his Sandworm book (2019) provide the canonical NotPetya narrative chronicle, including the Linkos Group ground-zero context, the Maersk recovery narrative, Sang-jin Oh's IT perspective and the $10B damage scale.

The cluster fills the most economically destructive slot in the Sandworm-platform-family chronology: BlackEnergy 2015 - Industroyer 2016 - NotPetya 2017 - Industroyer2 2022.

It retains industry reference status as the canonical "most economically destructive cyberattack in history", and its cluster-defining supply chain compromise tradecraft is cited in essentially all subsequent supply chain attack and destructive cyberweapon industry analyses through the 2017-2026 period.

russia_apt_sandworm · confidence: high · 19 aliases

Profile

NotPetya (canonical name; industry alternatives ExPetr / Petya.A / PetrWrap / Netya / Nyetya / EternalPetya per multiple analyses) is a cluster-defining destructive cyberweapon disguised as ransomware, deployed June 27, 2017. It is Sandworm Team's most economically destructive cyberweapon and the most economically destructive cyberattack in history per the White House $10B+ damage assessment (Tom Bossert, former US Homeland Security advisor, per Wired). Russian state-sponsored APT attribution rests on the February 2018 joint US/UK formal attribution to GRU Unit 74455 (Sandworm), ESET's October 2018 TeleBots backdoor codebase link to 2016 Industroyer, and the US DOJ October 15, 2020 indictment of 6 GRU officers. It is a standalone malware platform cluster paralleling blackenergy, industroyer and olympic_destroyer in the Sandworm-platform-family cell, distinct from the sandworm_team parent operator cluster.

Operational attack architecture:

(1) M.E.Doc supply chain pre-compromise (months prior): M.E.Doc (Medok) is Ukrainian tax/accounting software used by ~80% of Ukrainian businesses, developed by the small family-run Linkos Group (Olesya Linnik). Sandworm pre-compromised the M.E.Doc update servers via Linkos's reportedly 4+ years of neglected server security, per the Ukrainian cybercrime unit's July 2017 Intellect Services seizure.

(2) May 18, 2017 XData test run via the M.E.Doc update channel established viability.

(3) June 27, 2017 NotPetya deployment (eve of Ukrainian Constitution Day, June 28): initial mass infection via the M.E.Doc software update mechanism.

(4) Rapid 4-vector propagation
  • EternalBlue (CVE-2017-0144, NSA SMBv1 RCE released by the Shadow Brokers April 2017, patched in Microsoft MS17-010 March 2017)
  • EternalRomance (paired NSA SMBv1 RCE)
  • Mimikatz (LSASS credential dumping for lateral movement)
  • WMI (Windows Management Instrumentation lateral execution)
  • PsExec (sysadmin utility lateral execution)

(5) Destructive payload
  • Master Boot Record (MBR) overwrite/encryption
  • File system table (NTFS) encryption
  • Bitcoin ransom demand display (no functional decryption mechanism; pure cyberweapon disguise)

Impact metrics:
  • $10B+ White House damage assessment per Tom Bossert per Wired
  • 80% of infections in Ukraine per ESET (Germany second-most affected at 9%)
  • 65+ countries affected
  • Maersk Line $200-300M lost revenues (canonical Maersk recovery narrative: a powerless server in Ghana accidentally saved the company)
  • FedEx TNT Express $400M business impact
  • Merck, Mondelez and Reckitt Benckiser substantial losses
  • National Bank of Ukraine and 80+ Ukrainian initial targets
  • Chernobyl radiation monitoring offline
  • Boomerang effect: infected Russian state oil company Rosneft per Control Engineering

Signature operational tradecraft:
  • M.E.Doc supply chain compromise (cluster-defining): a single compromised software update infecting 80% of Ukrainian businesses
  • Fake ransomware disguise (signature): encrypted MBR and file system table plus a Bitcoin demand display, but no functional decryption mechanism; a destructive cyberweapon disguised as ransomware
  • Rapid 4-vector propagation (signature): EternalBlue + EternalRomance + Mimikatz + WMI + PsExec
  • Eve-of-Ukrainian-Constitution-Day timing (signature): politically motivated attack against Ukrainian national identity per experts cited on Wikipedia
  • TeleBots backdoor framework code link to 2016 Industroyer per ESET October 2018: Sandworm-platform-family codebase coherence
  • Boomerang effect on Russian state oil company Rosneft (signature): the accidental infection of Russia demonstrates the collateral damage scope of a destructive cyberweapon

The cluster fills the most economically destructive slot in the Sandworm-platform-family chronology: BlackEnergy 2015 - Industroyer 2016 - NotPetya 2017 - Industroyer2 2022. Operationally it is the signature cluster for cluster-defining supply chain compromise tradecraft, the cluster-defining fake-ransomware-disguising-a-destructive-wiper pattern, and the cluster-defining White House $10B+ "most economically destructive cyberattack in history" industry baseline reference.

Aliases

19
notpetya · not petya · notpetya_malware · notpetya_attack · expetr · exPetr · petya_a · petrwrap · netya · nyetya · eternalpetya · goldeneye · notpetya june 2017 ukraine · notpetya $10 billion damages · notpetya m.e.doc supply chain · notpetya medok linkos · notpetya eternalblue · notpetya wiper fake ransomware · most damaging cyberattack history

Notable Campaigns

11
2020 · US DOJ Indictment of 6 GRU Unit 74455 Officers (October 15, 2020)
2018 · US/UK Joint Formal Attribution (February 2018)
2018 · ESET TeleBots - Industroyer - NotPetya Codebase Link (October 11, 2018)
2017-2026 · Continued Industry Reference Status (2017-2026)
2017-2018 · White House $10B+ Damage Assessment (Tom Bossert, Wired)
2017 · M.E.Doc Supply Chain Pre-Compromise (Pre-May 2017)
2017 · XData Ransomware Test Run via M.E.Doc (May 18, 2017)
2017 · EternalBlue Shadow Brokers Release + Microsoft MS17-010 Patch (Spring 2017)
2017 · NotPetya Deployment (June 27, 2017)
2017 · NotPetya Global Corporate Impact (2017)
2017 · Ukrainian Cybercrime Unit Intellect Services Server Seizure (July 2017)

Attribution & Reporting

Attributed by
  • ESET WeLiveSecurity (canonical TeleBots - Industroyer - NotPetya codebase link disclosure, Anton Cherepanov + Robert Lipovsky, October 11, 2018)
  • Mandiant / Google Cloud Threat Intelligence Group (canonical APT44 Sandworm tracking)
  • Symantec (NotPetya technical analysis + Sandworm verification)
  • Kaspersky GReAT (canonical ExPetr / Petya technical analysis, June 27, 2017)
  • Cisco Talos (canonical Nyetya analysis with code links to BadRabbit + Olympic Destroyer)
  • Andy Greenberg (canonical WIRED reporting + Sandworm book 2019, the most authoritative NotPetya narrative chronicle)
  • White House (Tom Bossert, former Homeland Security advisor, canonical $10B+ damage assessment)
  • US Department of Justice (October 15, 2020 indictment of 6 GRU Unit 74455 officers per Scott W. Brady)
  • UK Government (February 2018 joint formal attribution)
  • US Government (February 2018 joint formal attribution)
  • CERT-UA Ukrainian Computer Emergency Response Team (canonical incident response)
  • Microsoft Security Response Center (KB4013389 / MS17-010 EternalBlue patch, March 2017)
  • Microsoft Threat Intelligence Center (Seashell Blizzard canonical Sandworm tracking)
  • CrowdStrike (Voodoo Bear canonical Sandworm tracking)
  • Maersk Line (corporate disclosure of $200-300M losses + canonical "Sang-jin Oh" IT recovery narrative)
  • FedEx (corporate disclosure of $400M TNT Express business impact)
  • Merck (corporate disclosure of substantial pharmaceutical losses)
  • Mondelez International (corporate disclosure)
  • Reckitt Benckiser (corporate disclosure)
  • Linkos Group / Olesya Linnik (M.E.Doc canonical supply chain context)
  • Ukrainian cybercrime unit (July 2017 Intellect Services / M.E.Doc server seizure)
Key reporting
  • ESET WeLiveSecurity (Anton Cherepanov + Robert Lipovsky): "New TeleBots backdoor: First evidence linking Industroyer to NotPetya" (October 11, 2018), canonical codebase link disclosure
  • Andy Greenberg (WIRED): "The Untold Story of NotPetya, the Most Devastating Cyberattack in History" + canonical Sandworm book (2019)
  • Cisco Talos: Nyetya canonical analysis with code links to BadRabbit + Olympic Destroyer
  • Kaspersky GReAT: ExPetr / Petya canonical technical analysis (June 27, 2017)
  • Symantec: NotPetya technical analysis + Sandworm verification
  • Microsoft Threat Intelligence Center: Sandworm canonical tracking + MS17-010 / KB4013389 patch documentation
  • Mandiant / Google Cloud Threat Intelligence Group: APT44 Sandworm canonical tracking
  • CrowdStrike: Voodoo Bear canonical tracking
  • White House (Tom Bossert, former Homeland Security advisor): $10B+ damage assessment per Wired report
  • US Department of Justice (Scott W. Brady): October 15, 2020 indictment of 6 GRU Unit 74455 officers
  • UK Government + US Government: joint February 2018 formal attribution
  • CERT-UA Ukrainian Computer Emergency Response Team: canonical incident response analysis
  • Ukrainian Cybercrime Unit: July 2017 Intellect Services / M.E.Doc server seizure analysis
  • Linkos Group / Olesya Linnik: M.E.Doc context (the company denied being the perpetrator while acknowledging victim status)
  • Maersk Line + FedEx + Merck + Mondelez + Reckitt Benckiser: corporate disclosure of financial impact
  • MITRE ATT&CK Software S0368: NotPetya
  • Malpedia Software Profile: NotPetya

Operational

State sponsor

Russian state-sponsored APT, specifically Sandworm Team (GRU Unit 74455, also Mandiant APT44 / Microsoft Seashell Blizzard / Dragos ELECTRUM, curated separately as the sandworm_team parent operator cluster).

Attribution chain:

(1) February 2018 joint US/UK formal attribution: the US and UK governments officially attributed NotPetya to Russia's GRU Unit 74455 (Sandworm) in multiple government statements. Per Tech2Geek + Grokipedia: "In February 2018, the U.S. and U.K. officially attributed NotPetya to Russia's GRU, specifically Unit 74455, Sandworm." The joint formal attribution was operationally significant as the most prominent state-on-state cyber attribution to that point.

(2) ESET October 11, 2018 TeleBots - Industroyer - NotPetya codebase link: ESET (Anton Cherepanov + Robert Lipovsky) published "New TeleBots backdoor: First evidence linking Industroyer to NotPetya", establishing a direct codebase connection between the NotPetya backdoor, the TeleBots backdoor and the 2016 Industroyer Ukraine power grid backdoor (Sandworm-platform-family code coherence).

(3) US DOJ October 15, 2020 indictment: 6 GRU Unit 74455 officers indicted, including for NotPetya, per Scott W. Brady. Per Tech2Geek: "In October 2020, the U.S. indicted six GRU officers."

(4) Andy Greenberg WIRED + Sandworm book canonical chronicle: Andy Greenberg's investigative reporting (WIRED 2017-2018 and the 2019 book "Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers") established the canonical NotPetya + Sandworm narrative, including the M.E.Doc supply chain compromise, the Linkos Group ground-zero context and the $10B damage scale.

Operational mission objective + impact: per Wired, Tech2Geek, Zoho and multiple convergent analyses, NotPetya was a destructive cyberweapon disguised as ransomware whose operational mission was maximum economic and infrastructural disruption of Ukraine; the eve-of-Ukrainian-Constitution-Day (June 28) timing indicates a politically motivated attack against Ukrainian national identity per experts cited on Wikipedia. Operational fact pattern: it encrypted the Master Boot Record and the file system table and demanded a Bitcoin ransom payment, but no functional decryption mechanism existed; the ransomware appearance was an operational disguise for a pure destructive cyberweapon (per multiple analyses including Kaspersky, Symantec and Talos).

Impact metrics
  • White House $10B+ damage assessment per Tom Bossert, former Homeland Security advisor, per Wired
  • 80% of infections in Ukraine per ESET June 28, 2017 estimate (Germany second-most affected at 9%)
  • 65+ countries affected per Zoho Workplace

Notable corporate victims with documented losses
  • Maersk Line: $200-300M lost revenues per Maersk (later disclosed in earnings)
  • FedEx (TNT Express European subsidiary): ~$400M business impact
  • Merck pharmaceutical: substantial losses
  • Mondelez International: substantial losses
  • Reckitt Benckiser: substantial losses
  • National Bank of Ukraine + 80+ initial Ukrainian targets per Kaspersky
  • Chernobyl Nuclear Power Plant radiation monitoring system went offline per Wikipedia + Tech2Geek
  • Even infected Russian state oil company Rosneft per Control Engineering (accidental boomerang effect)
  • Ukrainian ministries, banks and metro systems affected per Tech2Geek

Operational attack architecture (per multiple convergent analyses):

(1) M.E.Doc supply chain compromise (months prior): M.E.Doc (Medok) is mandatory Ukrainian tax/accounting software used by ~80% of Ukrainian businesses, developed by the small family-run Linkos Group led by Olesya Linnik. Sandworm pre-compromised the M.E.Doc update servers via insufficient security; Linkos Group servers had reportedly not been updated for 4+ years, with no security patches, per the Ukrainian cybercrime unit's July 2017 seizure analysis.

(2) May 18, 2017 XData test run: Sandworm pushed an XData ransomware variant through the M.E.Doc update channel as an operational test for full deployment per Tech2Geek.

(3) June 27, 2017 NotPetya deployment: NotPetya was released via the M.E.Doc update mechanism on the eve of Ukrainian Constitution Day (June 28), initially infecting thousands of Ukrainian organizations via the software update.

(4) Rapid 4-vector propagation
  • EternalBlue (CVE-2017-0144): NSA-developed SMB exploit released by the Shadow Brokers April 14, 2017 and previously used by WannaCry in May 2017
  • EternalRomance: paired NSA SMB exploit
  • Mimikatz: credential-stealing tool for lateral movement
  • WMI (Windows Management Instrumentation): legitimate Windows admin protocol
  • PsExec: legitimate sysadmin utility

(5) Destructive payload execution
  • Master Boot Record (MBR) overwrite/encryption, which prevents Windows from booting
  • File system table encryption, which prevents file recovery
  • Bitcoin ransom demand display (no functional decryption mechanism)
  • Permanent data loss + system unusability

Per Microsoft + multiple analyses: the EternalBlue vulnerability had been patched by Microsoft (KB4013389 / MS17-010) in March 2017 for supported Windows versions and in May 2017 for unsupported versions (Windows XP) in the wake of WannaCry, yet many enterprises had still not patched at the time of NotPetya despite the WannaCry warning. The cluster represents Sandworm's most economically destructive cyberweapon, the generational successor in the Sandworm-platform-family chronology following BlackEnergy 2015 + Industroyer 2016 and preceding Industroyer2 2022.
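Three of the propagation vectors listed above leave host-level traces that a defender can hunt for in endpoint telemetry: PsExec installs a service on the target, WMI remote execution shows up as WmiPrvSE.exe spawning a command interpreter, and Mimikatz-style credential theft requires opening LSASS memory. The script below is an added example written for this page, not code from threatengine.sh or from any vendor's detection content. It runs three such rules over constructed records shaped like Sysmon Event ID 1 (process create) and Event ID 10 (process access) and a Windows System log Event ID 7045 (service installed); the field names (ServiceName, ImagePath, Image, ParentImage, SourceImage, TargetImage, GrantedAccess) are assumed normalized names, and the sample events are constructed, not real captures. It then correlates per host, because several distinct indicators firing on one machine within a short window is what a rapid multi-vector spread looks like, whereas any one of them alone is routine admin noise.

```python
"""Hunt for NotPetya-style lateral-movement indicators in Windows telemetry.

Added example, not code from threatengine.sh or from any vendor.
Field names are assumed normalized names; the sample events are constructed.
"""
from dataclasses import dataclass


@dataclass
class Event:
    host: str
    source: str    # "sysmon" or "system" (constructed log source labels)
    event_id: int
    fields: dict


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # Benign: an interactive user opens Notepad from Explorer.
    Event("ws-01", "sysmon", 1, {"Image": r"C:\Windows\System32\notepad.exe",
                                  "ParentImage": r"C:\Windows\explorer.exe",
                                  "CommandLine": "notepad.exe"}),
    # PsExec-style remote execution: the PSEXESVC service is installed.
    Event("fs-02", "system", 7045, {"ServiceName": "PSEXESVC",
                                     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"}),
    # WMI remote execution: the WMI provider host spawns a command shell.
    Event("fs-02", "sysmon", 1, {"Image": r"C:\Windows\System32\cmd.exe",
                                  "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                                  "CommandLine": "cmd.exe /c hostname"}),
    # Credential dumping pattern: an unknown binary opens LSASS with full access.
    Event("fs-02", "sysmon", 10, {"SourceImage": r"C:\Users\Public\tool.exe",
                                   "TargetImage": r"C:\Windows\System32\lsass.exe",
                                   "GrantedAccess": "0x1FFFFF"}),
    # Benign LSASS access by a system component with a narrow access mask.
    Event("ws-01", "sysmon", 10, {"SourceImage": r"C:\Windows\System32\svchost.exe",
                                   "TargetImage": r"C:\Windows\System32\lsass.exe",
                                   "GrantedAccess": "0x1000"}),
]

# Processes that legitimately touch LSASS; tune to the environment (assumption).
LSASS_ALLOWLIST = {"svchost.exe", "lsass.exe", "csrss.exe", "wininit.exe", "msmpeng.exe"}
PROCESS_VM_READ = 0x10  # minimum right needed to read another process's memory


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows path (handles %SystemRoot% style too)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_psexec_service(ev: Event):
    """7045 service install whose name or binary is PSEXESVC (PsExec remote execution)."""
    if ev.source == "system" and ev.event_id == 7045:
        name = ev.fields.get("ServiceName", "").upper()
        image = _basename(ev.fields.get("ImagePath", ""))
        if name == "PSEXESVC" or image == "psexesvc.exe":
            return "psexec_service_install"
    return None


def rule_wmi_spawned_shell(ev: Event):
    """Process create where WmiPrvSE.exe is the parent of an interpreter (WMI remote exec)."""
    if ev.source == "sysmon" and ev.event_id == 1:
        parent = _basename(ev.fields.get("ParentImage", ""))
        child = _basename(ev.fields.get("Image", ""))
        if parent == "wmiprvse.exe" and child in {"cmd.exe", "powershell.exe", "rundll32.exe"}:
            return "wmi_remote_execution"
    return None


def rule_lsass_access(ev: Event):
    """Process access to lsass.exe with memory-read rights from a non-allowlisted image."""
    if ev.source == "sysmon" and ev.event_id == 10:
        if _basename(ev.fields.get("TargetImage", "")) != "lsass.exe":
            return None
        src = _basename(ev.fields.get("SourceImage", ""))
        access = int(ev.fields.get("GrantedAccess", "0"), 16)
        if src not in LSASS_ALLOWLIST and access & PROCESS_VM_READ:
            return "lsass_memory_access"
    return None


RULES = (rule_psexec_service, rule_wmi_spawned_shell, rule_lsass_access)


def hunt(events):
    """Return (host, indicator) pairs for every event that matches a rule."""
    findings = []
    for ev in events:
        for rule in RULES:
            tag = rule(ev)
            if tag:
                findings.append((ev.host, tag))
    return findings


def hosts_with_chain(findings, minimum=2):
    """Hosts where at least `minimum` distinct indicators fired: the multi-vector
    chain on one machine is a far stronger signal than any single alert."""
    seen = {}
    for host, tag in findings:
        seen.setdefault(host, set()).add(tag)
    return sorted(h for h, tags in seen.items() if len(tags) >= minimum)


if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for host, tag in results:
        print(f"{host}: {tag}")
    print("hosts with chained indicators:", hosts_with_chain(results))
```

On the constructed sample the three rules fire only for `fs-02`, which is also the one host the correlation step reports; the `ws-01` Notepad launch and the `svchost.exe` access to LSASS with a narrow mask are left alone. In a real deployment the events would come from a SIEM export, the allowlist and the access-mask threshold are tuning knobs that need adjusting per environment, and the SMBv1 vectors (EternalBlue / EternalRomance) are best addressed by confirming MS17-010 is installed and SMBv1 is disabled, which this host-telemetry example does not check.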
Motivations
most_economically_destructive_cyberattack_in_history_capability_demonstration, ukrainian_critical_infrastructure_disruption_via_supply_chain_attack, eve_of_ukrainian_constitution_day_politically_motivated_timing, sandworm_destructive_cyberweapon_disguised_as_ransomware, cluster_defining_m_e_doc_supply_chain_compromise_tradecraft, rapid_4_vector_propagation_eternalblue_eternalromance_mimikatz_wmi_psexec, fake_ransomware_no_functional_decryption_pure_cyberweapon, global_economic_disruption_via_initial_ukraine_targeting, boomerang_effect_demonstration_infecting_russian_state_oil_rosneft
Sectors
Regions

Detection Blind Spots

60 techniques
Across this actor’s 60 mapped techniques, the share covered by each detection layer. Low bars are where you’d be blind if this actor targeted you.
  • Behavioral / log (Sigma): 59/60 · 98%
  • Analytics (MITRE CAR): 35/60 · 58%
  • Runtime / container (Falco): 8/60 · 13%
  • File / malware (YARA): 0/60 · 0%
  • Network (Suricata/Snort): 15/60 · 25%
  • Vuln scan (Nuclei): 0/60 · 0%

Atomic Test Plan

30 techniques
Runnable Atomic Red Team tests covering this actor’s mapped techniques, to validate your detections against this specific adversary. Cross-reference the blind spots above. For authorized lab / purple-team use.

Tools Used

1 mapped
Other tooling / TTPs (curation, not ATT&CK-mapped):
  • M.E.DOC MEDOK UKRAINIAN TAX ACCOUNTING SOFTWARE 80 PERCENT BUSINESS PENETRATION
  • MASTER BOOT RECORD MBR OVERWRITE ENCRYPTION
  • MIMIKATZ LSASS CREDENTIAL DUMPING INTEGRATED
  • MODIFIED PETYA BASE CODEBASE RIPPED RECOVERY MECHANISM
  • M E DOC SUPPLY CHAIN COMPROMISE
  • SANDWORM SIGNATURE DESTRUCTIVE CYBERWEAPON PLATFORM
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin