NotPetya
June 2017
Executive Summary
Destructive wiper malware disguised as ransomware, distributed via a compromised Ukrainian tax software update. Caused an estimated $10B+ in global damages, primarily affecting shipping, logistics, and pharmaceutical companies.
Why This Matters
NotPetya demonstrated that a cyber weapon aimed at one country can inflict billions in collateral damage worldwide, making it a landmark case for debating proportionality, state responsibility, and the limits of deniability in cyber conflict.
Escalation Profile
7-Dimension Profile
Escalation Ladder
Phases
Supply chain compromise
Backdoor inserted into M.E.Doc accounting software update mechanism.
Global wiper deployment
EternalBlue + Mimikatz-based lateral movement delivered irreversible disk destruction across 65+ countries.
Economic disruption at scale
Maersk, Merck, FedEx/TNT, and Rosneft among those crippled; global shipping delayed for weeks.
Threshold Crossings
- First cyber operation to cause >$10B in collateral economic damage
- Indiscriminate global propagation beyond intended target set
Restraint Factors
- Disguised as criminal ransomware, providing deniability
- No direct military targeting
Attribution Assessment
Threat actor mapped to Russia based on infrastructure analysis, malware attribution, and operational patterns.
Evidence: Microsoft Threat Intelligence: Petya Ransomware Attack
- Five Eyes joint attribution statement (Feb 2018)
- US DOJ indictment of six GRU officers (Oct 2020)
- EU sanctions against GRU entities
Sources: CISA Alert TA17-181A; US DOJ: Six Russian GRU Officers Indicted
No dedicated journalistic sources in dataset. See sources section for full references.
“Confirmed” reflects available public evidence. All assessments carry inherent uncertainty and should be read alongside source material.
Unpeace Position
Unpeace Score
Composite severity rating on the peace–conflict spectrum
Contributing Dimensions
Coercive Function
Destructive
Destruction of data or systems — coercive value through denial, punishment, or deterrence signaling.
Observed coercive effects
- First cyber operation to cause >$10B in collateral economic damage
- Indiscriminate global propagation beyond intended target set
Entanglement Risk
Sectors affected
Countries / regions
Impact summary
Irreversible disk encryption/wipe across ~2,000 organizations in 65+ countries.
Infrastructure Meaning
Malware / tooling
Capability profile
Irreversible disk encryption/wipe across ~2,000 organizations in 65+ countries.
4 ATT&CK techniques mapped — see ATT&CK mapping below.
Governance Analysis
Governance Flags
Norms invoked
- UN GGE 2015 norm against damaging critical infrastructure
- Due diligence obligations (Tallinn Manual Rule 6)
Policy responses
- Five Eyes joint attribution statement (Feb 2018)
- US DOJ indictment of six GRU officers (Oct 2020)
- EU sanctions against GRU entities
Regulatory changes
- Accelerated adoption of supply chain security requirements
- Increased focus on software bill of materials (SBOM)
Governance impact assessment
Established precedent for multilateral public attribution of destructive cyber operations and highlighted supply chain risk as a policy priority.
Sources
CISA Alert TA17-181A
Microsoft Threat Intelligence: Petya Ransomware Attack
US DOJ: Six Russian GRU Officers Indicted
Sources listed reflect publicly available materials used to construct this case entry. Inclusion does not imply endorsement. Where no URL is provided, the source may be found via its title and date.
Related Cases
Viasat KA-SAT
February 2022 · Russia
Viasat KA-SAT was the clearest example yet of cyber attack as an opening act of war, with cross-border collateral damage that forced NATO and the EU to treat satellite infrastructure as a shared security concern.
Kyivstar
December 2023 · Russia
Kyivstar represented the most destructive cyber attack against a telecommunications provider during active conflict, demonstrating ICS-equivalent destructive capability against civilian communication infrastructure and disrupting life-safety warning systems.
Ukraine Grid I
December 2015 · Russia
Ukraine 2015 was the first confirmed cyber-caused power outage, turning a theoretical risk into an operational reality that reshaped how governments defend energy grids.
Ukraine Grid II
December 2016 · Russia
Industroyer represented a generational leap in ICS malware sophistication — a modular, protocol-aware weapon that signaled the industrialization of grid-targeted cyber capabilities.