the M.E.Doc update had a backdoor that could potentially be used to launch another
cyberattack. On seeing signs of another cyberattack, the Ukrainian police raided the offices
of MeDoc on 4 July 2017 and seized their servers. MeDoc's CEO stated that they were
now aware there had been a backdoor installed on their servers, again refuted their
involvement in the attack, and were working to help authorities identify the source.[16][32]
Security company ESET found that the backdoor had been installed on MeDoc's updater
service as early as 15 May 2017, while experts from Cisco Systems' Talos group found
evidence of the backdoor as early as April 2017; either situation points to the cyberattack
as a "thoroughly well-planned and well-executed operation".[33] Ukrainian officials have
stated that Intellect Service will "face criminal responsibility", as they were previously
warned about lax security on their servers by anti-virus firms prior to these events but did
not take steps to prevent it.[34] Talos warned that due to the large size of the MeDoc update
that contained the NotPetya malware (1.5 gigabytes), there may be other backdoors that
they have yet to find, and another attack could be possible.[33]
Attribution
On 30 June, the Security Service of Ukraine (SBU) reported it had seized the equipment
that had been used to launch the cyberattack, claiming it to have belonged to Russian
agents responsible for launching the attack.[35] On 1 July 2017 the SBU claimed that
available data showed that the same perpetrators who in Ukraine in December 2016
attacked the financial system, transport and energy facilities of Ukraine (using TeleBots
and BlackEnergy)[36] were the same hacking groups who attacked Ukraine on 27 June 2017.
"This testifies to the involvement of the special services of Russian Federation in this
attack," it concluded.[7][37] (A December 2016 cyberattack on a Ukrainian state energy
computer caused a power cut in the northern part of the capital, Kiev.)[7] Russia–Ukraine
relations have been frozen since Russia's 2014 annexation of Crimea, followed by a
Russian government-backed separatist insurgency in eastern Ukraine in which more than
10,000 people had died by late June 2017.[7] (Russia has repeatedly denied sending troops
or military equipment to eastern Ukraine.)[7] Ukraine claims that hacking Ukrainian state
institutions is part of what it describes as a "hybrid war" waged by Russia on Ukraine.[7]
On 30 June 2017, cyber security firm ESET claimed that the Telebots group (which they
claimed had links to BlackEnergy) was behind the attack: "Prior to the outbreak, the
Telebots group targeted mainly the financial sector. The latest outbreak was directed
against businesses in Ukraine, but they apparently underestimated the malware's
spreading capabilities. That's why the malware went out of control."[7] ESET had earlier
reported that BlackEnergy had been targeting Ukrainian cyber infrastructure since 2014.[38]
In December 2016, ESET had concluded that TeleBots had evolved from the
BlackEnergy hackers and that TeleBots had been using cyberattacks to sabotage the
Ukrainian financial sector during the second half of 2016.[39]
Around the time of the 4 July raid on MeDoc, the $10,000 in bitcoin already paid into the
listed NotPetya wallets had been moved out, and experts believed it was used to buy
space on the anonymous Tor network. One message posted there, purportedly from the
NotPetya authors, demanded 100,000 bitcoin (about $2.6 million) to halt the attack and
decrypt all affected files.[16] On 5 July 2017, a second message purportedly from the
NotPetya authors was posted on a Tor website, demanding that those who wished to decrypt their
files send 100 bitcoin (approximately $250,000). The message was signed with the
same private key used by the original Petya ransomware, suggesting the same group was
responsible for both.[40]
According to reports cited in January 2018, the United States Central Intelligence
Agency claimed that Russia was behind the cyberattack, with Russia's Main Intelligence
Directorate (GRU) having designed NotPetya.[41] Similarly, in February 2018 the United Kingdom Ministry of
Defence accused Russia of launching the cyberattack, stating that by attacking
systems in Ukraine, the cyberattack would spread to and affect major systems in the
United Kingdom and elsewhere. Russia denied its involvement, pointing out that
Russian systems were also affected by the attack.[42]
Wired technology writer Andy Greenberg, in reviewing the history of the cyberattacks, said
that the attacks came from a Russian military hacking group called "Sandworm". Greenberg
asserted that Sandworm was behind the 2016 blackouts in Kiev, among other events. The
group had been focusing on hacking into Ukraine's financial sector and, sometime in early
2017, had been able to gain access to M.E. Doc's update servers, so that they could be used
maliciously to send out the cyberattack in June 2017.[19]
Affected companies
Companies affected include Antonov, Kyivstar, Vodafone Ukraine, lifecell, TV
channels STB, ICTV and ATR, Kiev Metro, UkrGasVydobuvannya (UGV), gas stations
WOG, DTEK, EpiCentre K, Kyiv International Airport
(Zhuliany), Prominvestbank, Ukrsotsbank, KredoBank, Oshchadbank and others,[13] with
over 1,500 legal entities and individuals having contacted the National Police of Ukraine to
report that they had been victimized by the 27 June 2017 cyberattack.[43] Oshchadbank was
again fully functional on 3 July 2017.[44] Ukraine's electricity company's computers also went
offline due to the attack, but the company continued to operate fully without using
computers.[8]
While more than 80% of affected companies were from Ukraine, the ransomware
also spread to several companies in other countries, because those businesses had
offices in Ukraine and networks spanning the globe. Non-Ukrainian companies reporting
incidents related to the attack include food processor Mondelez International,[45] the APM
Terminals subsidiary of international shipping company A.P. Moller-Maersk,
the FedEx shipping subsidiary TNT Express (in August 2017 its deliveries were still
disrupted due to the attack),[46] Chinese shipping company COFCO Group, French
construction materials company Saint Gobain,[47] advertising agency WPP plc,[48] Heritage
Valley Health System of Pittsburgh,[49] law firm DLA Piper,[50] pharmaceutical company Merck
& Co.,[51] consumer goods maker Reckitt Benckiser, and software provider Nuance
Communications.[52] A Ukrainian police officer believes that the ransomware attack was
designed to go global so as to distract from the directed cyberattack on Ukraine.[53]
The cost of the cyberattack had yet to be determined, as, a week after the initial attack,
companies were still working to mitigate the damage. Reckitt Benckiser lowered its sales
estimates by 2% (about $130 million) for the second quarter, primarily due to the attack having
affected its global supply chain.[52][54] Tom Bossert, the Homeland Security adviser to the
President of the United States, stated that the total damage was over US$10 billion.[19]
Estimated damages to specific companies included over US$870 million to
Merck, US$400 million to FedEx, US$384 million to Saint-Gobain, and US$300 million to
Maersk.[19]
Reaction
Secretary of the National Security and Defence Council of Ukraine Oleksandr
Turchynov claimed there were signs of Russian involvement in the 27 June cyberattack,
although he did not give any direct evidence.[55] Russian officials have denied any
involvement, calling Ukraine's claims "unfounded blanket accusations".[35]
NATO Secretary-General Jens Stoltenberg vowed on 28 June 2017 that NATO would
continue its support for Ukraine to strengthen its cyber defence.[56]
The White House Press Secretary released a statement on 15 February 2018 attributing
the attack to the Russian military, calling it "the most destructive and costly cyberattack in
history."[57]