Ukrainian banks, enterprises, media and energy companies under powerful cyber attack, including Chornobyl NPP – LiveUpdates

cyber attack

Start splash screen of a computer infected by ransomware used in the ongoing cyber attack on Ukrainian banks, energy companies, media organizations. Photograph: 24tv.ua 

Ukraine

A powerful cyber attack on Ukrainian banks, energy companies is underway. Reportedly, another WannaCry-like ransomware cryptoworm software is used to attack computers. The malware crypts all non-executable files on computers running Microsoft Windows operating system and demands ransom payments in the Bitcoin cryptocurrency. According to various sources, the companies under attack are: Oshchadbank state bank, energy companies – Dniproenergo, Zaporizhzhiaenergo, Kyivenergo, delivery company Nova Poshta, Ukrposhta state mail company, media holding TRK Luks managing 24 Kanal TV channel, Radio Luks, Radio Maksymum and other companies and organizations.

  • Cabinet of Ministers of Ukraine
  • Oshchadbank state bank
  • energy companies – Dniproenergo, Zaporizhzhiaenergo, Kyivenergo,
  • delivery company Nova Poshta,
  • Ukrposhta state mail company,
  • media holding TRK Luks, affiliating 24 Kanal TV channel, Radio Luks, Radio Maksymum,
  • News site Korrespondent.net
  • ATR TV channel
  • Boryspil International Airport
  • The sites of the National Police and the Cyber Police

 

Update 17:09: As of the data we have at this moment, a targeted mass-mailing attack was performed around 15:00. The email messages contained a ransomware. The virus is called Petya.A named probably after the diminutive form of the name Petro. The ransomware target computers running the Microsoft Windows operating systems. Preliminary, the virus encrypts not the files of certain types as WannaCry malware did, but the entire partitions of the hard drive. Most of the desktop computers and many servers in organizations and enterprises in Ukraine use Windows operating systems by Microsoft.

It is not the first cyber attack on key infrastructure objects in Ukraine. In December 2016, several districts of Kyiv and neighboring districts of Kyiv Oblast left without electricity, head of Ukrenergo energy company Vsevolod Kovalchuk said that “external interference in the data transfer systems” caused the blackout.

National Bank reports an “external cyber attack”

The National Bank of Ukraine warns banks and other companies in financial sector about an “external cyber attack using unknown virus” on several Ukrainian banks, as well as on commercial and state enterprises. the attack is underway today. The attack caused issues for the banks while serving customers, performing bank operations.

Update 16:18: Oshchadbank state bank has reported in their official statement that due to a hacker attack on a string of Ukrainian companies and banks, Oshchadbank had to limit “the functionality of services for clients”. According to reports on social networks, Oshchadbank ATM machines don’t service clients for now. The bank recommends using ATMs of other banks. According to reports on Twitter, national supermarket chain ATB doesn’t accept Oshchadbank cards today.

Update 17:27: Other banks hit by the attack were Pivdennyi, TASkombank, OTP Bank, and the state-owned Ukrgazbank, UNIAN reports.

Energy companies

According to Obozrevatel referring to their own source, “99% of computers in Zaporizhzhiaoblenergo, Dniproenergo and Dnipro electric energy system are blocked (encrypted).” 

Update 16:44: Kyivenergo and Ukrenergo energy companies were also under attack.

Media companies

TRK Luks media holding has reported a “devastating virus attack” that hit their offices in Kyiv and Lviv. The holding affiliates popular TV channel 24 Kanal, and radio stations Radio Luks, Radio Maksymum.

At 14:17 journalist Denys Bihus reported in his post on Facebook the blackout of 24 Kanal and both radio stations.

Popular Internet media korrespondent.net is down since about 15:00 by now (16:06).

Update 16:53: Journalist Ayder Muzhdabaev has published a photograph of an infected computer in the office of Crimean Tatar ATR TV channel. His comment was, “A greeting from RF [the Russian Federation] has also come to ATR office. UPD: The channels keeps broadcasting”:

Delivery services

As of now, 15:53, the official site of Ukrposhta state mail company is inaccessible.

All outlets of Nova Poshta delivery company have suspended service, Ukrainska Pravda reports. “Nova Poshta” reports the “massive attack by the Petya.A virus” on the information systems and the contact center of the company in Kyiv. This “temporary disabled the customer service” of the company.

Official institutions

Update 16:40: The sites of the National Police and the Cyber Police are inaccessible and served from the cache as of 16:40:

This slideshow requires JavaScript.

Transport

Update 16:48: Head of Boryspil International Airport wrote on his Facebook page that the airport and “several state enterprises” came under a “spam attack.”

Live Updates

Update 17:38: Ukrtelecom telephone company was attacked, it continues providing internet and telephony, however, its call center and computers of the service center are down, according to the post on the company’s official page on Facebook:

Update 17:43: Banking cards are not accepted for payments at Kyiv Metro:

Update 17:52: Petrol station chain KLO is “blocked by the virus attack,” the official KLO Facebook account reported:

Update 17:58: The Presidential Administration reports that its information systems and the cyber defense team “operate in the normal mode”:

Update 18:01: A photo of an infected computer reportedly taken at 14:45 at the Lenin plant in Babruysk, Belarus was published on Twitter:

Update 18:30: The official Twitter account of Ukraine responded to the cyberattack, “Some of our gov[ernment] agencies, private firms were hit by a virus. No need to panic, we’re putting utmost efforts to tackle the issue,” “this is fine” meme has been attached to the message:
https://twitter.com/Ukraine/status/879706437169147906

Update 18:39: Ukraine’s Prime Minister Volodymyr Groysman called the attack “unprecedented” but added that “vital systems haven’t been affected”:

Update 18:41: Ukraine’s Ministry of Finance reported, “[Information] systems of MinFin are operating. Our IT guards reacted fast and effectively,” and added in English, “Stay away, dear hackers, stay away.”

Update 18:48: PM Volodymyr Groysman’s tweet at 18:44: “Just now the Government Portal resumed operation. It is the first positive signal. The work continues to localize the virus and overcome the consequences of the cyber attack”

Update 19:16: The British WPP company has reported that IT systems in its several companies have been affected by a suspected cyber attack:

Update 19:24: Chornobyl’s radiation monitoring system has been affected by the cyber attack, AFP reports citing the spokeswoman.

An ATM in Kyiv:

Update 19:50
Danish Maersk company says its IT systems are down due to a cyber attack.

Executive director of the Europol Rob Wainwright says, “We are urgently responding to reports of another major ransomware attack on businesses in Europe.”

Europol reports:

Update 20:08 The Russian oil giant Rosneft was also hit, Norway’s National Security Authority said an “international company” there was affected, according to the Washington Post.

Update 20:31: The diagram published by the Russian Twitter account of Eset antivirus company clearly shows that Ukraine was the target of the cyber attack, the text commenting the diagram reads, “Rating of the countries most affected by Petya [virus]. The infection has started from Ukraine”:

Diagram: Twitter ESETNOD32Russia

Diagram: Twitter ESETNOD32Russia

Update 21:54: According to DefenseOne, the malware quickly infected nearly 300,000 computers worldwide. The virus uses two software exploits released in April by the hacking group called the Shadow Brokers.

Update 21:57: Earlier today, Deputy PM Pavlo Rozenko published a photograph of an infected computer with comment, “Ta-dam! It seems the computers at the Cabinet of Ministers of Ukraine have been knocked out. The network is down.”

Update 22:06: The Cyberpolice wrote, “It is preliminary found that the first virus attacks on Ukrainian companies could [be conducted] due to vulnerabilities of M.E.Doc [accounting] software”:

Update 22:31: The list of organizations and companies affected by the attack of Petya.A virus, according to CensorNet:

Government agencies
Cabinet of Ministers of Ukraine
Interior Ministry of Ukraine
Ministry of Culture
Ministry of Finance
National Police (including regional websites)
Cyberpolice
Kyiv State City Administration
Lviv City Council
Ministry of Energy
National BankBanks
Oshchadbank
Sberbank
TASKomertsbank
Ukrhazbank
Pivdennyi
ОТР Bank
KredobankTransport companies
Boryspil International Airport
Kyiv Metro
Ukrzaliznytsia (major railway carrier)Media
Radio Era-FM
Football.ua
STB
Inter
Pershyi Natsionalnyi
Telekanal 24
Luks Radio
Maksymum Radio
KP in Ukraine
ATR TV channel
Korrespondent.net

Large companies

Nova Poshta
Kyivenerho
Naftohaz Ukrainy
DTEK
Dniproenerho
Kyivvodokanal
Novus
Epicentr
Arcelor Mittal
Ukrtelekom
UkrposhtaCell phone operators
Lifecell
Kyivstar
Vodafone UkrainePharmacy/Hospitals
Farmak
Borys Medical Center
Feofania
Arterium CorporationGas stations
Shell
WOG
Klo
TNKForeign companies
Rosneft

Update 22:47: The State Service of Special Communication and Information Protection of Ukraine (Derzhspetszvyazku) reports that control of the situation has been currently taken. No state e-resource secured by common cyberdefense contour, released by Derzhspetszvyazku in the System of protected Internet access, was affected. Electronic state registries “were not damaged and didn’t sustain any other unauthorized operations.”

Update 23:02: Computer security expert Amit Serper says he has found a way to prevent the Petya malware from running:

Update 23:53: The unprecedented cyber attack of Petya/Petya.A/Petrwrap ransomware on Ukraine got mass сoverage in world media. Here are some of the stories published in the world press:

 

Update June 28, 00:03: According to Symantec antivirus company, Petya malware has been in existence since 2016. It differs from typical ransomware as it doesn’t just encrypt files, it also overwrites and encrypts the master boot record (MBR). In this 27 June attack, the ransom note is displayed on infected machines, demanding that $300 in bitcoins be paid to recover files.

Update 00:31: TrendMicro antivirus company has published the technical description of Petya ransomware,  showing the system vulnerabilities it uses and disclosing its infection flow. Each user is asked to pay US$300 to decrypt the encrypted data and, according to TrendMicro, approximately US$7,500 had been paid into the Bitcoin address of the adversary as the article was published. However, the company notes, “We advice against paying the ransom–this is particularly true in this case, as the email account mentioned in the ransom note is no longer active.”

Update 00:58: On 27 June at 18:08 Kharkiv International Airport informed on its Facebook page that staff were manually checking-in passengers due to a hacker attack. Everything else was operating as per normal:

Update 01:40: Jun27 afternoon, cashier checkout computers infected with Petya ransomware in a supermarket in Kharkiv, eastern Ukraine:

Update 02:11: Former U.S. ambassador to Russia, Michael McFaul has commented on the Petya cyber attack on Ukraine on his Twitter, “Shocking violation of Ukrainian sovereignty. I hope all world leaders who respect sovereignty will not only speak out but also act.”

Update 02:31: Petya ransomware reaches Australia, suspending operations at Cadbury’s Claremont factory:

Update 02:57: McAfee antivirus company has published a detailed technical analysis of Petya ransomware. The malware uses three different mechanisms attempting to infect remote computers. The first mechanism is Eternal Blue exploit, used also by WannaCry ransomware. Two other mechanisms are using the standard Microsoft remote administering tool psexec.exe and using the Windows Management Instrumentation Command-line (WMIC) to execute malware the executive components directly on the remote machine. This means that one infected computer can infect all vulnerable computers in the local network including servers running Windows operating systems.

Updates finished for today, good night.


Read more:

 

 

Tags: , ,

  • veth

    Why nobody starts a cyber attack on Russia?

    • chris chuba

      This exact type of Cyber attack WAS launched on Russia. The malware originated with the NSA
      https://theintercept.com/2017/05/12/the-nsas-lost-digital-weapon-is-helping-hijack-computers-around-the-world/
      How soon we forget.

      • PoeTentiate

        By organized crime. This one is a government sponsored event.

        • veth

          Organized crime=Russian government

          • PoeTentiate

            So who decided to hit Russia 6 months ago, Ukraine?

          • veth

            Russian Army is killing around in Ukraine for 3 years now, counterattack is no crime.

        • chris chuba

          Here is possible explanation. Since the NSA Malware was discovered a couple of mo’s ago, the Russians took aggressive measures to counter it. Kapersky runs a world renowned anti-virus company. Unfortunately, Ukraine has cut all ties to Russia so they didn’t benefit from Russia’s cyber hardening.

          In short, Ukraine is a softer target than Russia so it got hit harder by the criminals. But okay, if you want, blame Russia for all of Ukraine’s problems and embrace the loving arms of the U.S. if you must.

    • zorbatheturk

      Snakes don’t bite themselves.

  • veth

    Bring all the industry in Russia down, Gazprom, etc.

  • zorbatheturk

    A RuSSian bat is going around biting computers and infecting them. It answers to the name of ” Putin “.

  • Tony

    Stop using Windows, get professional Linux support from Suse or Novell or whoever is doing it these days.
    Consult Lithuania on Cyber security.
    Use this event as a reminder that russia is their enemy and that they need to unify to drive out Russian influence.