Supply Chain Incident
NotPetya distributed through M.E.Doc update channel
The NotPetya destructive malware outbreak was seeded through the compromised software update mechanism of M.E.Doc, a Ukrainian accounting product, used by M.E.Doc customers.
Affected Packages
No structured records.
Affected Releases
No structured records.
Repositories
No structured records.
Organizations
Maintainers
No structured records.
Threat Actors
Campaigns
Build Systems
No structured records.
Distribution Channels
- Vendor software update channel
Compromised Accounts
No structured records.
Connected Entities
- Intellect Service (Organization)
- NotPetya Destructive Campaign: Sandworm Global Wiper Operation (2017) (Campaign)
- Sandworm (Threat Actor)
- Vendor software update channel (Distribution Channel)
Attribution Evidence
The DOJ NotPetya charging document supports the Sandworm attribution used for this supply-chain incident edge.
The modeled campaign node covers the Sandworm NotPetya destructive campaign tied to the M.E.Doc update compromise.
References
- Petya Ransomware. Cybersecurity and Infrastructure Security Agency · 2017-07-01
- Six Russian GRU Officers Charged in Connection with Worldwide Deployment of Destructive Malware. U.S. Department of Justice · 2020-10-19