US CISA, UK NCSC, Australian Cyber Security Centre, and Canadian Centre for Cyber Security jointly attributed NotPetya to the Russian GRU in February 2018. The coordinated multi-government attribution reflects shared intelligence and corroborating technical evidence across allied services.

The US DOJ unsealed an indictment in October 2020 naming six GRU Unit 74455 officers — Andrienko, Detistov, Frolov, Ochichenko, Pliskin, and Kovalev — with granular technical detail of the NotPetya operation, including specific dates, infrastructure, and methods. Criminal indictments require prosecutorial confidence in evidentiary sufficiency.

ESET, Cisco Talos, and multiple firms independently confirmed that NotPetya entered networks via a trojanised update to M.E.Doc Ukrainian tax software. The update servers had been compromised weeks before the June 27 detonation date. This supply-chain mechanism is technically documented with file-hash and network-traffic evidence.

Forensic analysis confirmed NotPetya used the NSA EternalBlue exploit (MS17-010) for lateral movement combined with Mimikatz credential harvesting. This combination allowed it to spread even to fully patched machines via harvested admin credentials — explaining why large enterprise networks with mixed patch states suffered near-total compromise.

Unlike genuine ransomware, NotPetya had no functional decryption mechanism. The ransom note was cosmetic. Overwriting the MBR with a custom bootloader and encrypting the MFT without a retrievable key confirmed wiper intent. The ransomware disguise was designed to delay attribution and obscure the geopolitical nature of the attack.

Maersk ($300M), Merck ($870M), FedEx/TNT ($400M), Mondelèz ($100M), and Saint-Gobain (€220M) damage figures are drawn from SEC filings, earnings calls, and audited financial disclosures — not self-serving estimates. The aggregate $10B+ figure is the most thoroughly documented economic impact of any cyberattack in history.

The M.E.Doc delivery mechanism — targeting Ukrainian tax-software users — and the timing (Ukrainian Constitution Day eve) indicate Ukraine as the primary target. The global collateral damage to multinationals with Ukrainian operations reflects poor containment design, not an intent to attack global commerce directly.

Mondelèz sued Zurich Insurance after a $100M claim was denied under a war-exclusion clause covering "hostile or warlike action" by a sovereign state. The case — settled in 2022 on undisclosed terms — validated the legal seriousness of nation-state attribution in cyber insurance contexts and prompted industry-wide review of war exclusion language.

The widely cited $10 billion global damage figure derives primarily from reported losses by Maersk (~$300M), Merck (~$870M), FedEx/TNT (~$400M), and Mondelez (~$100M), with the remainder estimated by extrapolation across less-reported victims. Insurance and reinsurance actuaries have noted significant methodological uncertainty in aggregating self-reported business-interruption losses across diverse sectors. The headline figure, while plausible, should be understood as an order-of-magnitude estimate rather than an audited total, and does not itself imply a broader conspiracy beyond the documented GRU Sandworm deployment.

The primary NotPetya vector was M.E.Doc, Ukrainian accounting software with a near-monopoly in Ukraine's business community, strongly suggesting a Ukraine-specific initial targeting decision. The worm's self-propagating SMB component caused reckless global spread that affected Russian-owned entities (Rosneft) as well as Western firms, which is inconsistent with a designed global attack. US, UK, Australian, and Canadian government attribution to Sandworm for a Ukraine-focused operation — with collateral damage — is more precisely scoped than characterisations of NotPetya as a deliberately global infrastructure attack.

Maersk ($300M), Merck ($870M), FedEx/TNT ($400M), Mondelèz ($100M), and Saint-Gobain (€220M) damage figures are drawn from SEC filings, earnings calls, and audited financial disclosures — not self-serving estimates. The aggregate $10B+ figure is the most thoroughly documented economic impact of any cyberattack in history.

The M.E.Doc delivery mechanism — targeting Ukrainian tax-software users — and the timing (Ukrainian Constitution Day eve) indicate Ukraine as the primary target. The global collateral damage to multinationals with Ukrainian operations reflects poor containment design, not an intent to attack global commerce directly.

Mondelèz sued Zurich Insurance after a $100M claim was denied under a war-exclusion clause covering "hostile or warlike action" by a sovereign state. The case — settled in 2022 on undisclosed terms — validated the legal seriousness of nation-state attribution in cyber insurance contexts and prompted industry-wide review of war exclusion language.

US CISA, UK NCSC, Australian Cyber Security Centre, and Canadian Centre for Cyber Security jointly attributed NotPetya to the Russian GRU in February 2018. The coordinated multi-government attribution reflects shared intelligence and corroborating technical evidence across allied services.

The US DOJ unsealed an indictment in October 2020 naming six GRU Unit 74455 officers — Andrienko, Detistov, Frolov, Ochichenko, Pliskin, and Kovalev — with granular technical detail of the NotPetya operation, including specific dates, infrastructure, and methods. Criminal indictments require prosecutorial confidence in evidentiary sufficiency.

ESET, Cisco Talos, and multiple firms independently confirmed that NotPetya entered networks via a trojanised update to M.E.Doc Ukrainian tax software. The update servers had been compromised weeks before the June 27 detonation date. This supply-chain mechanism is technically documented with file-hash and network-traffic evidence.

Forensic analysis confirmed NotPetya used the NSA EternalBlue exploit (MS17-010) for lateral movement combined with Mimikatz credential harvesting. This combination allowed it to spread even to fully patched machines via harvested admin credentials — explaining why large enterprise networks with mixed patch states suffered near-total compromise.

Unlike genuine ransomware, NotPetya had no functional decryption mechanism. The ransom note was cosmetic. Overwriting the MBR with a custom bootloader and encrypting the MFT without a retrievable key confirmed wiper intent. The ransomware disguise was designed to delay attribution and obscure the geopolitical nature of the attack.

The widely cited $10 billion global damage figure derives primarily from reported losses by Maersk (~$300M), Merck (~$870M), FedEx/TNT (~$400M), and Mondelez (~$100M), with the remainder estimated by extrapolation across less-reported victims. Insurance and reinsurance actuaries have noted significant methodological uncertainty in aggregating self-reported business-interruption losses across diverse sectors. The headline figure, while plausible, should be understood as an order-of-magnitude estimate rather than an audited total, and does not itself imply a broader conspiracy beyond the documented GRU Sandworm deployment.

The primary NotPetya vector was M.E.Doc, Ukrainian accounting software with a near-monopoly in Ukraine's business community, strongly suggesting a Ukraine-specific initial targeting decision. The worm's self-propagating SMB component caused reckless global spread that affected Russian-owned entities (Rosneft) as well as Western firms, which is inconsistent with a designed global attack. US, UK, Australian, and Canadian government attribution to Sandworm for a Ukraine-focused operation — with collateral damage — is more precisely scoped than characterisations of NotPetya as a deliberately global infrastructure attack.