In June 2017, Cofco’s operations in Argentina were severely disrupted by the NotPetya wiper virus, a destructive cyber attack originating from a compromised update of the Ukrainian accounting software M.E.Doc. The malware, distributed via a backdoor in M.E.Doc’s update mechanism, spread globally, crippling systems at Cofco and halting critical operations. The attack caused operational interruptions, slowing wheat and fertilizer shipments and threatening soybean exports to China, Argentina’s primary trade partner, during peak export season. Cofco was collateral damage in a broader cyber offensive attributed to Russia’s Sandworm Team (Unit 74455), which initially targeted Ukrainian systems. The incident underscored the cascading risks of supply-chain attacks, where a single compromised vendor (Intellect Service/M.E.Doc) enabled widespread disruption across unrelated industries, including agriculture and logistics. The financial and reputational fallout was compounded by the timing, as delays in shipments risked contractual penalties and strained relationships with key buyers like China. The attack also exposed vulnerabilities in third-party software dependencies, forcing Cofco to grapple with recovery while global cybersecurity firms, including Talos, investigated the breach’s origins in Ukraine.
TPRM report: https://www.rankiteo.com/company/cofco
"id": "cof651092025",
"linkid": "cofco",
"type": "Cyber Attack",
"date": "6/2017",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'industry': ['Agriculture',
                                     'Food Processing',
                                     'Logistics'],
                        'location': 'Argentina',
                        'name': 'Cofco',
                        'type': 'Multinational Corporation'}],
 'attack_vector': ['Compromised Software Update',
                   'Backdoor in M.E.Doc',
                   'Supply Chain Compromise'],
 'date_detected': '2017-06-28',
 'description': 'Cofco was affected by the NotPetya wiper virus in Argentina '
                'in June 2017. The attack originated from compromised software '
                'updates of the Ukrainian accounting program M.E.Doc, '
                'developed by Intellect Service. Hackers (Sandworm Team/Unit '
                "74455, linked to Russia) infiltrated Intellect Service's "
                'systems for months, embedding a backdoor in M.E.Doc updates '
                "to distribute NotPetya. The attack disrupted Cofco's "
                'operations, slowing wheat and fertilizer shipments and '
                'threatening soybean exports to China during peak season. '
                'Cofco was collateral damage in a broader attack targeting '
                'Ukrainian systems.',
 'impact': {'downtime': True,
            'operational_impact': ['Shipment Delays (wheat, fertilizer)',
                                   'Threat to Soybean Exports to China',
                                   'Disruption During Peak Export Season'],
            'systems_affected': ['Operational Systems',
                                 'Logistics/Supply Chain Systems']},
 'initial_access_broker': {'backdoors_established': True,
                           'entry_point': 'Compromised M.E.Doc software '
                                          'updates (Intellect Service)',
                           'high_value_targets': ['Ukrainian Tax Authorities',
                                                  'M.E.Doc Customers '
                                                  '(including Cofco)'],
                           'reconnaissance_period': 'Months (prior to June '
                                                    '2017)'},
 'investigation_status': 'Partially Investigated (Talos assisted M.E.Doc; root '
                         'cause traced to Intellect Service compromise)',
 'motivation': ['Geopolitical (targeting Ukraine)',
                'Collateral Damage (global spread)'],
 'post_incident_analysis': {'root_causes': ['Long-term compromise of Intellect '
                                            'Service',
                                            'Backdoor in M.E.Doc updates',
                                            'Lack of update integrity checks']},
 'response': {'third_party_assistance': ['Talos Security (assisted M.E.Doc in '
                                         'Ukraine)']},
 'threat_actor': ['Sandworm Team', 'Unit 74455', 'Russia-linked APT'],
 'title': 'Cofco Hit by NotPetya Wiper Virus in Argentina (June 2017)',
 'type': ['Cyber Attack', 'Wiper Malware', 'Supply Chain Attack'],
 'vulnerability_exploited': 'Backdoor in M.E.Doc software updates (Intellect '
                            'Service)'}