Security firm warns Ukraine is now a 'training ground' for Russian cyber-hackers
Ten minutes before the 2pm news broadcast on June 27, Vitaly Kovach, editor of Ukraine's Channel 24, stood and told his staff to unplug their network cables immediately.
The computers had frozen at the studio in Lviv and an editor there had sent him a picture of what looked like a ransomware message. But it was already too late to stop the virus: within minutes, 20 of 23 computers in the Kiev office were non-functional.
"All programmes froze, video editing froze," Mr Kovach recalled.
Although international businesses were also hit in the cyber attack - including large firms in Britain and Ireland - Ukraine was hit hard. More than 300 companies there would later say they were affected.
According to Oleksii Yasinsky of the Kiev cybersecurity firm ISSP, Ukraine has become a "training ground" for suspected Russian hackers to "hone technologies, mastery and attack techniques" for bigger targets.
The head of the United Kingdom national cyber security centre said in November that Russian hackers had already tried to attack British energy, telecom and media companies. Theresa May reprimanded Russia for cyber interference, a warning echoed by Boris Johnson during a visit to Moscow last week.
Russia denied it, but Mr Yasinsky is convinced another onslaught is coming.
"It will be a quiet attack," he said. "Whoever controls cyberspace will control the world."
The June incident was the latest in a series of attacks in Ukraine. Two days before Christmas 2015, hackers cut power to 225,000 people there. On Dec 17 2016, a power cut in Kiev plunged the capital into darkness.
The attacks were attributed to a hacker group called "Sandworm", believed by some to be linked to the group that interfered in US elections.
Although Russian state oil giant Rosneft claimed to have been targeted, it said it avoided serious consequences. After demonstrations brought a pro-Western government to power in 2014, Russia drew international reproach by annexing Crimea and backing separatists in eastern Ukraine.
But it also allegedly began a surreptitious incursion into Ukrainian cyberspace, stealing secrets and causing mayhem.
Initially, the June incident was said to be a ransomware attack, in which hackers encrypt files and hold them hostage for a fee. This proved to be a red herring. This new "NotPetya", as it was dubbed, targeted state actors and was not able to take ransom payments or restore the data it destroyed, leading ISSP and others to argue that it was state-sponsored wiper malware masquerading as ransomware.
The assassination by car bomb of a military intelligence colonel the same day in Kiev seemed to further link it to Russia's "hybrid war" against Ukraine.
Customers were unable to buy food as supermarket checkout systems crashed.
Cashpoints failed, operations at hospitals in Ukraine ground to a halt and a system to locate and request rare medicines stopped working. The national mail carrier, Ukrposhta, could not accept or deliver parcels for days.
Victims have been loth to report their losses, but Maersk, the Danish shipping container company, put the cost at $300.
The damage could have been worse if it had it not been a holiday weekend, according to Ihor Smilyansky, Ukrposhta's director.
"They picked that time just to send a message: 'We can do it. If we want, we can paralyse everything,'" he said.
The intended recipients were in Brussels, London and Washington, said John Hultquist, head of intelligence analysis at FireEye.
"They're demonstrating capabilities to make the West pause," he said.
"I don't think Russia is going to keep this bottled up in Ukraine."