Ukrainian police yesterday seized the servers of an accounting software firm suspected of spreading a malware virus which crippled computer systems at major companies around the world last week, a senior police official said.
The head of Ukraine’s Cyber Police, Serhiy Demedyuk, told Reuters the servers of M.E.Doc – Ukraine’s most popular accounting software – had been seized as part of an investigation into the attack.
Though they are still trying to establish who was behind last week’s attack, Ukrainian intelligence officials and security firms have said some of the initial infections were spread via a malicious update issued by M.E.Doc, charges the company’s owners deny.
The owners were not immediately available for comment on Tuesday.
Premium Service, which says it is an official dealer of M.E.Doc’s software, wrote a post on M.E.Doc’s Facebook page saying masked men were searching M.E.Doc’s offices and that the software firm’s servers and services were down.
Premium Service could not be reached for further comment.
Cyber Police spokeswoman Yulia Kvitko said investigative actions were continuing at M.E.Doc’s offices, adding that further comment would be made on Wednesday.
The police move came after cyber security investigators unearthed further evidence on Tuesday that the attack had been planned months in advance by highly-skilled hackers, who they said had inserted a vulnerability into the M.E.Doc program.
Ukraine also took steps on Tuesday to extend its state tax deadline by one month to help businesses hit by the NotPetya malware assault.
Researchers at Slovakian security software firm ESET said they had found a “backdoor” written into some of M.E.Doc’s software updates, likely with access to the company’s source code, which allowed hackers to enter companies’ systems undetected.
“We identified a very stealthy and cunning backdoor that was injected by attackers into one of M.E.Doc’s legitimate modules,” ESET senior malware researcher Anton Cherepanov said in a technical note. “It seems very unlikely that attackers could do this without access to M.E.Doc’s source code.”
“This was a thoroughly well-planned and well-executed operation,” he said.
ESET said at least three M.E.Doc updates had been issued with the “backdoor vulnerability”, and the first one was sent to clients on 14 April, more than two months before the attack.
ESET said the hackers likely had access to M.E.Doc’s source code since the beginning of the year, and the detailed preparation before the attack was testament to the advanced nature of their operation.
Oleg Derevianko, board chairman at Ukrainian cyber security firm ISSP, said an update issued by M.E.Doc in April delivered a virus to the company’s clients which instructed computers to download 350MB of data from an unknown source on the Internet.
The virus then exported 35MB of company data to the hackers, he told Reuters in an interview at his office in Kiev.
“With this 35MB you can exfiltrate anything – e-mails from all of the banks, user accounts, passwords, anything.”
Little known outside Ukrainian accounting circles, M.E.Doc is used by around 80% of companies in Ukraine. The software allows its 400 000 clients to send and collaborate on financial documents between internal departments, as well as file them with the Ukrainian state tax service.
Ukraine’s government said on Tuesday it would submit a draft law to parliament for the country’s tax deadline to be extended to 15 July, and waive fines for companies that missed the previous 13 June cut-off because of the attack.
“We had program failures in connection to the cyber attack, which meant that businesses were unable to submit account reports on time,” prime minister Volodymyr Groysman told a cabinet meeting.
Separately, Ukraine’s security service, the SBU, said it had discussed cyber defence with NATO officials and had received equipment from the alliance to better combat future cyber attacks. Ukraine is not in NATO but is seeking closer ties.
On Saturday, Ukrainian intelligence officials accused Russian security services of being behind the attack, and cyber security researchers linked it to a suspected Russian group who attacked the Ukrainian power grid in December 2016.
A Kremlin spokesman dismissed charges of Russian involvement as “unfounded blanket accusations”.
Derevianko said the hacker’s activity in April and reported access to M.E.Doc’s source code showed Ukraine’s computer networks had already been compromised and that the intruders were still operating inside them.
“It definitely tells us about the advanced capabilities of the adversaries,” he said. “I don’t think any additional evidence is needed to attribute this to a nation-state attack.”
Copyright 2017 Reuters Limited. All rights reserved. Republication and redistribution of Reuters content is expressly prohibited without the prior written consent of Reuters. Reuters shall not be liable for any errors or delays in the content, or for any actions taken in reliance thereon.
Our comments policy does not allow anonymous postings. Read the policy here