Ukraine scrambles to contain new cyber threat after NotPetya attack
The Ukrainian software firm used as part of last week’s global cyber attack warned on Wednesday that all computers sharing a network with its infected accounting software had been compromised by hackers.
The attack used a virus, dubbed “NotPetya” by some experts, to take down thousands of computers in dozens of countries, disrupting shipping and businesses.
A video released by Ukrainian police showed masked men in combat fatigues and armed with assault rifles raiding the offices of software developer Intellect Service late on Tuesday, after cybersecurity researchers said they had found a “backdoor” written into some of the updates issued by its M.E. Doc accounting software.
M.E. Doc is used by 80 percent of Ukrainian companies and installed on around 1 million computers in the country. Interior Minister Arsen Avakov said police had blocked a second cyber attack from servers hosting the software.
Intellect Service previously denied its servers had been compromised, but when asked on Wednesday whether a backdoor had been inserted, Chief Executive Olesya Bilousova said: “Yes there was. And the fact is that this backdoor needs to be closed.”
Any computer on the same network as machines using M.E.Doc was now vulnerable to another attack, she said.
“As of today, every computer which is on the same local network as our product is a threat. We need to pay the most attention to those computers which weren’t affected (by last week’s attack),” she told reporters.
“The virus is on them waiting for a signal. There are fingerprints on computers which didn’t even use our product.”
Cyber security experts said that while hackers have previously been known to insert viruses into software updates – thus tricking computers and system administrators into installing the malware on their own systems – the attack on Ukraine is the largest and most disruptive such assault to date.
“We are in a new phase of cyber security and the way that sophisticated actors behave,” said Leo Taddeo, a former FBI cyber investigator and executive with cyber-security firm Cyxtera Technologies. “I can’t think of a supply chain attack that has been this thorough.”
Smokescreen
Investigators are still trying to establish who was behind last week’s attack, which hit a month after the Wannacry ransomware virus crippled computers at hospitals, banks and business around the world.
Ukrainian politicians were quick to blame Russia, which denied it. Ukrainian cyber police and some experts say the attack was probably a smokescreen used by the hackers to install new malware.
“After developing the backdoor, the attackers compromised users’ account details with the aim of getting full access to the network,” the cyber police said in a statement.
Little known outside Ukrainian accounting circles, M.E.Doc is used by around 400,000 companies in Ukraine to send and collaborate on financial documents between internal departments, and to file them with the Ukrainian state tax service.
Police have advised businesses to stop using the software and turn off every computer running it.
Ukraine’s government said on Tuesday it would submit a draft law to parliament to extend the tax deadline to July 15, and waive fines for companies who missed the previous June 13 cutoff because of the attack.
Losses from the NotPetya and Wannacry infections are seen totalling $8 billion, but Finance Minister Oleksandr Danylyuk told Reuters that estimates the attacks could cost Ukraine 0.5 percent of its annual GDP were exaggerated. “I don’t think it will be that high at all,” he said.
ESET senior malware researcher Anton Cherepanov, who first discovered the M.E.Doc backdoor, said computers using the programme would be at risk until a further update was issued.
But as the company’s servers were currently offline, he said, hackers could not currently access the compromised machines.
“The backdoor is using official M.E.Doc servers as a command and control server. Since these servers are offline, the attackers can’t control backdoored machines anymore,” he said in written comments to Reuters.