Ukrainian Software Firm's Servers Seized After Cyber Attack

M.E.Doc's owners deny that some initial infections last week were spread via a malicious update issued by their software.
Image: A computer screen warning reportedly holding computer files for ransom, part of a massive international cyberattack last week. (Oleg Reshetnyak / AP)

Source: Reuters

KIEV, Ukraine — Ukrainian police on Tuesday seized the servers of an accounting software firm suspected of spreading a malware virus that crippled computer systems at major companies around the world last week, a senior police official said.

The head of Ukraine's Cyber Police, Serhiy Demedyuk, told Reuters that the servers of M.E.Doc — Ukraine's most popular accounting software — had been seized as part of an investigation into the attack.

Although they are still trying to establish who was behind last week's attack, Ukrainian intelligence officials and security firms have said some of the initial infections were spread via a malicious update issued by M.E.Doc, allegations that the company's owners deny.

The owners weren't immediately available for comment on Tuesday.

Premium Service, which says it is an official dealer of M.E.Doc's software, wrote a post on M.E.Doc's Facebook page saying that masked men were searching M.E.Doc's offices and that the software firm's servers and services were down.

Premium Service couldn't be reached for further comment. Cyber Police spokeswoman Yulia Kvitko said further comment would be made Wednesday.

The police move came after cybersecurity investigators unearthed further evidence on Tuesday that the attack had been planned months in advance by highly skilled hackers, who they said had inserted a vulnerability into the M.E.Doc program.

Researchers at the Slovakian security software firm ESET said they had found a "backdoor" written into some of M.E.Doc's software updates, likely by attackers with access to the company's source code; the backdoor allowed hackers to enter companies' systems undetected.

"We identified a very stealthy and cunning backdoor that was injected by attackers into one of M.E.Doc's legitimate modules," senior malware researcher Anton Cherepanov said in a technical note. "It seems very unlikely that attackers could do this without access to M.E.Doc's source code."

"This was a thoroughly well-planned and well-executed operation," he said.

Oleg Derevianko, board chairman at Ukrainian cyber security firm ISSP, said an update issued by M.E.Doc in April delivered a virus to the company's clients, which instructed computers to download 350 megabytes of data from an unknown source on the internet.

The virus then exported 35 megabytes of company data to the hackers, he told Reuters in an interview at his office in Kiev.

"With this 35 megabytes, you can exfiltrate anything — emails from all of the banks, user accounts, passwords, anything."

Ukrainian intelligence officials accused Russian security services on Saturday of being behind the attack, and cybersecurity researchers linked it to a suspected Russian group that attacked the Ukrainian power grid in December.

A Kremlin spokesman dismissed charges of Russian involvement as "unfounded blanket accusations".

M.E.Doc is little known outside Ukrainian accounting circles, but it is used by around 80 percent of companies in Ukraine. The software allows its 400,000 clients to send and collaborate on financial documents among internal departments, as well as file them with the Ukrainian state tax service.

Ukraine's government said Tuesday that it would submit a draft law to Parliament to extend the country's tax deadline to July 15 and to waive fines for companies that missed the June 13 cutoff because of the attack.