Servers associated with NotPetya attack seized by Ukrainian Police

Last week the computer systems of several companies in Europe were infected with NotPetya malware. At first, the researcher thought it’s just another ransomware attack like the WannaCry one but later discovered that NotPetya is a disk wiper that locks a victim’s data files and throws away the decryption key.

Now, Police in Ukraine has seized the servers of the accounting firm M.E.Doc, which has apparently been responsible for the spread of the malicious virus NotPetya causing severe damage to the networks of various companies in Europe last week.

M.E.Doc’s software update

The police stated that it found the servers of the M.E.Doc to be infected with the malware, which entered through the company’s update system which the company launched as part of its widely used accounting software

While the original hackers who are responsible for loading the organization’s system with the malware have not yet been identified, the police hold M.E.Doc liable for the damages and for being negligent with its security protocols.

As such, M.E.Doc is likely to pay fines for not upgrading its security system.

Also, the police, fortunately, got hold of the servers right before another software update was about to be released. As of now, the spread of the NotPetya malware has been stopped, and no more victims have been reported.

M.E.Doc’s accounting software was compromised through backdoors

M.E.Doc is a well-known organization that supplies accounting software used by 80% of the corporations in Ukraine. The NotPetya malware was found to be in the update system of the software and used the EternalBlue exploit to infiltrate M.E.Doc’s systems.

One of the officials from Ukraine’s cyber security unit told AP that M.E.Doc knew about its security flaws and yet did not do anything.

Furthermore, according to the security analyst, Jonathan Nichols, the nature of the attack was quite simple and could have used basic tools to compromise the system.

“The potentiality for trivial attacks is not limited just to this exploit. Multiple exploits exist for all of these services, and any number of them could have been used by non-state actors with little to no experience in hacking,” writes Nichols.

Hackers probably had access to the company’s source code

Experts say that hackers might have already had access to M.E.Doc’s source code and they used it to install backdoors in the organization’s system. This subsequently allowed the hackers to infiltrate M.E.Doc’s system without raising any alarms.

Ukraine is currently collaborating with NATO which has provided the necessary equipment to fight against such cyber attacks. Also, according to NATO, compromised software was exploited to infect the target.

Seized M.E.Doc’s server (Image Credit: Ukrainian police)

A well-thought out attack

Research from ESET believes that the attack was well planned and the hackers must have been plotting long before the attack was actually launched.

He says that the vulnerability in M.E.Doc’s existed since April 14 and it is more than likely that the hacker group gained access to the company’s system probably at the start of the year.

Tax payment postponed

The Accounting software of the company is used for various financial tasks, and one of those is concerned with taxation.

Since the systems of various large corporations had been compromised, tax payments due on the 13th of June was out of the question. As such, the government postponed the deadline to July 15.

Who is behind the attack?

The actual culprits, as mentioned earlier, have not been identified. However, Ukraine suspects Russia to be behind all this and specifically links the attack to the 2016 nation-wide infiltration of its power grid system.

The Kremlin responded by saying that the claims are based on no hard evidence and emphasized the fact that the hackers were able to access M.E.Doc’s source code, which is enough an indication that the attack was not a nation-state.

Watch the policies raiding M.E.Doc’s office

Related Posts