By Jack Stubbs and Matthias Williams
KIEV (Reuters) – The Ukrainian software firm used to launch last week’s global cyber attack warned on Wednesday that all computers sharing a network with its infected accounting software had been compromised by hackers.
The attack used a virus, dubbed “NotPetya” by some experts, to take down thousands of computers in dozens of countries, disrupting shipping and businesses. Investigators now say the hack may be far more nefarious than previously thought.
A top official in the Ukrainian Presidential Administration said it remained unclear how many computers had been compromised and the state security service was trying to establish what the hackers would do with data stolen during the attack.
A video released by Ukrainian police showed masked men in combat fatigues and armed with assault rifles raiding the offices of software developer Intellect Service late on Tuesday, after cyber security researchers said they had found a “back door” written into some of the updates issued by its M.E.Doc accounting software.
M.E.Doc is used by 80 percent of Ukrainian companies and installed on about 1 million computers in the country. Interior Minister Arsen Avakov said police had blocked a second cyber attack from servers hosting the software.
The company previously denied its servers had been compromised but when asked on Wednesday whether a back door had been inserted, Chief Executive Olesya Bilousova said: “Yes, there was. And the fact is that this back door needs to be closed.”
Any computer on the same network as machines using M.E.Doc was now vulnerable to another attack, she said.
“We need to pay the most attention to those computers which weren’t affected (by last week’s attack),” she told reporters.
“The virus is on them waiting for a signal. There are fingerprints on computers which didn’t even use our product.”
Dmytro Shymkiv, deputy head of Ukraine’s presidential administration and a former director of Microsoft in Ukraine, said the latest evidence further pointed to an advanced and well-orchestrated attack.
“I am looking through the analysis that has been done on the M.E.Doc server, and from what I’m seeing, that’s worrying. Worrying is a very light word for this,” he said. “How many back doors are still open? We don’t know.”
He also said M.E.Doc’s servers had not been updated since 2013, providing some indication as to how the hackers were able to access the system.
Intellect Service said Shymkiv’s comments referred to a disk used to store M.E.Doc’s software updates.
Cyber security experts said that while hackers have previously been known to insert viruses into software updates – thus tricking computers and system administrators into installing the malware on their own systems – the attack on Ukraine is the largest and most disruptive such assault to date.
“We are in a new phase of cyber security and the way that sophisticated actors behave,” said Leo Taddeo, a former FBI cyber investigator and executive with cyber security firm Cyxtera Technologies. “I can’t think of a supply chain attack that has been this thorough.”
Investigators still are trying to establish who was behind last week’s attack. Ukrainian politicians were quick to blame Russia, which denied it. A Trump administration official said the U.S. government was not yet ready to accuse Russia.
Security experts from U.S.-based Cisco Systems Inc.<CSCO.O> said they had examined Intellect’s machines at its invitation and determined that an attacker had used a password stolen from an employee to log in on company computer.
After escalating the access rights of that user, the attacker rewrote configuration files, directing customers seeking updates to tampered versions stored elsewhere, at a French web hosting company.
The software with the back doors could spread through other means and the attackers might have used those back doors to install other tools, said Craig Williams, senior technical leader for Cisco’s Talos intelligence unit. But since the infected machines were instructed to check in with a command machine that has been taken offline, they do not pose the greatest remaining risk.
Instead, the big worry is what else might have been pushed out by earlier tainted updates, Williams said. With Intellect’s servers disabled for now, it cannot push out “clean” updates to fix what customers have installed.
Williams said Talos believed the hackers were connected to previous attacks on Ukraine’s electric system and that it was “tempting” to ascribe the new attack to a national government, since there did not appear to be a profit motive.
“This wasn’t made for any other purpose but to destabilize businesses in the Ukraine,” Williams said.
Technology news site Motherboard reported on Wednesday that people claiming to be behind the attack had posted a message online offering to unlock all encrypted files for a bitcoin payment of $256,000. Reuters was unable to confirm the report.
Shymkiv said the assault was designed to look like a ransomware attack in order to disguise its true objective.
“Initially everybody thought, including me, that it was just an attack with a virus,” he said. “It was not an attack with a virus, it was opening a back door, which was a hack of the computer networks on a broad scale and then eliminating the results with a virus.”
“It’s like a robber, you get to the house, you steal everything, and then you burn it.”
(Additional reporting by Pavel Polityuk in Kiev, Jim Finkle in Toronto, Dustin Volz and Jonathan Landay in Washington D.C., and Joseph Menn in San Francisco; Editing by Gareth Jones and Bill Trott)