
Ukrainian Authorities Seize Accounting Firm's Servers in Connection to 'NotPetya' Ransomware

The Ukrainian accounting software company M.E.Doc was raided by police after it was found to be connected to the NotPetya malware.

Authorities in Ukraine seized the servers of an accounting software company whose owners are suspected of aiding the spread of the NotPetya ransomware, a Ukrainian police representative said last Tuesday. The malware had destroyed a large number of machines and corporate networks at several big-name firms across the globe the week before.

Serhiy Demedyuk, head of Ukraine's Cyber Police Division, commented on the seizure of the servers of M.E.Doc, Ukraine's largest accounting software firm. Demedyuk said the servers had been taken as part of the investigation into the NotPetya malware, which had nearly crippled Ukraine a few weeks earlier.

Although M.E.Doc is little known outside Ukraine's accounting field, its software is used by more than 80% of the accounting firms in the country, roughly 400,000 clients according to researchers. The software lets users exchange and collaborate on financial data across departments and divisions, and file with the Ukrainian tax authorities.

At this point, Demedyuk and the Ukrainian Cyber Police are still piecing together exactly what happened and who is responsible. However, Ukraine's military intelligence, with help from local security software vendors, has found that many of the first NotPetya infections were propagated through a tainted update released by none other than M.E.Doc. The owners of the accounting software company deny this; as of the time of writing they have not been available for further comment.

Premium Service, a company claiming to be the official distributor of M.E.Doc products, posted on M.E.Doc's social media accounts that unknown men wearing masks were searching M.E.Doc's offices and that the company's systems had been taken offline.

Yulia Kvitko, a spokesperson for Ukraine's Cyber Police, explained that the investigation was not yet over and that police officers were still at M.E.Doc's central office. Kvitko added that further statements would be released at a later date.

Ukraine's Cyber Police took notice of the firm only after cyber-security experts produced convincing evidence last Tuesday that the massive hacking campaign had been planned for a long time, weeks or even months. The attackers were highly skilled and experienced, and police say they compromised M.E.Doc's software through a unique vulnerability.

Researchers at the Slovakian security software company ESET also commented on the situation. They said they had discovered a backdoor coded into M.E.Doc's app updates, which they believe the attackers could hardly have done without access to the accounting firm's source code; otherwise they would likely not have been able to do it undetected.

"We identified a very stealthy and cunning backdoor that was injected by attackers into one of M.E.Doc's legitimate modules. It seems very unlikely that attackers could do this without access to M.E.Doc's source code," noted Anton Cherepanov, senior malware expert at ESET. "This was a thoroughly well-planned and well-executed operation," he added.

ESET researchers said that at least three M.E.Doc updates had carried the backdoor. According to them, the first was released on April 14 this year, so the implant went undetected for more than two months before the attack.

After the large-scale attack hit various firms in Ukraine, the Ukrainian government acted last Tuesday to extend the country's state tax deadlines by a month to relieve companies that had fallen victim to NotPetya. Last Saturday Ukraine's intelligence agencies accused Russia of being responsible for the attack, after security researchers linked it to a suspected Russian hacker group that many believe was behind the massive power outage in Kiev last year.

Unsurprisingly, Moscow has denied the accusations.
