UKRANIAN POLICE have seized the servers of Intellect Service, the company responsible for accounting firm ME Doc whose software was compromised to propagate the NotPetya malware last week,
The head of Ukraine's cyber police, Serhiy Demedyuk, confirmed the seizure on Tuesday. This followed claims by one of the company's official dealers on Facebook that "masked men" were searching ME Doc's offices, and that the company's servers and services were down. The company fully cooperated in the raid, according to the police report.
Demedyuk's team claims that ME Doc was compromised as a result of a 'classic supply chain attack', which would have required access to ME Doc's source code.
"Once they have access to the source code, they installed a backdoor in one of the program updates, which installs unauthorised remote access [Trojan] on the computers of ME Doc users," the police report suggested.
The software update, it added, "probably took place on 15 May 2017", while the attack was perpetrated in order to disrupt the Ukrainian economy under the cover of ransomware.
While that claim remains to be proven, it does highlight another weak point in modern economies, and that "essential infrastructure" that could be targeted in a nation-state cyber attack need not necessarily be the utilities, such as power stations and other elements of the electricity infrastructure, that most people automatically think of as essential infrastructure.
The police report also suggests that there may be a link between the WannaCry ransomware propagated in May and NotPetya.
The police also advised users of ME Doc to disconnect any PCs running the software and to change passwords and digital signatures. It warned that organisations taken down by NotPetya could also be compromised in future as a result.
Intellect Service's ME Doc accounting software is used by 80 per cent of businesses in Ukraine. As a result of the disruption caused by the attack Ukrainian authorities have extended the deadline for filing end-of-year tax returns by one month to help businesses whose preparation might be affected by the sudden removal of the service.
The police raid comes after someone removed around $10,000 in Bitcoin from the wallet set-up in connection with the malware overnight. The funds were transferred to a different Bitcoin wallet, following a couple of test transfers with small denominations.
NotPetya, which was launched on 27 June via the compromised servers of ME Doc, utilises ransomware similar to Petya in order to supposedly encrypt files.
Analyses of the malware indicate that it made use of US National Security Agency (NSA) exploits that ought to have enabled it to self-propagate once released into the wild and that those exploits were absorbed into the malware before the exploits were publicly released.
Victims are then requested to make a payment in bitcoin to a particular account in order to receive a decryption key. However, the NotPetya ransomware destroys files rather than encrypting them, and keys are therefore not distributed to people who pay the ransom.
Criminal charges may be levied against ME Doc after claims that managers ignored security warnings from security specialists and staff. µ
Could face hefty fines and ban in Russia if it fails to comply
What next?! Self-driving planes... oh wait
It's expected to last for 'a number of weeks'