As per the results of an initial analysis by Cisco’s Talos unit, the motive for the cyberattacks has been established.
The Ukrainian software company that hackers used to launch their global cyberattack warned that all nodes on its network have been compromised by hackers.
As per investigators, the virus, dubbed as “NotPetya” by experts, not only disrupted business activities across the globe but is now thought to be far more nefarious than previously envisaged.
As per a top official from the Ukrainian Presidential Administration, the number of systems the global cyberattack left in its trail is yet being counted. The country’s security service is now trying to establish what the hackers are going to do with the stolen data.
A video released by the Ukrainian police showed masked men in combat fatigues armed with assault rifles raiding the offices of Intellect Service on Tuesday. This occurred after cyber security researchers disclosed they had found a “back door” in some of the updates provided by M.E.Doc accounting software.
This accounting software is used extensively in Ukraine – nearly 80% of the 1 million computer users in the country use it for their accounting purposes.
As per Ukraine’s Interior Minister, Arsen Avakov, the police have blocked a second cyberattack from servers hosting this accounting software.
The company that created the M.E.Doc accounting software had previously denied that its servers had been compromised. However on Wednesday, when question on the insertion of the Trojan, the company’s Chief Executive Olesya Bilousova said: “Yes, there was. And the fact is that this back door needs to be closed.”
She went on to add, any computer on the company’s network or using its M.E.Doc software is vulnerable to another attack.
“We need to pay the most attention to those computers which weren’t affected (by last week’s attack),” said Bilousova. “The virus is on them waiting for a signal. There are fingerprints on computers which didn’t even use our product.”
As per Dmytro Shymkiv, the deputy head of Ukraine’s presidential administration who is also a former director of Microsoft in Ukraine, the latest evidence points to an advanced and well-orchestrated attack.
“I am looking through the analysis that has been done on the M.E.Doc server, and from what I’m seeing, that’s worrying. Worrying is a very light word for this. How many back doors are still open? We don’t know,” said Shymkiv.
“We are in a new phase of cyber security and the way that sophisticated actors behave,” said Leo Taddeo, a former FBI cyber investigator and executive with cyber security firm Cyxtera Technologies. “I can’t think of a supply chain attack that has been this thorough.”
Investigators are still trying to establish who was behind last week’s global cyberattack. While Ukraine has blamed Russia for the attack, the U.S. government has yet to come to the same conclusion.
As per cyber security experts from Cisco Systems Inc, who examined the infected machines at the invitation from the Ukrainian company, the attacker had used a stolen password to log into the company’s network.
Having gained the password, the attack escalated the access rights of the users to rewrite config files, and direct customers seeking updates of the accounting software to a hacked version hosted by a French web hosting company.
As per Craig Williams, senior technical leader for Cisco’s Talos intelligence unit, the infected software may have spread through other means, with the attackers using the backdoor to install other tools. However, with the infected machines, being part of a botnet, awaiting a command from its controller, which has been taken offline, they do not pose any threat.
The big worry however are the infected updates, said Williams. With the company’s servers being disabled, it is unable to push out “clean” updates to its customers.
As per Williams, Cisco’s Talos unit believes the hackers were connected to previous attacks on Ukraine’s electric grid. Although it was “tempting” to ascribe the new attack to a national government, the lack of a profit motive however makes these accusations challenging to prove.
“This wasn’t made for any other purpose but to destabilize businesses in the Ukraine,” said Williams.
“Initially everybody thought, including me, that it was just an attack with a virus. It was not an attack with a virus, it was opening a back door, which was a hack of the computer networks on a broad scale and then eliminating the results with a virus,” said Shymkiv, deputy head of Ukraine’s presidential administration.
“It’s like a robber, you get to the house, you steal everything, and then you burn it.”