The Ukrainian cyber police on Tuesday seized the servers of the popular tax software company MeDoc, which became the first victim of the crippling NotPetya malware attack. The seizure came as part of an ongoing investigation into the attack. Sergei Linnik and his daughter Olesya, who run the firm, are blamed for unwittingly spreading the infection that attacked many major global firms last week.
MeDoc is one of only two programs that are officially authorised by the Ukrainian government. While no one has accused the firm of intentionally spreading the worm, it’s believed that it was first pushed out through a software update to the tax software. Because it’s tax season in Ukraine, this was a very effective strategy for the hackers who are responsible.
Police believe that the operation was planned months in advance, and security firm ESET has determined that a backdoor was written into MeDoc’s updates. ESET researcher Anton Cherepanov says it’s likely that the hackers who are responsible had access to MeDoc’s source code. ESET’s report traces the first injection of a backdoor vulnerability to April 14th.
However, Intellect Service has denied that its software helped spread the malware.
Col. Serhiy Demydiuk, the head of Ukraine’s national Cyberpolice unit, has not accused anyone at MeDoc of being involved with the attack. He has said that the company was warned multiple times about potential security vulnerabilities in its systems. “They knew about it,” Demydiuk told the Associated Press. “They were told many times by various anti-virus firms… For this neglect, the people, in this case, will face criminal responsibility.”
Premium Service, which says it is an official dealer of MeDoc’s software, wrote a post on MeDoc’s Facebook page saying masked men were searching MeDoc’s offices and the software firm’s servers and services were down.
The owners did not comment on the issue.
The cyber-attack – a variant of an earlier virus called Petya – hit businesses around the world including the shipping firm Maersk and the marketing giant WPP.