The accounting software firm at the center of the recent Nyetya malware outbreak has been raided by Ukrainian police. On Tuesday, local police seized servers belonging to M.E.Doc, the company whose software update started the infection that crippled systems at companies around the world.
Serhiy Demedyuk, Ukraine’s Cyber Police chief, told Reuters that the company’s servers were taken as part of the investigation into the attack. M.E.Doc is the biggest accounting software supplier in Ukraine, and Nyetya spread through a malicious update pushed out by the company’s own update mechanism.
For now, Ukrainian police are not saying that M.E.Doc itself was behind the attack. Cyber security investigators have found that the attack was months in the making and was carried out by highly skilled attackers.
It appears these actors planted a backdoor in the M.E.Doc software rather than exploiting an accidental flaw. Slovakia-based security company ESET says it found the backdoor inside M.E.Doc’s own code:
“VERY STEALTHY AND CUNNING”
“We identified a very stealthy and cunning backdoor that was injected by attackers into one of M.E.Doc’s legitimate modules,” ESET senior malware researcher Anton Cherepanov said in a technical note. “It seems very unlikely that attackers could do this without access to M.E.Doc’s source code.”
“This was a thoroughly well-planned and well-executed operation,” he added.
ESET says the backdoor had been in place for some time. M.E.Doc pushed out at least three updates that carried the backdoored module; the first of these was released on April 14.
Spreading the Malware
Oleg Derevianko, chairman of the Ukrainian cyber security company ISSP, says M.E.Doc’s April update opened the door for the attackers and allowed them to push the malware out to the company’s clients.
Each client machine that installed the update was then instructed to download the malware as a 350-megabyte file from an unknown source.
“With this 350 megabytes you can exfiltrate anything – emails from all of the banks, user accounts, passwords, anything,” Derevianko said.