The source of a crippling cyberattack Tuesday that disabled automated systems in governments, banks, grocery stores, an airport and more throughout Europe and the U.S. is still a mystery as several experts singled out a Ukrainian accounting software as the culprit.
“The suspicions are that this is a criminal motive. Why? Because they’re asking for money,” Carl Herberger from cybersecurity firm Radware told CBS News’ Elizabeth Palmer.
The attack, a variation of the ransomware Petya, started in Kiev and spread all over the world. It had two layers of encryption meaning files and their backups could be infected which is more advanced than most cyberattacks. Security experts said the attack shares a similarity with last month’s WannaCry attack: Both spread by using digital break-in tools purportedly created by the U.S. National Security Agency and recently leaked online.
Infected computers told users to pay $300 in crypto-currency bitcoin. Corporate titans from New Jersey-based Merck pharmaceuticals to the Danish shipping company Moller Maersk to Russian oil giant Rosneft were hit in the attack.
How the software was spread is not yet known, but several experts singled out Ukrainian accounting software called MEDoc which in a brief message posted to its website acknowledged having been hacked. A series of tweets issued by Ukraine’s cyberpolice unit singled out MEDoc.
Several vendors including Kaspersky Lab and Cisco have already identified MEDoc as a likely vector for the initial infections. Ukraine’s cyberpolice said Tuesday that the rogue update occurred around 10:30 a.m. local time, seeding the infection to an undisclosed number of organizations across the country. Then, just as a few dropped matches can feed a forest fire, the ransomware spread rapidly from there.
In a lengthy statement posted to Facebook, MEDoc acknowledged having been hacked but said it was not responsible for having seeded the rogue program.
Ukraine’s cyberpolice unit acknowledged the company’s statement but stood by its analysis. It stressed that it was not attributing blame to the company.
The FBI issued a statement Thursday saying they were aware of the attack and said “threat mitigation, as well as bringing the perpetrators of cyber-attacks to justice, are the FBI’s top priorities.”
The U.S. Department of Homeland Security issued a statement earlier Tuesday saying it is monitoring reports of attacks “affecting multiple global entities” and is “coordinating with our international and domestic cyber partners,” offering confidential analysis and technical support.
The German company whose email service was used to help coordinate payments linked to the latest surge of ransom software says it pulled the plug on the account before news of the outbreak became widely known.
In a blog post, the Posteo service said it blocked the email address “immediately” after learning that it was being used as a point of contact for the ransomware’s presumed creators. The post said the block happened around midday in Germany, well before reports began circulating about problems linked to its spread.
While the block prevented the hackers behind the ransomware release from capitalizing on the explosive infection rate, it may also strand victims with no obvious way of retrieving files scrambled by the rogue program.