Microsoft, analysts see hack origin at Ukrainian software firm

(Bloomberg) -- Microsoft Corp., cybersecurity analysts, and Ukrainian police say the hack that has disrupted companies across the globe can be traced to a Ukrainian accounting software producer called M.E.Doc.

The cybercrime unit of the Ukrainian police said late Tuesday that a software upgrade from M.E.Doc unwittingly contained the virus. Microsoft said in a blog post that the initial infection “appears to involve a software supply-chain threat involving the Ukrainian company M.E.Doc” and that it has evidence that some active infections started from the software maker’s updates.

“One infection vector used in this campaign was the M.E.Doc software,” John Miller, senior manager at cybersecurity firm FireEye, said in an email. Aleks Gostev, Kaspersky Lab’s chief security expert, also said M.E.Doc appeared to be the source of the malware.

M.E.Doc did not respond to requests for comment. In a Facebook post, M.E.Doc said “major anti-virus companies” had vetted its software and that it has no responsibility for spreading the virus. The company said that, like other victims, some of its services had been affected by the attack, and that it’s working to restore them.

The attack Tuesday popped up in government systems in Kiev, then disabled operations at companies including Rosneft PJSC, advertiser WPP Plc, and the Chernobyl nuclear facility. More than 80 companies in Russia and Ukraine were initially affected, Moscow-based cybersecurity company Group-IB said. The hack quickly spread from Russia and Ukraine through Europe and into the U.S. and Asia.

A.P. Moller-Maersk A/S, one of those hardest hit by the attack, has shut down systems across its operations as it assesses the full impact. The container carrier has posted a job announcement in Kiev seeking staff with M.E.Doc experience.

--With assistance from Stepan Kravchenko
