Ukraine Police Trace Petya Attack Source

A vulnerability in an obscure piece of Ukrainian accounting software is the root cause of the massive Petya cyberattack that broke out last week, according to Ukrainian law enforcement.

The attack hit Ukrainian utilities and airline services, the US-based pharmaceutical company Merck and the Russian oil giant Rosneft, and even forced operators at the Chernobyl nuclear power plant to switch to manual radiation monitoring of the site.

The software is called Me.Doc; it is essentially an application for tax reporting and filing for companies that do business in Ukraine. At about 10:30 a.m. GMT on Tuesday 27 June, Me.Doc ran an automatic software update, a routine event, which connected every installed copy of Me.Doc on every computer that was online to this address: 92.60.184.55.

That by itself is not unusual. As the Ukrainian police's cyber division explained in a Facebook post, updates from Me.Doc are usually rather small, about 300 bytes. This update ran to 333 kilobytes, orders of magnitude larger. Once a host computer downloaded the update and became infected, the malware created a new file called Rundll32.exe, then contacted a different network and began running new commands, taking advantage of the same Windows SMB vulnerability, exploited via EternalBlue, that WannaCry had targeted.
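The update-size anomaly described above is something a defender can check for in egress logs: a client that normally pulls a ~300-byte update from the vendor's host and suddenly pulls hundreds of kilobytes from the same host, then contacts a destination it has never talked to, is worth an alert. The following is an added example, not code from the article, the Ukrainian police post or the Me.Doc vendor. The log format, the internal client addresses and the 198.51.100.7 follow-on destination are constructed; only the update host 92.60.184.55 and the approximate sizes (about 300 bytes normally, 333 KB on 27 June) come from the article.

```python
"""Flag anomalously large software-update downloads in a proxy log.

Added illustration; the log format and sample lines are constructed.
Only the update host IP and the rough byte sizes come from the article.
"""
import statistics
from dataclasses import dataclass

# Constructed proxy log: timestamp client dest method path response_bytes.
# 333 KB = 333 * 1024 = 340992 bytes.
SAMPLE_LOG = """\
2017-06-20T10:31:02Z 10.0.1.15 92.60.184.55 GET /upd/check 301
2017-06-21T10:30:58Z 10.0.1.15 92.60.184.55 GET /upd/check 297
2017-06-22T10:31:05Z 10.0.1.22 92.60.184.55 GET /upd/check 305
2017-06-26T10:30:49Z 10.0.1.15 92.60.184.55 GET /upd/check 299
2017-06-27T10:30:41Z 10.0.1.15 92.60.184.55 GET /upd/check 340992
2017-06-27T10:30:44Z 10.0.1.22 92.60.184.55 GET /upd/check 340992
2017-06-27T10:30:50Z 10.0.1.15 198.51.100.7 POST /a 512
"""

UPDATE_HOST = "92.60.184.55"  # update address named in the police post


@dataclass(frozen=True)
class Fetch:
    ts: str      # ISO-8601 UTC; sorts lexically in time order
    client: str
    dest: str
    method: str
    path: str
    size: int    # response bytes


def parse_line(line: str) -> Fetch:
    ts, client, dest, method, path, size = line.split()
    return Fetch(ts, client, dest, method, path, int(size))


def parse_log(text: str) -> list[Fetch]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_oversized_updates(fetches: list[Fetch], update_host: str,
                           ratio: int = 100) -> list[Fetch]:
    """Return fetches from update_host whose size exceeds `ratio` times the
    median size of all earlier fetches from that host (the rolling baseline).
    The first fetch ever seen cannot be judged and never alerts."""
    alerts, history = [], []
    for f in fetches:
        if f.dest != update_host:
            continue
        if history and f.size > ratio * statistics.median(history):
            alerts.append(f)
        history.append(f.size)
    return alerts


def followup_destinations(fetches: list[Fetch],
                          alerts: list[Fetch]) -> dict[str, list[str]]:
    """For each alerting client, list destinations it contacted after the
    alert that it had never contacted before it (the 'different network'
    behaviour the police post describes)."""
    out: dict[str, list[str]] = {}
    for a in alerts:
        seen_before = {f.dest for f in fetches
                       if f.client == a.client and f.ts <= a.ts}
        new = sorted({f.dest for f in fetches
                      if f.client == a.client and f.ts > a.ts
                      and f.dest not in seen_before})
        if new:
            out[a.client] = new
    return out


if __name__ == "__main__":
    fetches = parse_log(SAMPLE_LOG)
    alerts = find_oversized_updates(fetches, UPDATE_HOST)
    for a in alerts:
        print(f"ALERT {a.ts} {a.client} pulled {a.size} bytes from {a.dest}")
    for client, dests in followup_destinations(fetches, alerts).items():
        print(f"  {client} then contacted new destination(s): {dests}")
```

The rolling median keeps the baseline from being dragged up by the first oversized fetch, so the second host's identical 333 KB download still alerts. In practice the same two checks run against real proxy or NetFlow records keyed on the vendor's update host, with the ratio tuned to the normal spread of that vendor's update sizes.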

The US National Security Agency had discovered the vulnerability, and the exploit for it was among a set of stolen documents that made their way onto the Web via a group called the Shadow Brokers. However, the NSA did disclose the vulnerability to Microsoft, which issued a patch long before the WannaCry virus spread.

Defense One verified the Ukrainian police's post with a second researcher who had direct knowledge of the attack and the malware in question. Other cyber security researchers at Russia-based Kaspersky Lab also began pointing to Me.Doc as the likely point of spread.

At this point, no one has claimed responsibility for the attack and authorities have yet to make a hard determination about attribution. 

Actors backed by the Russian government have been targeting portions of Ukrainian infrastructure since 2015, when a massive attack knocked out power to more than 225,000 people in Ukraine. But WannaCry has been linked to actors outside of Russia, namely North Korea, a finding that some researchers dispute.

DefenseOne
