MEDoc employees face criminal charges over NotPetya spread
Image: Q8India.

On Tuesday, Ukraine’s Cyber Police seized the servers of Intellect Service, the developers of MEDoc. The accounting software was the source of the NotPetya malware attack last week, and Col. Serhiy Demydiuk, head of the division, said company employees knew about it and will face criminal charges.

The move comes after Ukrainian authorities learned additional details about the attack on early Tuesday, following extensive investigations since ExPetr/NotPetya started spreading roughly a week ago. Researchers found the malware had been planted months in advance.

Only now are businesses starting to recover and operate at full speed again, after spending most of the past few days engaged in salvaging data and bringing their systems back online.

MEDoc developers knew about the malware, authorities say

Col. Serhiy Demydiuk told The Associated Press he had reliable information that indicated Sergei and Olesya Linnik, the father and daughter duo who run Intellect Service, had been warned by cyber security firms about vulnerabilities in their system but ignored them anyway.


The Linniks, on the other hand, deny these accusations and claim they were just as clueless as everyone else about the apparently impending attack. In an interview with Reuters, they said they had checked MEDoc “100 times” for signs of hacking and “everything is fine.”

MEDoc, which is used by more than 80% of all companies in Ukraine to file their taxes directly with government entities and share financial documents among employees, was found to be patient zero of NotPetya by Microsoft, ESET, Kaspersky Labs, Cisco, Symantec, and even Ukraine’s own ISSP.

Ukraine accuses Russia of being behind the NotPetya attack

Ukraine - Russia - notpetya - expetr
Image: The American Interest.

Several of these cyber security firms have tracked a vulnerability in the update infrastructure of the software that could have possibly provided a backdoor to hackers into the source code of MEDoc. From there, they implanted ExPetr/NotPetya and waited a couple of months to launch the attacks.

Since April, Intellect Service has issued three MEDoc updates that are compromised from a cyber security standpoint. Over the weekend, National authorities said they believe the whole scheme could only have been perpetrated by a nation-state and pointed fingers at Russia as the potential perpetrator.

SBU, Ukraine’s security service, accused its Russian Federation counterpart of involvement in the attack after finding evidence linking NotPetya to BlackEnergy and the TeleBots hacking group, a malware stream and an organization supposedly responsible for various attacks to the power grid of the neighboring country.

ESET security researchers confirmed that there were indeed similarities between the attacks and that the TeleBots group had carried out schemes similar to ExPetr/NotPetya before.

A NATO advisor has also said Ukraine could pursue retaliation against Russia because, since the malware took down a large part of the country’s infrastructure including government platforms, the attack could be considered an offense to the nation’s sovereignty.

Source: The Associated Press