Ukraine Police Trace Petya Attack Source

Uploaded on 2017-07-05 in NEWS-Cybersecurity News, GOVERNMENT-Law Enforcement, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

A vulnerability within an obscure piece of Ukrainian accounting software is the root cause of the massive Petya cyberattack that  broke out last week, according to the Ukrainian law enforcement. 

The attack hit Ukrainian utilities and airline services, US based pharmaceutical company Merck, Russian oil giant Rosneft and even forced operators at the Chernobyl nuclear power plant to switch to manual radiation monitoring of the site. 

The software is called Me.DOC, it’s basically an application for tax reporting and filing for companies that do business in Ukraine. At about 10:30 a.m. GMT Tuesday 27th June. Me.Doc ran an automatic update on the software, a routine event and that connected every version of Me.Doc on every computer on which it had been installed (so long as it was online) to this address: 92.60.184.55.

That by itself is not unusual.
As the Ukrainian police’s cyber division explained in a Facebook post, updates from Me.doc are usually rather small, about 300 bytes. This update ran 333 kilobytes, orders of magnitude larger. Once host computers download the update, becoming infected, the malware creates a new file called Rundll32.exe. Next it contacts a different network. It then starts running new commands, taking advantage of a particular Windows vulnerability, the same Microsoft vulnerability, called EternalBlue SMB, targeted by WannaCry. 

The US National Security Agency detected the vulnerability and it was contained in a group of stolen documents that made their way onto the Web via a group called the Shadowbrokers. However, the NSA did disclose the vulnerability to Microsoft, which issued a patch, long before the WannaCry virus spread. 

Defense One verified the Ukrainian police’s post with a second researcher who had direct knowledge of the attack and the malware in question. Other cyber security researchers with Russia-based Kaspersky Labs also began pointing to Me.DOC  as the likely point of spread.

At this point, no one has claimed responsibility for the attack and authorities have yet to make a hard determination about attribution. 

Actors backed by the Russian government have been targeting portions of Ukrainian infrastructure since 2015 when a massive attack by a group knocked out power to more than 225,000 people in Ukraine. But WannaCry has been linked to actors outside of Russia, namely North Korea. It’s a finding that some researchers dispute. 

DefenseOne

You Might Also Read:

How A Nation Became Russia's Cyberwar Experiment:

 

« Cyberwar: A New Front For US Military
Cybersecurity Is Too Important To Leave To IT »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

E-Tech

E-Tech

E-Tech has been providing system support and information technology consulting services including Internet and Network Security assessments.

iboss Network Security

iboss Network Security

The iboss cloud is designed to deliver Network Security as a Service, in the cloud, using the best malware engines, threat feeds and log analytics engines.

BitSight Technologies

BitSight Technologies

BitSight transforms how companies manage information security risk with objective, verifiable and actionable Security Ratings.

CyPhyCon

CyPhyCon

CyPhyCon is an annual event exploring threats and solutions to cyber attacks on cyber-physical systems such as industrial control systems, Internet of Things and Industrial Internet of Things.

PatrOwl

PatrOwl

Automate your SecOps with PatrOwl, and start defending your assets efficiently.

SurePassID

SurePassID

SurePassID is a provider of highly secure, highly extensible multi-factor authentication (MFA) solutions.

JupiterOne

JupiterOne

JupiterOne is the security product that is changing how organizations manage and secure their software defined assets.

D2 Network Associates (D2NA)

D2 Network Associates (D2NA)

D2NA help businesses deliver and achieve their goals, through innovative IT solutions, robust cyber security services and proactive IT managed services.

Aravo Solutions

Aravo Solutions

Your Extended Enterprise is full of hidden risks – Aravo makes them visible, measurable, and manageable.

Privasee

Privasee

Make GDPR compliance simple with Privasee. Our software makes it easy to protect your data and ensure you’re compliant with the new regulations.

Aim Security

Aim Security

Aim empowers enterprises to unlock the full potential of GenAI technology without compromising security. GenAI makes business better - Aim makes GenAI secure.

Fairly AI

Fairly AI

Fairly AI is on a mission to democratize safe, secure, and compliant AI across the enterprise.

PlanNet 21 Communications

PlanNet 21 Communications

PlanNet 21 Communications is Ireland most specialised technology solution provider.

Hakai Security

Hakai Security

Hakai is a consulting firm specializing in information security that offers customized services and products to meet the needs and goals of each business.

Innerworks

Innerworks

Innerworks intelligent bot detection. Innerworks is building the future of behavioural data on web3.

Hanwha Systems

Hanwha Systems

Hanwha Systems is a global company based in South Korea providing defense electronics and smart ICT solutions.