A secret backdoor placed into a Kiev-based accountancy firm's software may have been the spark for a global cyberattack.

Blame for the catastrophic cyberattack, which rapidly spread from its starting point of Ukraine in June, has begun to fall upon a company called M.E.Doc that produces tax-preparation programs which are widely used in the country.

Consensus among security researchers is that the malware, which is now being referred to as NotPetya, initially spread to victims through M.E.Doc's software update mechanism.

It was able to access this through "a very stealthy and cunning backdoor" which a hacker had placed into the source code for the program, according to researcher Anton Cherepanov.

Cherepanov, who is a senior malware researcher at security company Eset, described the attack as "a thoroughly well-planned and well-executed operation."
Although NotPetya presented itself as ransomware and sought to solicit money from the victims, researchers believe that this was a masquerade.

Its true purpose was not to collect money and decrypt files, but to damage the systems it infected.

Image: A supermarket in Kharkiv, Ukraine, hit by the cyberattack Credit: @golub

Colonel Serhiy Demydiuk, who heads Ukraine's national cybercrime unit, told the Associated Press that M.E.Doc employees had known for some time about vulnerabilities affecting its software and systems, but had not attempted to patch these flaws.

"They knew about it," Colonel Demydiuk said. "They were told many times by various anti-virus firms.

"For this neglect, the people in this case will face criminal responsibility."

The cyberattack caused major disruptions for large organisations around the world, affecting parts of the Ukrainian government's computer systems, the radiation monitoring system at Chernobyl, and the IT systems at European bank BNP Paribas.

One government official estimated that as many as 10% of personal computers in the country may have been compromised by NotPetya.

In the UK, the FTSE 100 company Reckitt Benckiser (RB), which has the Nurofen, Dettol and Durex brands in its stable, said the cyberattack resulted in a loss of sales.

Speaking to Sky News, the director of global research and analysis teams at security business Kaspersky, Costin Raiu, said that while there were no new infections now being detected, for most companies the damage had already been done.

"Most businesses were paralysed for the first three or four days," said Mr Raiu, "but after about six days, 90% of victims had managed to overcome it" with no way of recovering the revenue lost in that period.

Police in Ukraine raid the offices of M.E.Doc

Like the WannaCry attack that hit the NHS in the UK, NotPetya used the EternalBlue exploit, which was developed by the National Security Agency in the US and then stolen and released to the public.

Mr Raiu told Sky News it was not possible to confidently attribute the attack to a definite actor, but Kaspersky and colleagues from security company Palo Alto were able to identify similarities between the threat actor and another which has attacked Ukraine before.

Called "Black Energy", the threat actor has "never been publicly attributed to any state-sponsored actor. There is actually speculation they might be hackers for hire, or a criminal organisation working as cyber mercenaries.

"They show up committing disruptive attacks in Ukraine," said Mr Raiu, the kind of cyber activity that governments do not want to be implicated in.

He suggested that a mercenary group could provide a hostile government with insulation from such claims, but said it was not possible to confirm that at this stage of the investigation.