The Jim Bakker Show

Ukraine finally battens down its leaky cyber hatches after attacks

FILE PHOTO: A message demanding money is seen on a monitor of a payment terminal at a branch of Ukraine's state-owned bank Oschadbank after Ukrainian institutions were hit by a wave of cyber attacks earlier in the day, in Kiev, Ukraine, June 27, 2017. REUTERS/Valentyn Ogirenko/File Photo

By Matthias Williams

KIEV (Reuters) – When the chief of Microsoft Ukraine switched jobs to work for President Petro Poroshenko, he found that everyone in the office used the same login password. It wasn’t the only symptom of lax IT security in a country suffering crippling cyber attacks.

Sometimes pressing the spacebar was enough to open a PC, according to Dmytro Shymkiv, who became Deputy Head of the Presidential Administration with a reform brief in 2014.

Today discipline is far tighter in the president’s office. But Ukraine – regarded by some, despite Kremlin denials, as a guinea pig for Russian state-sponsored hacks – is fighting an uphill battle in turning pockets of protection into a national strategy to keep state institutions and systemic companies safe.

As in many aspects of Ukrainian life, corruption is a problem. Most computers run on pirated software, and even when licensed programs are used, they can be years out of date and lack security patches to help keep the hackers at bay.

Three years into the job, Shymkiv is leading the fight back. He has put together a team, led by a former Microsoft colleague, doing drills, sending out email bulletins to educate staff on new viruses and doing practice hacks offsite.

In the early days, staff complacency and resistance to change were as much a problem as insecure equipment.

“I remember the first weeks when we forced people to do a password change,” Shymkiv told Reuters. “My team heard all kind of screams and disrespectful messages … Over three years, it’s a different organization.”

The team’s small office has a screen with dials, charts and a green spider web showing activity on the network. If there is an attack, a voice shouts “major alarm!” in English, a recording the team downloaded from YouTube.

Eliminating bad practices and introducing good ones is the reason, Shymkiv believes, why the presidential administration was immune to a June 27 virus that spread from Ukraine to cause disruption in companies as far away as India and Australia.

But the country still has a long way to go. Since 2014 repeated cyber attacks have knocked out power supplies, frozen supermarket tills, affected radiation monitoring at the stricken Chernobyl nuclear power plant, and forced the authorities to prop up the hryvnia currency after banks’ IT systems crashed.

Even Poroshenko’s election that year was compromised by a hack on the Central Election Commission’s network, trying to proclaim victory for a far-right candidate — a foretaste of alleged meddling in the 2016 U.S. presidential election.

Ukraine believes the attacks are part of Russia’s “hybrid war” waged since protests in 2014 moved Ukraine away from Moscow’s orbit and closer to the West. Moscow has denied running hacks on Ukraine.

Shymkiv said the task is to “invest in my team, and upgrade them, and teach them, and connect them with other organizations who are doing the right things”.

“If you do nothing like this, you probably will be wiped out,” he added.

The head of Shymkiv’s IT team, Roman Borodin, said the administration is hit by denial-of-service (DDoS) attacks around once every two weeks, and by viruses specifically designed to target it. The hackers seem mainly interested in stealing information from the defense and foreign relations departments, Borodin told Reuters in his first ever media interview.

HONOR AT STAKE

Bruised by past experiences, Ukraine is protecting itself better.

Finance Minister Oleksandr Danylyuk told Reuters his ministry overhauled security after a hack in November crashed 90 percent of its network at the height of budget preparations.

Officials couldn’t log into the system that manages budget transactions for 48 hours, something that played on Danylyuk’s mind as he addressed the Verkhovna Rada or parliament.

“Imagine that, knowing this, I went to the Verkhovna Rada to present the budget – the main financial document on which 45 million people live – and at the same time I was thinking about how to save not only the document itself, but also the honor of the ministry,” he said.

“I understood that if I showed even the slightest hint of our nervousness, the organizers of the attack would achieve their goal.”

Consultants uncovered familiar weaknesses: the budget system operated on a platform dating from 2000, and the version of the database management system should have been upgraded in 2006.

The ministry is introducing new systems to detect anomalies and to improve data protection. “We’re completely revising and restructuring the ministry’s IT landscape,” Danylyuk said.

The ministry emerged unscathed from the June 27 attack. Others weren’t so lucky: Deputy Prime Minister Pavlo Rozenko tweeted a picture of a crashed computer in the cabinet office that same day.

Ukraine is also benefiting from help from abroad.

A cyber police force was set up in 2015 with British funding and training in a project coordinated by the Organization for Security and Co-operation in Europe (OSCE).

While Ukraine is not a NATO member, the Western alliance supplied equipment to help piece together who was behind the June attack and is helping the army set up a cyber defense unit.

Ukraine shares intelligence with neighboring Moldova, another ex-Soviet state that has antagonized Moscow by moving closer to the West and complains of persistent Russian cyber attacks on its institutions.

“At the beginning of this year we had attacks on state-owned enterprises. If it were not for cooperation with the guys from Moldova, we would not have identified these criminals,” Serhiy Demedyuk, the head of the Ukrainian cyber police, told Reuters.

Demedyuk said the attack had been staged by a Russian citizen using a server in Moldova, but declined to give further details.

LAYING DOWN THE LAW

While there has been progress in some areas, Ukraine is still fighting entrenched problems. No less than 82 percent of software is unlicensed, compared with 17 percent in the United States, according to a 2016 survey by the Business Software Alliance, a Washington-based industry group.

Experts say pirated software was not the only factor in the June attack, which also hit up-to-date computers, but the use of unlicensed programs means security patches which could limit the rapid spread of such infections cannot be applied.

Ukraine ranked 60 out of 63 economies in a 2017 survey on digital competitiveness by the International Institute for Management Development. The low ranking is tied to factors such as a weak regulatory framework.

Another problem is that Ukraine has no single agency in charge of ensuring that state bodies and companies of national importance, such as banks, are protected.

This surfaced on June 27, when the NotPetya virus penetrated the company that produces M.E.Doc, an accounting software used by around 80 percent of Ukrainian businesses.

“Locally, the weak spot is accounting, but more generally it is the lack of cyber defenses at a government level. There aren’t agencies analyzing risks at a government level,” said Aleksey Kleschevnikov, the owner of internet provider Wnet, which hosted M.E.Doc’s servers.

Valentyn Petrov, head of the information security department at the National Security and Defence Council, said the state cannot interfere with companies’ security.

“It’s a total disaster from our perspective,” he told Reuters. “All state companies, including state banks, have suffered from attacks, and we really have no influence on them – neither on issuing regulations or checking how they fulfill these regulations.”

Poroshenko signed a decree in February to improve protection of critical institutions. This proposed legislation to spell out which body was in charge of coordinating cyber security and a unified methodology for assessing threats.

The law failed to gather enough votes the day before parliament’s summer recess in July, and MPs voted against extending the session. Shymkiv called that a “big disgrace”.

He added that in many ministries and firms, “we’ve seen very little attention to the IT infrastructures, and it’s something that’s been lagging behind for years”.

Attitudes can be slow to change. Borodin said a policy at the administration to lock computer screens after 15 minutes of inactivity was greeted with indignation. One staffer pointed out that their room was protected by an armed guard.

The staffer said “‘I have a guy with a weapon in my room. Who can steal information from this computer?'” Borodin recounted.

(Additional reporting by Pavel Polityuk, Jack Stubbs, Natalia Zinets and Margaryta Chornokondratenko in Kiev, Eric Auchard in Frankfurt and David Mardiste in Tallinn; editing by David Stamp)

North Korea hacking increasingly focused on making money more than espionage: South Korea study

A projection of cyber code on a hooded man is pictured in this illustration picture taken on May 13, 2017. REUTERS/Kacper Pempel/Illustration

By Christine Kim

SEOUL (Reuters) – North Korea is behind an increasingly orchestrated effort at hacking into computers of financial institutions in South Korea and around the world to steal cash for the impoverished country, a South Korean state-backed agency said in a report.

In the past, suspected hacking attempts by North Korea appeared intended to cause social disruption or steal classified military or government data, but the focus seems to have shifted in recent years to raising foreign currency, the South’s Financial Security Institute (FSI) said.

The isolated regime is suspected to be behind a hacking group called Lazarus, which global cybersecurity firms have linked to last year’s $81 million cyber heist at the Bangladesh central bank and the 2014 attack on Sony’s Hollywood studio.

The U.S. government has blamed North Korea for the Sony hack and some U.S. officials have said prosecutors are building a case against Pyongyang in the Bangladesh Bank theft.

In April, Russian cybersecurity firm Kaspersky Lab also identified a hacking group called Bluenoroff, a spin off of Lazarus, as focused on attacking mostly foreign financial institutions.

The new report, which analyzed suspected cyber attacks between 2015 and 2017 on South Korean government and commercial institutions, identified another Lazarus spinoff named Andariel.

“Bluenoroff and Andariel share their common root, but they have different targets and motives,” the report said. “Andariel focuses on attacking South Korean businesses and government agencies using methods tailored for the country.”

Pyongyang has been stepping up its online hacking capabilities as one way of earning hard currency under the chokehold of international sanctions imposed to stop the development of its nuclear weapons program.

Cyber security researchers have also said they have found technical evidence that could link North Korea with the global WannaCry “ransomware” cyber attack that infected more than 300,000 computers in 150 countries in May.

“We’ve seen an increasing trend of North Korea using its cyber espionage capabilities for financial gain. With the pressure from sanctions and the price growth in cryptocurrencies like Bitcoin and Ethereum – these exchanges likely present an attractive target,” said Luke McNamara, senior analyst at FireEye, a cybersecurity company.

North Korea has routinely denied involvement in cyber attacks against other countries. The North Korean mission to the United Nations was not immediately available for comment.

ATM, ONLINE POKER

The report said the North Korean hacking group Andariel has been spotted attempting to steal bank card information by hacking into automated teller machines, and then using it to withdraw cash or sell the bank information on the black market. It also created malware to hack into online poker and other gambling sites and steal cash.

“South Korea prefers to use local ATM vendors and these attackers managed to analyze and compromise SK ATMs from at least two vendors earlier this year,” said Vitaly Kamluk, director of the APAC research center at Kaspersky.

“We believe this subgroup (Andariel) has been active since at least May 2016.”

The latest report lined up eight different hacking instances spotted within the South in the last few years, which North Korea was suspected to be behind, by tracking down the same code patterns within the malware used for the attacks.

One case spotted last September was an attack on the personal computer of South Korea’s defense minister as well as the ministry’s intranet to extract military operations intelligence.

North Korean hackers used IP addresses in Shenyang, China to access the defense ministry’s server, the report said.

Established in 2015, the FSI was launched by the South Korean government in order to boost information management and protection in the country’s financial sector following attacks on major South Korean banks in previous years.

The report said some of the content has not been proven fully and is not an official view of the government.

(Additional reporting by Jeremy Wagstaff in SINGAPORE; Editing by Soyoung Kim and Michael Perry)

Italy’s UniCredit reveals data attack involving 400,000 clients

By Paola Arosio and Gianluca Semeraro

MILAN (Reuters) – Suspected hackers have accessed client data of Italy’s biggest lender, UniCredit <CRDI.MI>, in two attacks in the past 10 months and affected about 400,000 Italian customers, the most serious data breach ever reported by a major Italian lender.

No passwords were stolen in the attacks, which first occurred in September and October of 2016 and again in June and July of this year, but personal and banking details could have been accessed, UniCredit said in a statement.

The attacks were carried out through an external commercial partner, which UniCredit did not identify. Wednesday’s statement also did not describe how the intruders accessed the data nor when the bank became aware of the first intrusion.

A source familiar with the matter said the bank had only uncovered the data breaches between Monday and Tuesday.

“The bank immediately adopted all necessary measures to prevent a repeat of such intrusions,” the bank said, adding that it had notified law-enforcement authorities.

The head of UniCredit’s information technology unit, Daniele Tonella, said none of the data accessed by the attackers allowed any financial transaction to be carried out.

“We don’t know why this data was acquired,” he told Reuters, adding that it also did not know who was behind the attacks.

Attacks on banks in recent years have become more sophisticated and resulted in mounting financial losses.

They have evolved beyond data breaches, in which personal information are stolen, to include denial-of-service attacks which have knocked out access to online banking services for up to several days and even intrusions into core banking systems.

Last November, attackers stole more than 2.5 million pounds ($3.25 million) from Tesco Bank in Britain’s largest disclosed cyber heist.

UniCredit shares were down 0.9 percent at 16.87 euros in late morning trade.

(Additional reporting by Silvia Aloisi; Editing by Mark Bendeich and Edmund Blair)

Half of German companies hit by sabotage, spying in last two years, BSI says

FILE PHOTO: A man types on a computer keyboard in front of the displayed cyber code in this illustration picture taken on March 1, 2017. REUTERS/Kacper Pempel/Illustration/File Photo

BERLIN (Reuters) – More than half the companies in Germany have been hit by spying, sabotage or data theft in the last two years, the German IT industry association Bitkom said on Friday, and estimated the attacks caused around 55 billion euros’ worth of damage a year.

Several high-profile attacks have occurred recently, such as the WannaCry ransomware attacks in May and a virus dubbed “NotPetya” that halted production at some companies for more than a week. Others lost millions of euros to organized crime in a scam called “CEO Fraud”.

Some 53 percent of companies in Germany have been victims of industrial espionage, sabotage or data theft in the last two years, Bitkom found – up from 51 percent in a 2015 study.

At the same time, the damage caused rose by 8 percent to around 55 billion euros a year, the survey of 1,069 managers and people responsible for security in various sectors found.

Arne Schoenbohm, president of Germany’s BSI federal cyber agency, said many big companies and especially those operating critical infrastructure were generally well-prepared for cyber attacks. But many smaller and medium-sized companies did not take the threat seriously enough, he said.

“The high number of companies affected clearly shows that we still have work to do on cyber security in Germany,” he said in a statement on Friday.

The BSI urged companies in Europe’s largest economy to make information security a top priority and said all companies need to report serious IT security incidents, even if anonymously.

Schoenbohm told Reuters in an interview that hardware and software makers should do their part to shore up cyber security and patch weaknesses in software more quickly once identified.

“There’s still a lot of work to be done,” he said. “We have to be careful that we don’t focus solely on industry and computer users, but also look at the producers and quality management.”

Some 62 percent of companies affected found those behind the attacks were either current or former employees. Forty-one percent blamed competitors, customers, suppliers or service providers for the attacks, Bitkom said.

Foreign intelligence agencies were found to be responsible in 3 percent of the cases, it said.

Twenty-one percent believed hobby hackers were responsible while 7 percent attributed attacks to organized crime.

(Reporting by Michelle Martin, Andrea Shalal and Thorsten Severin; Editing by Larry King and Hugh Lawson)

FedEx says cyber attack to hurt full-year results

A Federal Express truck is shown on deliver in La Jola, California, U.S., May 17, 2017. REUTERS/Mike Blake

(Reuters) – Package delivery company FedEx Corp <FDX.N> said a disruption in services in its TNT Express unit following a cyber attack last month would hurt its full-year results.

FedEx’s shares fell as much as 3.4 percent to $211.53 in early trading as the company said the financial impact of the disruption on its results was likely to be “material”.

The Netherlands-based TNT Express is still experiencing widespread service delays following the attack, caused by the Petya cyber virus that spread through a Ukrainian tax software product, FedEx said.

FedEx said it lost revenue due to decreased volumes at TNT Express and incurred incremental costs from contingency plans and remediation of affected systems.

The company said it did not have an insurance in place that covered the impact from the cyber attack.

FedEx, which is evaluating the financial impact of the cyber attack, said it was unable to estimate when services at TNT Express would be fully restored. (http://bit.ly/2uAnQKG)

The company also said no data breach or data loss to third parties was known to have occurred as of July 17.

The Petya cyber virus spread from Ukraine in June, crippling thousands of computers around the globe, with the shipping and logistics industry among those hit the hardest.

The malicious code encrypted data on machines and demanded victims $300 ransoms for recovery, similar to the extortion tactic used in the global WannaCry ransomware attack in May.

FedEx is scheduled to report its first-quarter results in September.

(Reporting by Ankit Ajmera in Bengaluru; Editing by Maju Samuel and Saumyadeb Chakrabarty)

German military aviation command launches cyber threat initiative

A German Air Force piolt poses inside the cockpit of an Airbus A400M military aircraft at the ILA Berlin Air Show in Schoenefeld, south of Berlin, Germany, June 1, 2016. Picture taken with a fish-eye lens. REUTERS/Fabrizio Bensch

By Andrea Shalal

BERLIN (Reuters) – The German military’s aviation safety chief has launched a new initiative against cyber threats, citing research that he said shows hackers can commandeer military airplanes with the help of equipment that costs about 5,000 euros ($5,700).

A defense ministry spokesman told Reuters that development of new “aviation cyber expertise” would cover everything from raising consciousness about cyber threats to technical research projects and equipping aircraft with protective systems.

State Secretary Katrin Suder had backed the idea, which Major General Ansgar Rieks, head of the German Military Aviation Authority, proposed in a letter in June, the spokesman said.

Rieks said last week that he was unnerved by a demonstration by the government-funded German Aerospace Center (DLR) in Bavaria showing hackers could take control of an aircraft with inexpensive equipment.

“That frightens me. I wrote to the state secretary about it and said doing nothing would amount to gross negligence,” he said at a talk at a conference in Bueckeburg, Germany. He said the issue was also a vital concern for civil aviation.

He said military officials needed to focus not just on potential problems with computer software, but should also work to “ensure that airplanes cannot be taken over from the ground, or possibly by a passenger in the air”.

A spokesman for the DLR, which has studied aviation cyber security extensively, had no immediate comment on the issue.

Germany’s military this year launched a new cyber command that groups cyber units from across the military, which will also involved in the new aviation cyber initiative.

Cyber resilience – making sure that systems can survive a cyber attack and keep functioning – was a major topic during a conference at Bundeswehr University Munich last month, the DLR spokesman said.

Germany’s military is also working on the aviation cyber issue within the European Union and NATO, he said.

Concerns about cyber attacks on aircraft and in the broader aviation sector have grown sharply in recent years with a growing barrage of attacks and breaches against other sectors.

Many experts fear that the aviation industry has not kept pace with the threat hackers pose to increasingly computer-connected airplanes.

Rapid adoption of communication protocols similar to those used on the internet to connect cockpits, cabins and ground controls, have left air traffic open to vulnerabilities bedevilling other sectors such as finance and oil and gas.

(Reporting by Andrea Shalal; Editing by Louise Ireland)

Kansas nuclear operator is victim in hacking spree: Bloomberg

By Jim Finkle

(Reuters) – Hackers recently breached a Kansas nuclear power operator as part of a campaign that breached at least a dozen U.S. power firms, Bloomberg News reported on Thursday, citing current and former U.S. officials who were not named.

The Wolf Creek nuclear facility in Kansas was breached in the attack, according to Bloomberg.

A representative with the Wolf Creek Nuclear Operating Corp declined to say if the plant was hacked, but said it continued to operate safely.

“There has been absolutely no operational impact to Wolf Creek. The reason that is true is because the operational computer systems are completely separate from the corporate network,” company spokeswoman Jenny Hageman said in an email to Reuters.

The report identified the first known victims of a hacking campaign targeting the power sector that was first reported by Reuters on June 30. The attacks were described in a confidential June 28 U.S government alert to industrial firms, warning them of a hacking campaign targeting the nuclear, power and critical infrastructure sectors.

The U.S. Department of Homeland Security and Federal Bureau of Investigation said that hackers had succeeded in compromising networks of some targets, but did not name victims. The government also released a 30-page bulletin with advice on how firms could bolster security to defend against the attacks.

The alert said that hackers have been observed using tainted emails to harvest credentials to gain access to networks of their targets.

“Historically, cyber actors have strategically targeted the energy sector with various goals ranging from cyber espionage to the ability to disrupt energy systems in the event of a hostile conflict,” the report said.

Homeland Security and the FBI issued a statement to Reuters late on Thursday saying that the alert was part of an ongoing effort to advise industry of cyber threats.

“There is no indication of a threat to public safety, as any potential impact appears to be limited to administrative and business networks,” the agencies said.

A nuclear industry spokesman told Reuters on Saturday that hackers have never gained access to a nuclear plant.

The Homeland Security technical bulletin included details of code used in a hacking tool that suggest the hackers sought to use the password of a Wolf Creek employee to access the network.

Hageman declined to say if hackers had gained access to that employee’s account. The employee could not be reached for comment.

(Reporting by Jim Finkle in Toronto; Additional reporting by Dustin Volz in Washington; Editing by Bernard Orr)

Private not state hackers likely to have targeted UK parliament: sources

FILE PHOTO - The Union Flag flies near the Houses of Parliament in London, Britain, June 7, 2017. REUTERS/Clodagh Kilcoyne/File Photo

LONDON (Reuters) – A cyber attack on email accounts of British lawmakers last month is likely to have been by amateur or private hackers rather than state-sponsored, European government sources said.

The private email accounts of up to 90 of the 650 members of Britain’s House of Commons were targeted in late June, with some news reports suggesting that the attack was carried out by a foreign government, such as Russia.

However, cyber security experts had found that the hackers only managed to access accounts of lawmakers who used primitive and easily discovered passwords, the sources, who are familiar with the investigations into the attacks, said.

It remains unclear who did carry out the attack, they added.

Investigators hope the hack will convince politicians and other public figures to use more sophisticated passwords for their email and other online activities.

British authorities are not commenting publicly on the progress of investigations, but an official cautioned after the hack was discovered that “cyber threats to the UK come from criminals, terrorists, hacktivists as well as nation states.”

(Reporting by Mark Hosenball; Editing by Alexander Smith)

Ukraine software firm says computers compromised after cyber attack

FILE PHOTO - A projection of cyber code on a hooded man is pictured in this illustration picture taken on May 13, 2017. REUTERS/Kacper Pempel/Illustration

KIEV (Reuters) – The Ukrainian software firm at the center of a cyber attack that spread around the world last week said on Wednesday that computers which use its accounting software are compromised by a so-called “backdoor” installed by hackers during the attack.

The backdoor has been installed in every computer that wasn’t offline during the cyber attack, said Olesya Bilousova, the chief executive of Intellect Service, which developed M.E.Doc, Ukraine’s most popular accounting software.

Last week’s cyber attack spread from Ukraine and knocked out thousands of computers, disrupting shipping and shut down a chocolate factory in Australia as it reached dozens of countries around the world.

Ukrainian politicians were quick to blame Russia for a state-sponsored hack, which Moscow denied, while Ukranian cyber police and some experts say the attack was likely a smokescreen for the hackers to install new malware.

The Ukrainian police have seized M.E.Doc’s servers and taken them offline. On Wednesday morning they advised every computer using M.E.Doc software to be switched off. M.E.Doc is installed in around 1 million computers in Ukraine, Bilousova said.

“… the fact is that this backdoor needs to be closed. There was a hacking of servers,” Bilousova told reporters.

“As of today, every computer which is on the same local network as our product is a threat. We need to pay the most attention to those computers which weren’t affected (by the attack). The virus is on them waiting for a signal. There are fingerprints on computers which didn’t even use our product.”

(Reporting by Jack Stubbs; writing by Matthias Williams; Editing by Toby Chopra)

Police seize servers of Ukrainian software firm after cyber attack

A view shows a laptop display (R) showing part of a code, which is the component of Petya malware computer virus according to representatives of Ukrainian cyber security firm ISSP, with an employee working nearby at the firm's office in Kiev, Ukraine July 4, 2017. REUTERS/Valentyn Ogirenko

By Jack Stubbs and Pavel Polityuk

KIEV (Reuters) – Ukrainian police on Tuesday seized the servers of an accounting software firm suspected of spreading a malware virus which crippled computer systems at major companies around the world last week, a senior police official said.

The head of Ukraine’s Cyber Police, Serhiy Demedyuk, told Reuters the servers of M.E.Doc – Ukraine’s most popular accounting software – had been seized as part of an investigation into the attack.

Though they are still trying to establish who was behind last week’s attack, Ukrainian intelligence officials and security firms have said some of the initial infections were spread via a malicious update issued by M.E.Doc, charges the company’s owners deny.

The owners were not immediately available for comment on Tuesday.

Premium Service, which says it is an official dealer of M.E.Doc’s software, wrote a post on M.E.Doc’s Facebook page saying masked men were searching M.E.Doc’s offices and that the software firm’s servers and services were down.

Premium Service could not be reached for further comment.

Cyber Police spokeswoman Yulia Kvitko said investigative actions were continuing at M.E.Doc’s offices, adding that further comment would be made on Wednesday.

The police move came after cyber security investigators unearthed further evidence on Tuesday that the attack had been planned months in advance by highly-skilled hackers, who they said had inserted a vulnerability into the M.E.Doc progamme.

Ukraine also took steps on Tuesday to extend its state tax deadline by one month to help businesses hit by the malware assault.

Researchers at Slovakian security software firm ESET said they had found a “backdoor” written into some of M.E.Doc’s software updates, likely with access to the company’s source code, which allowed hackers to enter companies’ systems undetected.

“VERY STEALTHY AND CUNNING”

“We identified a very stealthy and cunning backdoor that was injected by attackers into one of M.E.Doc’s legitimate modules,” ESET senior malware researcher Anton Cherepanov said in a technical note. “It seems very unlikely that attackers could do this without access to M.E.Doc’s source code.”

“This was a thoroughly well-planned and well-executed operation,” he said.

ESET said at least three M.E.Doc updates had been issued with the “backdoor vulnerability”, and the first one was sent to clients on April 14, more than two months before the attack.

ESET said the hackers likely had access to M.E.Doc’s source code since the beginning of the year, and the detailed preparation before the attack was testament to the advanced nature of their operation.

Oleg Derevianko, board chairman at Ukrainian cyber security firm ISSP, said an update issued by M.E.Doc in April delivered a virus to the company’s clients which instructed computers to download 350 megabytes of data from an unknown source on the internet.

The virus then exported 35 megabytes of company data to the hackers, he told Reuters in an interview at his office in Kiev.

“With this 35 megabytes you can exfiltrate anything – emails from all of the banks, user accounts, passwords, anything.”

Little known outside Ukrainian accounting circles, M.E.Doc is used by around 80 percent of companies in Ukraine. The software allows its 400,000 clients to send and collaborate on financial documents between internal departments, as well as file them with the Ukrainian state tax service.

Ukraine’s government said on Tuesday it would submit a draft law to parliament for the country’s tax deadline to be extended to July 15, and waive fines for companies who missed the previous June 13 cutoff because of the attack.

“We had program failures in connection to the cyber attack, which meant that businesses were unable to submit account reports on time,” Prime Minister Volodymyr Groysman told a cabinet meeting.

Separately, Ukraine’s security service, the SBU, said it had discussed cyber defense with NATO officials and had received equipment from the alliance to better combat future cyber attacks. Ukraine is not in NATO but is seeking closer ties.

On Saturday Ukrainian intelligence officials accused Russian security services of being behind the attack, and cyber security researchers linked it to a suspected Russian group who attacked the Ukrainian power grid in December 2016.

A Kremlin spokesman dismissed charges of Russian involvement as “unfounded blanket accusations”.

Derevianko said the hacker’s activity in April and reported access to M.E.Doc’s source code showed Ukraine’s computer networks had already been compromised and that the intruders were still operating inside them.

“It definitely tells us about the advanced capabilities of the adversaries,” he said. “I don’t think any additional evidence is needed to attribute this to a nation-state attack.”

(Additional reporting by Natalia Zinets; Writing by Jack Stubbs; Editing by Gareth Jones and Matthias Williams)

Sign up for Jim Bakker Show