 
 A closed bank branch in Kiev, Ukraine, on Tuesday. Software by the Ukrainian company M.E.Doc, which appeared to be exploited in a cyberattack, is widely installed at government agencies and banks. Credit Sergei Supinsky/Agence France-Presse — Getty Images
KIEV, Ukraine — The day started like most for Roman N. Klimenko, an accountant in Kiev who had just settled in at his desk, typing at a computer keyboard and drinking coffee. He was unaware that concealed within his tax preparation software lurked a ticking bomb.
That bomb soon exploded, destroying his financial data and quickly spreading through computer systems vital to Ukraine’s government — and beyond. The cyberattack, on Tuesday, was caused by a virus similar to one that wreaked global havoc less than two months ago.
Both had the appearance of hacker blackmail assaults known as ransomware attacks: screens of infected computers warn users their data will be destroyed unless ransoms are paid.
But in Ukraine’s case, a more sinister motive — paralysis of the country’s vital computer systems — may have been at work, cybersecurity experts said on Wednesday. And many Ukrainians cast their suspicions on Russia.
Cybersecurity experts based their reasoning partly on having identified the group of Ukrainian users who were initially and improbably targeted: tax accountants.
All are required by law to use a tax preparation software such as that made by a Ukrainian company, M.E.Doc. The software that runs on Microsoft Windows-based computers was recently updated. Microsoft issued a statement on Wednesday saying it “now has evidence that a few active infections of the ransomware initially started from the legitimate M.E.Doc updater process.”
Cybersecurity experts said that whoever launched the assault — on the eve of a holiday celebrating Ukrainian independence — must have known that M.E.Doc software, which is integrated into Ukrainian government computers, was their gateway.
“You don’t hit the day before Constitution Day for no reason,” said Craig Williams, the senior technical researcher with the Talos division of Cisco, the American technology company, which helped pinpoint the origin of the Tuesday attack.
Brian Lord, a former deputy director for intelligence and computer operations at Britain’s Government Communications Headquarters, the country’s equivalent to the National Security Agency, said, “This isn’t about the money.”
“This attack is about disabling how large companies and governments can operate,” he added. “You get a double whammy of the initial cyberattack and then organizations being forced to shut down their operations.”
For Mr. Klimenko, the software update seemed to go fine — until hours later. “The screen became red,” he said in an interview. “A warning appeared, and everything on the hard drive was scrambled.”
Mr. Klimenko quickly realized he had lost all past-year filings, a catastrophe for an accountant. “Now I cannot confirm that I filed,” he said. “Honestly, I don’t understand what happened.”
Yet to be determined is the source of the virus. But Russia was seen as the prime suspect because it has been engaged in overt and covert warfare with Ukraine since the 2014 revolution that deposed a Kremlin-friendly government. A Russian role has yet to be proven and may never be. Nevertheless, analysts said on Wednesday that if the attackers’ object was to sow chaos at the highest levels in Ukraine, M.E.Doc provided an ideal way. Its software is not only widely installed at government agencies and banks, but is mandatory at many Ukrainian businesses and government agencies.
M.E.Doc said in a statement that it could not confirm whether the virus had been distributed through the update, but that it was “cooperating with Ukraine’s cyberpolice on the investigation.”
In another indication that Ukraine was a prime target, the national police said on Wednesday that more than 1,500 companies had filed complaints or appealed for help because of computer intrusions. That was far more than in other countries, although Russia seemed to be the second-most widely affected.
While analysts remained cautious about assigning blame, there was little reticence in official circles in Ukraine, particularly as it became clear that the country was the primary target. The timing was an especially clear sign of political intent, they said.
Adding to their suspicions, just a few hours before the computer strike, a Ukrainian military intelligence officer, Maksim Shapoval, was killed by a car bomb in Kiev. It was the latest in a string of assassinations of opponents and critics of Russia in the Ukrainian capital.
“War in cyberspace, seeding fear and horror among millions of personal computer users, and inflicting direct material damage from destabilizing the work of businesses and the state, is just one part of the hybrid war of the Russian empire against Ukraine,” Anton Gerashenko, a member of Parliament, wrote on Facebook. The assassination of Mr. Shapoval is another, he wrote. Mr. Gerashenko called the spread of the virus the “most massive computer attack in the history of Ukraine.” He said it was only “masked as an effort to extort money from computer users,” with the real goal economic disruption.
In this view, what began as a strike at Ukraine later and perhaps inadvertently spread to other countries merely as collateral damage.
The timing of the attack was suspect in another way, coming after a rare stretch of upbeat news in Ukraine. Last week, the European Union waived visa requirements for Ukrainians, at least those few fortunate enough to have the means to travel. That was a euphoric moment for many Ukrainians, some of whom could be seen celebrating with raised fists after gliding through immigration lanes in European airports.
President Petro O. Poroshenko met in Washington with President Trump, undermining what politicians here say is an overarching Russian goal of weakening Ukraine by highlighting the incompetence and corruption of the government.
The attack also comes in the context of a long-running trade war between Russia and Ukraine, on the sidelines of the actual shooting war in eastern Ukraine between the government and Russian-backed separatists.
In recent months, the authorities in Kiev have banned Russian software imports and blocked coal shipments from areas under rebel control. The coal embargo cut off a vital financial lifeline in the east, forcing Russia to take some of the coal.
The police have established a computer headquarters with the domestic intelligence agency, the S.B.U., and Cisco to analyze the attack in hopes of tying it to Russia. Though cybersecurity experts have not linked the malware to any particular state or criminal group, a Russian computer attack targeting Ukraine’s economy would be consistent with the recent economic skirmishing, analysts say.
“If you look at Ukrainian cyberspace, M.E.Doc is an excellent carrier for a virus,” Ivan Lozowy, director of the Institute of Statehood and Democracy, said in a telephone interview. The software is used by businesses large and small, and it can transmit a virus to government computers, where it is designed to file returns. “The Russians are interested in Ukraine having as many problems as possible,” he said.