The Ukrainian software firm at the center of last week’s global cyber attack warned on Wednesday that all computers sharing a network with its infected accounting software had been compromised by hackers.
The attack used a virus, dubbed “NotPetya” by some experts, to take down thousands of computers in dozens of countries, disrupting shipping and even shutting down a chocolate factory in Australia.
Late on Tuesday, Ukrainian police seized servers at the office of developer Intellect Service after cyber security researchers said they had found a “backdoor” written into some of the updates issued by its M.E. Doc accounting software.
M.E. Doc is used by 80 percent of Ukrainian companies and installed on around 1 million computers in the country. Interior Minister Arsen Avakov said earlier on Wednesday police had blocked a second cyber attack from servers hosting the software.
Intellect Service previously denied its servers had been compromised, but when asked on Wednesday whether a backdoor had been inserted, Chief Executive Olesya Bilousova said: “Yes there was. And the fact is that this backdoor needs to be closed.”
She said any computer on the same network as machines using M.E.Doc was now vulnerable to another attack.
“As of today, every computer which is on the same local network as our product is a threat. We need to pay the most attention to those computers which weren’t affected (by last week’s attack),” she told reporters.
“The virus is on them waiting for a signal. There are fingerprints on computers which didn’t even use our product.”
Investigators are still trying to establish who was behind last week’s attack. Ukrainian politicians were quick to blame Russia for a state-sponsored hack, a charge Moscow denies, while Ukrainian cyber police and some experts say the attack was likely a smokescreen used by the hackers to install new malware.
Police have advised businesses to stop using M.E.Doc and turn off every computer running the software.
ESET senior malware researcher Anton Cherepanov, who first discovered the M.E.Doc backdoor, said computers using the program would be at risk until a further update was issued.
But as the company’s servers were currently offline, he said, hackers could not access the compromised machines for the time being.
“The backdoor is using official M.E.Doc servers as a command and control server. Since these servers are offline, the attackers can’t control backdoored machines anymore,” he said in written comments to Reuters.
(Additional reporting by Pavel Polityuk; Editing by Matthias Williams and Raissa Kasolowsky)