‘Attackers behind Petya virus had been inside infected systems for three months’
The cyber attackers who recently hit companies in Ukraine and several other countries with the Petya virus already had access to the affected systems for three months.
That is what cybersecurity firm ESET stated on Tuesday after analysing the attack, which was carried out through the Ukrainian accounting software MeDoc.
As early as April, an official MeDoc update was released in which the attackers' backdoor was hidden. From that moment on they could, among other things, steal passwords or take control of computers, ESET's researchers say. It is not clear whether any information was actually captured ahead of the Petya attack.
Interestingly, between April and June eleven further MeDoc updates were released that did not contain the backdoor. In three updates, including the most recent one on 22 June, the backdoor was present.
Notably, the attackers used no separate command-and-control server to communicate with infected systems. Instead, information was sent along with MeDoc's regular checks for new updates.
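The detection consequence of that last point is worth spelling out: if the backdoor talks to the vendor's own update endpoint, a defence that only looks for connections to unknown command-and-control domains sees nothing, because every destination is legitimate. What can still stand out is the shape of the traffic, for example an update check that carries far more outbound data than the same check from other clients. The following is an added illustration of that heuristic over constructed proxy-log lines; it is not part of the article or of ESET's published analysis, and the log format, the host name `updates.example-vendor.test` and the sample records are all assumptions made for the example.

```python
"""
Added example (not from the article or ESET): spotting command-and-control
traffic hidden inside legitimate software update checks.

Two checks are contrasted:
  1. a destination allowlist, which passes everything here because the
     backdoor only ever talks to the vendor's update host;
  2. a size heuristic over the update checks themselves, which flags the
     one client whose "update check" sends several times more data than
     its peers.

All input is constructed: the log format ("<ts> <client> <method> <url>
<request_bytes> <response_bytes>"), the hosts, and the records.
"""
import re
import statistics
from urllib.parse import urlsplit

# Assumed vendor update host (hypothetical; not the real MeDoc endpoint).
UPDATE_HOST = "updates.example-vendor.test"

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"
    r"(?P<req_bytes>\d+)\s+(?P<resp_bytes>\d+)$"
)

# Constructed sample: five clients doing the routine version check, one of
# which (10.0.1.14) ships ~3 KB instead of ~400 bytes, plus one unrelated
# intranet POST that must not be mistaken for an update check.
SAMPLE_LOG = """\
2017-06-22T08:00:01Z 10.0.1.11 GET http://updates.example-vendor.test/check?v=10.01.176 412 138
2017-06-22T08:00:03Z 10.0.1.12 GET http://updates.example-vendor.test/check?v=10.01.176 409 138
2017-06-22T08:00:07Z 10.0.1.13 GET http://updates.example-vendor.test/check?v=10.01.176 415 138
2017-06-22T08:00:09Z 10.0.1.14 GET http://updates.example-vendor.test/check?v=10.01.176 2981 138
2017-06-22T08:00:12Z 10.0.1.15 GET http://updates.example-vendor.test/check?v=10.01.176 410 138
2017-06-22T08:00:15Z 10.0.1.11 POST http://intranet.example.test/report 5120 200
"""


def parse_log(text):
    """Parse proxy-log lines into dicts; byte counts become ints, host is split off the URL."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        rec = m.groupdict()
        rec["req_bytes"] = int(rec["req_bytes"])
        rec["resp_bytes"] = int(rec["resp_bytes"])
        rec["host"] = urlsplit(rec["url"]).hostname
        records.append(rec)
    return records


def unknown_destinations(records, allowlist):
    """Hosts contacted that are not on the allowlist. Empty here: the C2 path is the update host."""
    return {r["host"] for r in records if r["host"] not in allowlist}


def flag_oversized_checks(records, host=UPDATE_HOST, factor=3.0):
    """
    Flag update checks to `host` whose outbound size exceeds `factor` times
    the median outbound size of all update checks in the window.  The median
    is robust to the outlier itself, so one backdoored client does not drag
    the baseline up.  Needs at least three checks to form a baseline.
    """
    checks = [r for r in records if r["host"] == host]
    if len(checks) < 3:
        return []
    median = statistics.median([r["req_bytes"] for r in checks])
    return [
        {"ts": r["ts"], "client": r["client"], "req_bytes": r["req_bytes"], "median": median}
        for r in checks
        if r["req_bytes"] > factor * median
    ]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    allowed = {UPDATE_HOST, "intranet.example.test"}
    print("unknown destinations:", unknown_destinations(recs, allowed) or "none")
    for hit in flag_oversized_checks(recs):
        print(f"oversized update check from {hit['client']} at {hit['ts']}: "
              f"{hit['req_bytes']} bytes vs median {hit['median']}")
```

The size heuristic is only one angle; in practice one would also compare a client against its own history and look at request fields an update check has no reason to vary (cookies, query parameters). The point the example makes is narrower: when the channel is the vendor's own, the destination tells you nothing and you have to look at the content.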
For affected companies, the new discovery means extra caution is needed, according to Dave Maas, director of ESET Netherlands.
“The danger is that the attackers have had virtually complete access for three months and that passwords have been stolen,” he says. “The attack is not over once systems are restored and MeDoc is updated.”
On Monday, the head of the Ukrainian police's cyber department had already said that the company behind MeDoc was aware of security problems. Warnings about these were reportedly ignored, however.
In an interview with Reuters, the two creators of MeDoc, a Ukrainian father and daughter, say their software was not responsible for the cyber attack. According to the two, there is no proof that malicious software was included in a MeDoc update. Security experts from various companies, however, say they have found evidence of exactly that.
The Petya attack hit companies mainly in Ukraine, but also abroad. APM Terminals, which operates in the port of Rotterdam, and parcel delivery company TNT Express were affected as well. ESET attributes the attack to the TeleBots group, which carried out earlier attacks in Ukraine. Ukraine has accused Russia of the attack, but no conclusive evidence has been presented so far.
TNT said on Tuesday that progress is being made in resolving the cyber attack. A spokesperson states that TNT's national and regional services are largely operational again, but that there are still delays.