Skip to main content

Ukranian company that spread Petya could face criminal charges for vulnerability

Ukranian company that spread Petya could face criminal charges for vulnerability


The hack was easier than we thought

Share this story

Illustration by Alex Castro / The Verge

Last week’s globe-spanning ransomware outbreak may have started with a remarkably simple attack. This morning, independent security analyst Jonathan Nichols discovered an alarming vulnerability in the update servers for Ukrainian software company MeDoc, one of the companies at the center of the attack.

Researchers believe that many of the initial Petya infections were the result of a poisoned update from MeDoc, which sent out malware disguised as a software update. But according to Nichols’ research, sending out that poisoned update may have been a relatively simple task, thanks to underlying weaknesses in the company’s security.

“It's very possible that anyone could have done it”

Scanning the company’s infrastructure, Nichols found that MeDoc’s central update servers was running outdated FTP software with a outstanding vulnerability that is easily exploited by publicly available software. It’s a serious security issue, and could have let nearly anyone spread poisoned updates through the system. It’s unclear if that particular vulnerability was used by the Petya attackers — or if it was exploitable at all — but the presence of such outdated software indicates there may have been several ways into the system.

“It's very possible that anyone could have done it,” Nichols said, although he acknowledged he hadn’t tried to exploit the vulnerability for fear of committing a crime. “One would have to hack the server to be 100 percent confident.”

Ukrainian authorities have already threatened MeDoc with criminal charges for ignoring those vulnerabilities. In an interview with the Associated Press, head of Ukrainian Cyberpolice chief Col. Serhiy Demydiuk said the company had been warned several times about lax security practices, primarily by private-sector firms. “They knew about it,” Demydiuk told the AP in an interview. “They were told many times by various anti-virus firms ... for this neglect, the people in this case will face criminal responsibility.”

It’s hard to say whether this sheds any light on the group behind the attack, although with such glaring vulnerabilities, the attack may have been simple enough for common criminals to pull off. But in the days since the attack, more research firms have linked the attack to Russia, with an ESET report on Friday tying the attack to the Dark Energy group that took down a Ukrainian power plant in 2015. On Sunday, a separate NATO-backed research firm officially attributed Petya to a nation-state actor, and argued the attack was sufficient to trigger a response from NATO member states.