Bleeping Computer was told today that Ukrainian Police seized the servers from where the NotPetya ransomware outbreak first started to spread.
The servers belonged to Intellect Service, a Ukrainian company that sells accounting software under the names of IS-pro and M.E.Doc. A former Intellect Service employee confirmed the raid to Bleeping Computer today. Similar reports were also published today in local media, BBC, and Reuters, citing a high-ranking source in Ukrainian police. Local police acknowledged the raids a day later on July 5, in an update on its site. Later it also published a video from the raid, which you can view above.
The group behind NotPetya compromised the company's servers and pushed malicious updates for the company's M.E.Doc software, which in turn installed the NotPetya ransomware.
The NotPetya group obviously miscalculated the ransomware's self-spreading component, and just like WannaCry last month, NotPetya spread uncontrollably to tens of countries around the globe.
While Intellect Service denied any wrongdoing, Microsoft, Bitdefender, Kaspersky, Cisco, and ESET have gone on record saying the M.E.Doc update servers were responsible for the initial NotPetya infections.
Evidence suggests that the servers were compromised many times in the past. Security researchers have seen M.E.Doc's servers spewing ransomware as early as May, and so did M.E.Doc's own users, who complained about infections on the company's forum. Ukrainian press also reported on incidents of compromised M.E.Doc servers in May, a month before NotPetya.
Bleeping Computer has reported on three ransomware campaigns that spread through the M.E.Doc servers: XData, NotPetya, and an unnamed WannaCry clone. All of these were configured to target Ukraine, and Ukraine alone.
Through all incidents, Intellect Service denied all accusations that its servers were hacked, over and over again. However, after days of constant denial, last week on Thursday, the company took a radical turn when it announced it would be collaborating with Cisco and local police to investigate the incident, half-heartedly admitting something might have happened.
Also last Thursday, the Ukrainian Secret Service (SBU) announced it was partnering with the FBI, Europol, and UK's NCA to investigate the NotPetya outbreak.
News about the raids came today from Ukrainian media. Yesterday, the Assocciated Press quoted a high-ranking Ukrainian official who hinted they might investigate the Ukrainian software company for their actions.
"They knew about it," Col. Serhiy Demydiuk, the head of Ukraine’s national Cyberpolice unit, said about Intellect Service and its past security incidents. "They were told many times by various anti-virus firms. For this neglect, the people in this case will face criminal responsibility."
Today, in a Reuters article, the company's founders denied any intentional wrongdoing once more.
Last week, a blog post from a Ukrainian web developer went viral, after it hinted that the real culprit behind the hacked server could have been M.E.Doc's web host, Wnet, a company that has been accused of having ties to Russia's intelligence service (FSB).
An investigation into the man's accusations revealed that the SBU had raided the web host on June 1, for "illegal traffic routing to Crimea in favor of Russian special services."
Despite the heavy-handed accusations slung by the SBU, in reality, Wnet had merely interconnected Internet traffic routes through Crimea after Ukraine's government ordered ISPs to cut off any ties with the former Ukrainian territory, now under Russia's jurisdiction.
Following the incident, the web host company released a statement titled "Wnet - traitors or patriots?" to clear its name and dispel any rumors of pro-Russian views.
Despite some wild conspiracy theory, there is tons of tangible evidence that M.E.Doc's servers were behind the infection, including internal telemetry data from both Microsoft and Bitdefender.
An ESET report released today even includes visual evidence, an image of a PHP backdoor (medoc_online.php) found on the company's update server during past incidents.
Furthermore, an analysis of the server during the NotPetya outbreak revealed glaring security vulnerabilities.
For example, the update server was running proftpd v1.3.4c, an older version for which publicly known remote code execution exploits exist, along with step-by-step tutorials, easy discoverable via a Google search.
On top of this, M.E.Doc's server also ran outdated versions of Nginx and OpenSSH, information that at one point was shared by Ukraine's cyber police Twitter account in the midst of the NotPetya outbreak, before being deleted.
Intellect Service can claim it did not intentionally participate in NotPetya's distribution, but that doesn't excuse its poor efforts in securing its update server, or for that matter the M.E.Doc software update mechanism, which didn't use HTTPS or cryptographically-signed binaries.
Article updated on July 5 with link to official statement from Ukrainian police and YouTube video.