NotPetya: Accounting software firm whose update mechanism was compromised to spread malware may face criminal charges
Ukraine's ME Doc was running vulnerable, out-of-date FTP software to update clients' software
ME Doc, the Ukrainian accounting software company whose update mechanism was compromised and used to spread the NotPetya malware, may face criminal charges for negligence.
In an interview with Associated Press, Serhiy Demydiuk, the head of Ukraine's national Cyberpolice unit, claimed that the company had repeatedly ignored warnings from both employees and security specialists that its IT infrastructure was insecure.
"They knew about it," Demydiuk told AP. "They were told many times by various anti-virus firms... For this neglect, the people in this case will face criminal responsibility."
ME Doc employees had also warned company managers about insecurities in the company's infrastructure, but had been ignored, Demydiuk added.
The vulnerabilities in the company's FTP-based updating mechanism were identified by security analyst Jonathan Nichols, who used the Shodan search engine, which can uncover data on devices connected to the internet. In a blog posting, Nichols claimed that compromising ME Doc with NotPetya was "so easy, anyone could do it".
The company's response to the attack has also been criticised as inconsistent: it first issued a response admitting responsibility, then retracted it and described reports pointing the finger of blame at the company as "clearly erroneous". It later admitted that it was cooperating with the Ukrainian authorities.
In a statement, the company said that it had contacted law enforcement in Ukraine to help "search for the source of the attack, find out its mechanisms and determine the steps to be taken to eliminate the consequences".
It also called in security specialists from networking giant Cisco to conduct an internal investigation, including cyber forensics.
While the malware mostly affected organisations in Ukraine, law firm DLA Piper and Danish shipping giant AP Moller-Maersk were among the companies outside the country affected by NotPetya.
It nevertheless did not infect as many organisations or PCs as May's WannaCry ransomware outbreak, despite the use of US National Security Agency (NSA) exploits intended to make it self-propagating.
Ukraine has pointed the finger of blame at neighbouring Russia for the outbreak.
The country's authorities claim that Ukraine has come under repeated cyber attack from its larger neighbour since a pro-Russian president was kicked out of office following protests. Russia also seized Ukraine's Crimea region in March 2014 and is supporting separatist rebels in eastern Ukraine.