MeDoc, a little-known Ukrainian firm, is likely the primary source for the global ransomware attack that tore through corporate networks on Tuesday, according to cybersecurity researchers.
MeDoc is a financial tech company that makes accounting software to help people and businesses process taxes. Security researchers said that hackers seemed to have breached the company’s computer systems and compromised a software update that was pushed to its customers on June 22.
(The company did not immediately respond to Fortune’s request for comment.)
Get Data Sheet, Fortune’s technology newsletter.
After landing on victims’ machines, the malicious software then spread stealthily across networks through a vulnerability in Microsoft Windows, which Microsoft (msft) released patches for in March. Companies that did not apply the patch—sealing a hole exploited by a leaked hacking tool associated with the U.S. National Security Agency—were vulnerable.
Additionally, the malware spread by harvesting usernames and passwords from infected computers. Should one of these computers happen to have had administrative privileges, that login information could be used that to take over other machines on the network managed under the same credentials.
The timing and initial target of the attack, MeDoc, is sure to provoke speculation that an adversary of Ukraine might be to blame. The ransomware hid undetected for five days before being triggered a day before a public Ukrainian holiday that celebrates the nation’s ratification of a new constitution in 1996.
“Last night in Ukraine, the night before Constitution Day, someone pushed the detonate button,” said Craig Williams, head of Cisco’s (csco) Talos threat intelligence unit. “That makes this more of a political statement than just a piece of ransomware.”
“It’s very clear that whoever was behind this would somehow benefit from causing significant amount of negative business impact on Constitution Day,” Williams added.
Obvious candidates come to mind—including Moscow or pro-Russian hackers, for example—though it is still too early to begin pointing fingers in terms of attribution. More details are sure to come to light in coming days as security researchers continue digging into the attack code and search for its perpetrators.
Williams added that his team has found no other initial vector than MeDoc as yet. Researchers at Kaspersky Labs, a Russian antivirus firm, also noted the link to MeDoc in its write-up of the incident, as did several other researchers.