The primary target of a crippling computer virus that spread from Ukraine across the world this week is highly likely to have been that country’s computer infrastructure, a top Ukrainian police official told Reuters on Thursday.
Cyber security firms are trying to piece together who was behind the computer worm, dubbed NotPetya by some experts, which has paralyzed thousands of machines worldwide, shutting down ports, factories and offices as it spread through internal organizational networks to an estimated 60 countries.
Ukrainian politicians were quick on Tuesday to blame Russia, but a Kremlin spokesman dismissed “unfounded blanket accusations.” Kiev has accused Moscow of two previous cyber strikes on the Ukrainian power grid and other attacks since Russia annexed Crimea in 2014.
A growing consensus among security researchers, armed with technical evidence, suggests the main purpose of the attack was to install new malware on computers at government and commercial organizations in Ukraine. Rather than extortion, the goal may be to plant the seeds of future sabotage, experts said.
International firms appear to have been hit through their operations in the country.
Get Data Sheet, Fortune’s technology newsletter.
Slovakian security software firm ESET released statistics on Thursday showing 75% of the infections detected among its global customer base were in Ukraine, and that all of the top 10 countries hit were located in central, eastern or southern Europe.
Arne Schoenbohm, president of BSI, Germany’s federal cyber security agency, told Reuters in an interview on Thursday that most of the damage from the attack had hit Ukraine, and Russia to a lesser extent, with only a few dozen German firms affected.
“In all of the known cases, the companies were first infected through a Ukrainian subsidiary,” the German official said.
Smokescreen
Ukraine’s cyber police said in a statement on Thursday morning that it had received 1,500 requests for help from individuals and companies in connection with the virus.
The malicious code in the new virus encrypted data on computers and demanded victims pay a $300 ransom, similar to the extortion tactic used in a global WannaCry ransomware attack in May.
A top Ukrainian police official told Reuters that the extortion demands were likely a smokescreen, echoing working hypotheses from top cyber security firms, who consider NotPetya a “wiper,” or tool for destroying data and wiping hard disks clean, that is disguised as ransomware.
“Since the virus was modified to encrypt all data and make decryption impossible, the likelihood of it being done to install new malware is high,” the official, who declined to be identified, wrote in a phone text message to Reuters.
Information Systems Security Partners (ISSP), a Kiev-based cyber research firm that has investigated previous cyber attacks against Ukraine, is pursuing the same line of inquiry.
ISSP said that given that few people actually paid the $300 demanded for removing the virus, money was unlikely to be the primary object of the attack.
“It’s highly likely that during this attack new attacks were set up,” said ISSP chairman Oleg Derevianko.
“At almost all organizations whose network domains were infected, not all computers went offline,” he said by phone. “Why didn’t they all go offline? We are trying to understand what they might have left on those machines that weren’t hit.”
Ukraine’s National Security and Defence Council Secretary Oleksandr Turchynov said the virus was first and foremost spread through an update issued by an accounting services and business management software.
“Also involved was the hosting service of an internet provider, which the SBU (Ukraine’s state security service) has already questioned about cooperation with Russian intelligence agencies,” he said, according to a statement.
Destructive Intent
Technical experts familiar with the recent history of the cyber escalation between Russia and Ukraine, say these latest attacks are part of the wider political and military conflict, although no “smoking gun” has been found to identify the culprits.
John Hultquist, a cyber intelligence analyst with FireEye, said the failed ransomware attack disguises an as yet unseen destructive motive. “If it were an attack masquerading as crime, that would not be unprecedented at all,” Hultquist said.
Some cyber security researchers have said the fact that the Kremlin’s two flagship energy companies are victims of the attack could suggest Moscow was not behind it.
Russian oil major Rosneft was one of the first companies to reveal it had been compromised by the virus and sources told Reuters on Thursday computers at state gas giant Gazprom had also been infected.
For technical reasons, NotPetya appears to be more targeted than last month’s global ransomware attack, known as WannaCry. When first infected by WannaCry, computers scanned the internet globally for other vulnerable machines.
By contrast, NotPetya does not randomly scan the Internet to find new computers to infect. It only spreads itself inside organizational networks, taking advantage of a variety of legitimate network administration tools.
This makes it far harder for anti-virus software or network security technicians to detect. It also gives it the capacity to infect other Windows computers, even those with the latest security patches, several security firms warned on Thursday.
“Petya is proving to be more sophisticated than WannaCry in terms of scope, ability to be neutralized, and apparently, the motivation behind its launch,” corporate security consulting firm Kroll has advised its clients.
This Ukrainian Company Is Likely Behind the Ransomware Wave
So far, NotPetya appears only to have been distributed inside Ukraine via a handful of so-called “watering-hole attacks” – by piggy-backing on the software updating feature of a popular national tax accounting program known as MEDoc.
Kaspersky, a global cyber security firm based in Russia, also said they found a second distribution point on a local news site in the city of Bakhmut, Ukraine, which infected visitors who clicked on the site with the ransomware-like attack.
“Our analysis indicates the main purpose of the attack was not financial gain, but widespread destruction,” said Costin Raiu, Kaspersky’s global head of research. “NotPetya ..combined elements of a targeted watering hole attack we’ve traditionally seen used by nation states with traditional software exploitation to devastate a specific user base,” Lesley Carhart, a Chicago-based security researcher, wrote in a blog widely shared online by top security experts.
