The Ukrainian software firm used as part of last week’s global cyber attack warned on Wednesday that all computers sharing a network with its infected accounting software had been compromised by hackers.
The attack used a virus, dubbed “NotPetya” by some experts, to take down thousands of computers in dozens of countries, disrupting shipping and businesses. Investigators now say the hack may be far more nefarious than previously thought.
A top official in the Ukrainian Presidential Administration said it remained unclear how many computers had been compromised and the state security service was trying to establish what the hackers would do with data stolen during the attack.
A video released by Ukrainian police showed masked men in combat fatigues and armed with assault rifles raiding the offices of software developer Intellect Service late on Tuesday, after cyber security researchers said they had found a “backdoor” written into some of the updates issued by its M.E. Doc accounting software.
Get Data Sheet, Fortune’s technology newsletter.
M.E. Doc is used by 80% of Ukrainian companies and installed on around 1 million computers in the country. Interior Minister Arsen Avakov said police had blocked a second cyber attack from servers hosting the software.
The company previously denied its servers had been compromised, but when asked on Wednesday whether a backdoor had been inserted, chief executive Olesya Bilousova said: “Yes there was. And the fact is that this backdoor needs to be closed.”
Any computer on the same network as machines using M.E.Doc was now vulnerable to another attack, she said.
“As of today, every computer which is on the same local network as our product is a threat. We need to pay the most attention to those computers which weren’t affected (by last week’s attack),” she told reporters.
“The virus is on them waiting for a signal. There are fingerprints on computers which didn’t even use our product.”
Dmytro Shymkiv, deputy head of Ukraine’s presidential administration and a former director of Microsoft in Ukraine, said the latest evidence further pointed to an advanced and well-orchestrated attack.
“I am looking through the analysis that has been done on the M.E.Doc server, and from what I’m seeing, that’s worrying. Worrying is a very light word for this,” he said. “How many backdoors are still open? We don’t know.”
He also said M.E.Doc’s servers had not been updated since 2013, providing some indication as to how the hackers were able to access the system.
Intellect Service said Shymkiv’s comments referred to a disk used to store M.E.Doc’s software updates.
Smokescreen
Cyber security experts said that while hackers have previously been known to insert viruses into software updates—thus tricking computers and system administrators into installing the malware on their own systems—the attack on Ukraine is the largest and most disruptive such assault to date.
“We are in a new phase of cyber security and the way that sophisticated actors behave,” said Leo Taddeo, a former FBI cyber investigator and executive with cyber-security firm Cyxtera Technologies. “I can’t think of a supply chain attack that has been this thorough.”
Investigators are still trying to establish who was behind last week’s attack. Ukrainian politicians were quick to blame Russia, which denied it.
Technology news site Motherboard reported late on Wednesday that people claiming to be behind the attack had posted a message online offering to unlock all encrypted files for a bitcoin payment of $256,000. Reuters was unable to confirm the report.
Shymkiv said the assault was designed to look like a ransomware attack in order to disguise its true objective.
“Initially everybody thought, including me, that it was just an attack with a virus,” he said. “It was not an attack with a virus, it was opening a backdoor, which was a hack of the computer networks on a broad scale and then eliminating the results with a virus.”
“It’s like a robber, you get to the house, you steal everything, and then you burn it.”
