Ukraine Cyberattack Was Meant to Paralyze, not Profit, Evidence Shows

KIEV, Ukraine — The day started like most for Roman N. Klimenko, an accountant in Kiev who had just settled in at his desk, typing at a computer keyboard and drinking coffee. He was unaware that concealed within his tax preparation software lurked a ticking bomb.

That bomb soon exploded, destroying his financial data and quickly spreading through computer systems vital to Ukraine’s government — and beyond. The cyberattack, on Tuesday, was caused by a virus similar to one that wreaked global havoc less than two months ago.

Both had the appearance of hacker blackmail assaults known as ransomware attacks: screens of infected computers warn users their data will be destroyed unless ransoms are paid.

But in Ukraine’s case, a more sinister motive — paralysis of the country’s vital computer systems — may have been at work, cybersecurity experts said on Wednesday. And many Ukrainians cast their suspicions on Russia.

Cybersecurity experts based their reasoning partly on having identified the group of Ukrainian users who were initially and improbably targeted: tax accountants.

All are required by law to use tax preparation software such as that made by a Ukrainian company, M.E.Doc. The software, which runs on Microsoft Windows-based computers, was recently updated. Microsoft issued a statement on Wednesday saying it “now has evidence that a few active infections of the ransomware initially started from the legitimate M.E.Doc updater process.”

Cybersecurity experts said that whoever launched the assault — on the eve of a holiday celebrating Ukrainian independence — must have known that M.E.Doc software, which is integrated into Ukrainian government computers, was their gateway.

“You don’t hit the day before Constitution Day for no reason,” said Craig Williams, the senior technical researcher with the Talos division of Cisco, the American technology company, which helped pinpoint the origin of the Tuesday attack.

Brian Lord, a former deputy director for intelligence and computer operations at Britain’s Government Communications Headquarters, the country’s equivalent to the National Security Agency, said, “This isn’t about the money.”

“This attack is about disabling how large companies and governments can operate,” he added. “You get a double whammy of the initial cyberattack and then organizations being forced to shut down their operations.”

For Mr. Klimenko, the software update seemed to go fine — until hours later. “The screen became red,” he said in an interview. “A warning appeared, and everything on the hard drive was scrambled.”

Read more at The New York Times.