A cyberattack that started in Ukraine before rippling across Europe on Tuesday had security experts racing to understand the intent of the latest computer virus to spook global Internet users.
The so-called Petya virus bore some resemblance to a growing wave of international ransomware attacks because it locked computers and demanded a payment to restore access.
Ukraine suffered the worst of it, with the virus hitting the country’s power grid, its largest airport, several big banks and computers in many government offices. Social media posts described problems at retail stores and small businesses.
The Ministry of Internal Affairs urged people across the country to turn off their computers to prevent the virus from spreading.
Government officials were already on edge after a car bombing that killed an army colonel earlier in the day. They believed the cyberattack was an attempt to throw the country into disarray as it moves into the fourth year of a conflict with Russia.
"It was a cyberattack with the ultimate goal of attempting to destabilize the situation in the economy and public consciousness of Ukraine,” Anton Gerashchenko, an advisor to Ukrainian Interior Minister Arsen Avakov, said in a statement on Facebook. “Today's cyberattack, the largest in the history of Ukraine, is not the last. There will be others.”
When the virus emerged late Tuesday morning, it triggered fears among security officials that it might be a more vicious form of the “WannaCry” ransomware virus that struck more than 300,000 computers last month. As WannaCry did, Petya exploits a flaw in the Windows operating system that millions of users have still not patched.
But by the end of the day, Kaspersky Lab, a Moscow-based security company, was reporting that Petya had probably hit only about 2,000 computers, with Ukraine followed by Russia as the biggest victims.
For companies that were hit, the effects were tremendous. In a statement to French media, a spokesman for Saint-Gobain, a multinational corporation, said that its systems had been infected and that the company was forced to shut down parts of its information technology infrastructure to prevent further damage.
Several major corporations confirmed they had been affected but did not offer many details.
Britain’s WPP, one of the world's largest advertising agencies, confirmed on Twitter that "IT systems in several WPP companies have been affected" and later said "everything is being done to return to normal operations as quickly as possible." A subsidiary of Danish shipping corporation Maersk reported that 17 of its shipping container terminals around the world had been hacked. And German broadcaster NDR reported that Beiersdorf, the maker of Nivea skin care products, was affected and that computer and phone systems at the company’s Hamburg headquarters were down.
In the U.S., pharmaceutical giant Merck reported it "was compromised today as part of global hack" and was investigating the extent of the effect. Law firm DLA Piper also confirmed that it was a victim of the virus. Politico posted a picture of a white board in the lobby of DLA's Washington, D.C., office warning employees not to turn on their computers.
By late afternoon, several cybersecurity researchers said they had traced the virus back to accounting software made by Ukrainian firm M.E. Doc, though the company disputed it was responsible. The theory was that someone had tucked the virus in a recent update that was pushed out by the company.
“Based on observed in-the-wild behaviors, the lack of a known, viable external spreading mechanism and other research we believe it is possible that some infections may be associated with software update systems for a Ukrainian tax accounting package called MeDoc,” according to statement on technology company Cisco’s security blog.
In a statement on Facebook, M.E. Doc executives denied the accusations, saying they had reviewed the code and found no signs of a virus.
“The M.E. Doc development team refutes this information and states that such conclusions are unambiguously erroneous, as the developer M.E. Doc, as the responsible software vendor, monitors the security and purity of its own code,” the company wrote.
Whatever the case, Ukrainian officials said the virus was in place in numerous systems with code that set it to activate at 11 a.m. on June 27, one day before Constitution Day, a national holiday.
The Petya virus’ reach appeared to be more limited than that of WannaCry because of its basic mechanism for spreading.
WannaCry sought to spread itself across the internet to reach as many computer networks as possible. Petya, by contrast, tried to infect as many computers as possible inside a network once it gained access. It looked for users’ credentials to access greater parts of a system. Although fewer systems may have been hit, the ones that Petya managed to infiltrate were nearly defenseless once the virus slipped in and rampaged across the internal networks.
Travis Farral, director of security strategy at cybersecurity firm Anomali, said he was concerned that whoever created Petya seemed to have found a new twist to spread a virus within systems even if they had patched the security flaw. At the same time, the virus seemed more focused on destruction rather than any actual blackmail scheme.
“That kind of ups the ante,” he said. “There is not a kill switch like there was with WannaCry. And the whole idea that it can spread to other parts of a system that have been patched … that’s something that’s going to scare a lot of people.”
The result of this cunning design was the kind of havoc on display across Ukraine.
In Kiev, the capital, the government reported disruptions including in the country’s power grid and computers in many government offices. Ukraine’s largest airport, in Boryspil, also reported an attack, delaying some flights. Ukraine’s central bank said several banks had been hit, as well as the metro transit system’s payment network in Kiev.
Deputy Prime Minister Pavlo Rozenko posted a photo on his Facebook account of his computer screen with the warning message.
Prime Minister Volodymyr Groysman posted on his Facebook page that the attack was “unprecedented” and said the country’s cyberwarfare specialists were working to counter the attack.
Rosneft, Russia’s largest oil production company, said it also was attacked, although it was unclear whether it was the same virus. The company said in a statement that there had been "a powerful hacker attack" on its server, but that the company’s production had not been affected. The company’s website was not working Tuesday evening.
By late Tuesday, Ukrainian officials said they hoped to have the damaged systems repaired within a few days. Gerashchenko said it could have been much worse for the beleaguered Eastern European country.
"The harm from this cyberattack will be significant, but not catastrophic," he said. "Our state is not so much penetrated by computer systems as Europe, the United States and other economically developed countries."
Special correspondents O’Brien reported from Toulouse, France, and Ayres from Moscow. Special correspondent Catherine Stupp in Brussels and Erik Kirschbaum in Berlin contributed to this report.
7:07 p.m.: This article has been updated throughout with additional statements and details.
11:50 a.m.: This article has been updated with information from Western Europe and additional comments on Ukraine.
This article was originally published at 10:10 a.m.