Ukraine's national cybercrime unit seized servers belonging to a small company at the centre of a global outbreak of malicious software after "new activity" was detected there, the service said in a statement early on Wednesday (5 July).
The announcement raised the possibility that the hackers behind last week's wide-ranging cyberattack were still seeking to sow chaos.
Tax software firm M.E. Doc was raided to "immediately stop the uncontrolled proliferation" of malware. In a series of messages, Cyberpolice spokeswoman Yulia Kvitko suggested that M.E. Doc had sent or was preparing to send a new update and added that swift action had prevented any further damage.
"Our experts stopped [it] on time," she said.
It wasn't immediately clear how or why hackers might still have access to M.E. Doc's servers.
The company has been the focus of intense attention from authorities and cybersecurity researchers since it was identified as the patient zero of the outbreak, which crippled computers at several multinational firms and knocked out cash machines, petrol stations and bank branches in Ukraine.
The company has not returned messages from The Associated Press, but in several statements posted to Facebook it disputed allegations that its poor security helped seed the malware epidemic.
Adding to the intrigue, the bitcoin wallet linked to the hackers who masterminded the outbreak was emptied around the same time as the police announcement.
Kaspersky Lab researcher Aleks Gostev said on Twitter that some of the digital currency had been sent to text storage sites, hinting at the prospect of some kind of a forthcoming statement.
Meanwhile, Ukrainian officials were just beginning to count the costs of the outbreak.
Infrastructure Minister Volodymyr Omelyan told AP his department had incurred "millions" in costs, with hundreds of workstations and two of its six servers knocked out.
Col. Serhiy Demydiuk, the head of Ukraine's national Cyberpolice unit, said that Kiev-based M.E. Doc's employees had blown off repeated warnings about the security of their information technology infrastructure.
"They knew about it," he told the AP at his office. "They were told many times by various anti-virus firms. [...] For this neglect, the people in this case will face criminal responsibility."
Demydiuk and other officials say last week's unusually disruptive cyberattack was mainly spread through a malicious update to M.E. Doc's eponymous tax software program, which is widely used by accountants and businesses across Ukraine.
The malicious update, likely planted on M.E. Doc's update server by a hacker, was then disseminated across the country before exploding into an epidemic of data-scrambling software that Ukrainian and several other multinational firms are still recovering from.
M.E. Doc has given various explanations for its role in the outbreak. It initially acknowledged having been hacked, but then deleted the statement . It then called allegations it had seeded the outbreak "clearly erroneous" but later said it was cooperating with authorities.
Meanwhile, several companies hit by last week's cyberattack say they are edging toward normalcy.
Law firm DLA Piper said late Sunday that it has restored its email service and was working to bring its other networks back online. Danish shipper A.P. Moller-Maersk said Monday it was "getting closer to full speed" and that all but one cargo terminal was back in action.
Russian companies were reportedly affected as well; Russian state-owned oil giant Rosneft said Monday it had taken the company six days to fully repair its computer systems after they were badly hit in the cyberattack.
Ukrainian authorities have blamed Russia for masterminding the outbreak, although several independent experts say it's too early, based on what's publicly known, to come to any firm conclusions.
Ukraine has repeatedly come under fire from high-powered cyberattacks tied to Moscow.
The extent of the damage and disruption in Ukraine was still unclear Monday. Authorities have yet to release an account of the number of victims or guess at the cost inflicted by the malware. Demydiuk said his service was still collating figures and declined to even provide estimates.
It's clear, though, that the economic disruption has not been negligible. Some bank employees have not been to work in days. At Kiev's Boryspil Airport, senior official Yevhenii Dykhne told the AP that about a third of computers, mainly those devoted to back-office work such as procurement, were still offline.
Hanna Rybalka, who works at the state-owned Oschadbank's headquarters in Kiev, said that business had taken nearly a week to recover.
"Today is the first day of full-time work," she said in a Facebook message Monday.