KIEV (NYTIMES) - The day started like most for Roman N. Klimenko, an accountant in Kiev who had just settled in at his desk, typing at a computer keyboard and drinking coffee. He was unaware that concealed within his tax preparation software lurked a cyberbomb.
That bomb soon exploded, destroying his financial data and quickly spreading through computer systems vital to Ukraine's government - and beyond. The cyber attack, on Tuesday, was caused by a virus similar to one that wreaked global havoc less than two months ago.
Both had the appearance of hacker blackmail assaults known as ransomware attacks: screens of infected computers warn users their data will be destroyed unless ransoms are paid.
But in Ukraine's case, a more sinister motive - paralysis of the country's vital computer systems - may have been the motive, cyber security experts said on Wednesday. And many Ukrainians cast their suspicions on Russia.
Get The Straits Times
newsletters in your inbox
Cyber security experts based their reasoning partly on having identified the group of Ukrainian users who were initially and improbably targeted: tax accountants.
All are required by law to use a tax preparation software such as that made by a Ukrainian company, M.E.Doc. The software that runs on Microsoft Windows-based computers was recently updated. Microsoft issued a statement on Wednesday saying it "now has evidence that a few active infections of the ransomware initially started from the legitimate M.E.Doc updater process."
Cyber security experts said that whoever launched the assault - on the eve of a holiday celebrating Ukrainian independence - must have known that M.E.Doc software, which is integrated into Ukrainian government computers, was their gateway.
"You don't hit the day before Constitution Day for no reason," said Craig Williams, the senior technical researcher with the Talos division of Cisco, the U.S. technology company, which helped pinpoint the origin of the Tuesday attack.
Brian Lord, a former deputy director for intelligence and computer operations at Britain's Government Communications Headquarters, the country's equivalent to the National Security Agency, said, "This isn't about the money."
"This attack is about disabling how large companies and governments can operate," he added. "You get a double whammy of the initial cyber attack and then organisations being forced to shut down their operations." For Klimenko, the software update seemed to go fine - until hours later. "The screen became red," he said in an interview. "A warning appeared, and everything on the hard drive was scrambled."
Klimenko quickly realised he had lost all past-year filings, a catastrophe for an accountant. "Now I cannot confirm that I filed," he said. "Honestly, I don't understand what happened."
Yet to be determined is the source of the virus. But Russia was seen as the prime suspect because it has been engaged in overt and covert warfare with Ukraine since the 2014 revolution that deposed a Kremlin-friendly government.
A Russian role has yet to be proven and may never be. Nevertheless, analysts said on Wednesday that if the attackers' object was to sow chaos at the highest levels in Ukraine, M.E.Doc provided an ideal way. Its software is not only widely installed at government agencies and banks, but is mandatory at many Ukrainian businesses and government agencies.
M.E.Doc said in a statement that it could not confirm whether the virus had been distributed through the update, but that it was "cooperating with Ukraine's cyber police on the investigation." In another indication that Ukraine was a prime target, the national police said on Wednesday that more than 1,500 companies had filed complaints or appealed for help because of computer intrusions. That was far more than in other countries, although Russia seemed to be the second-most widely affected.
While analysts remained cautious about assigning blame, there was little reticence in official circles in Ukraine, particularly as it became clear that the country was the primary target. The timing was an especially clear sign of political intent, they said.
Adding to their suspicions, just a few hours before the computer strike, a Ukrainian military intelligence officer, Maksim Shapoval, was killed by a car bomb in Kiev. It was the latest in a string of assassinations of opponents and critics of Russia in the Ukrainian capital.
"War in cyberspace, seeding fear and horror among millions of personal computer users, and inflicting direct material damage from destabilizing the work of businesses and the state, is just one part of the hybrid war of the Russian empire against Ukraine," Anton Gerashenko, a member of Parliament, wrote on Facebook. The assassination of Shapoval is another, he wrote.
Gerashenko called the spread of the virus the "most massive computer attack in the history of Ukraine." He said it was only "masked as an effort to extort money from computer users," with the real goal economic disruption.
In this view, what began as a strike at Ukraine later, and perhaps inadvertently, spread to other countries merely as collateral damage.
The timing of the attack was suspect in another way, coming after a rare stretch of upbeat news in Ukraine. Last week, the European Union waived visa requirements for Ukrainians, at least those few fortunate enough to have the means to travel. That was a euphoric moment for many Ukrainians, some of whom could be seen celebrating with raised fists after gliding through immigration lanes in European airports.
President Petro O. Poroshenko met in Washington with President Donald Trump, undermining what politicians here say is an overarching Russian goal of weakening Ukraine by highlighting the incompetence and corruption of the government.
The attack also comes in the context of a long-running trade war between Russia and Ukraine, on the sidelines of the actual shooting war in eastern Ukraine between the government and Russian-backed separatists.