It was late afternoon in Ukraine on Tuesday, June 27, when a computer virus began spreading throughout the country, shutting down top energy companies, private and state banks, an airport, and Kyiv’s metro system. It appeared, at first, to be proliferating the same way the WannaCry ransomware attack had in May. But where that virus aggressively replicated itself over the internet, it soon became clear that this one primarily tried to spread within organizations.

That localized focused, however, didn’t match the sweeping damage Petya/NotPetya had done in Ukraine, seemingly hitting many organizations in the country simultaneously. According to an analysis of the event by Cisco’s threat intelligence team, which aided the investigation into the origin of the attack as it happened, researchers quickly found that M.E.Doc, the accounting software made by Intellect Service, “was at the center of activity.”

Engineers at Intellect Service allowed the researchers at Cisco to access their servers and assess what was happening. Before long, they had some answers.

“An unknown actor had stolen the credentials of an administrator at M.E.Doc. They logged into the server, acquired root privileges and then began modifying [its configuration file],” according to Cisco’s report. “At this point we understood that the actor in question had access to much of the network and many of the systems.”

Cisco and others later determined that hackers had implanted a backdoor into M.E.Doc software, allowing them to add malicious code to software updates the company made available to its customers on the day of the attack. About 80% of businesses in Ukraine use M.E.Doc, and Ukraine officials have reported that, in total, at least 2,000 computers in the country were infected with Petya/NotPetya.

Although Intellect Service wasn’t aware its systems had been hacked, officials say the company had not adequately protected its servers. Dmytro Shymkiv, a senior official in the Ukrainian government, told Reuters on Wednesday that the company’s servers hadn’t been updated since February 2013.

The Ukrainian government has accused Russia of masterminding the attack, and an article in Wired described Russia as using its neighbor as a “test lab for cyber war.” Moscow has denied any involvement.

📬 Sign up for the Daily Brief

Our free, fast, and fun briefing on the global economy, delivered every weekday morning.