Serhiy Demedyuk, the deputy secretary of the national security and defence council, said Ukraine was working to establish who obtained such access, whether it was done externally or through an insider.
The comments are the first detailed explanation of how multiple Ukrainian websites were hit by a cyber strike that left a warning to “be afraid and expect the worst”, at a time when Russia has amassed troops near Ukraine’s borders.
“According to the preliminary conclusions of our experts … today’s attack occurred due to the use by third parties of access to the software administration rights of a company that had an advantage in developing websites for government agencies,” Demedyuk said in written comments.
“The specified software has been used since 2016 to create websites for government agencies, most of which became victims of today’s incident,” said Demedyuk, who used to be the head of Ukraine’s cyber police.
He did not name the third party company.
Ukraine said on Friday the cyberattack hit around 70 internet sites of government bodies including the security and defence council.
Demedyuk said his statements were preliminary findings.
“But for the final conclusion, law enforcement agencies need to conduct many examinations of the seized digital evidence, as well as to establish how and who exactly received such privileged administrative access, through outside interference or as a result of the illegal activities of an insider in this company,” he said.
Demedyuk did not say who might have been behind the attack, though Ukraine’s foreign ministry and its state security service pointed the finger of suspicion towards Russia.
Russia did not comment, but has previously denied being behind cyberattacks, including against Ukraine.