The Russia-based hacking group Sandworm has allegedly attacked Ukrainian state networks, using WinRAR to wipe data on government devices. According to CERT-UA, the Russian group used a compromised VPN account that was not protected by multi-factor authentication (MFA) to access critical systems in Ukrainian state networks.
After the attackers gained access to the targeted network, they deployed scripts that deleted files on Windows and Linux devices by abusing the WinRAR archiving program. The BAT script Sandworm used on Windows is named RoarBAT.
The script searches the disks and specific directories of the targeted devices for files with extensions such as mp4, SQL, php, vb, zip, rar, 7z, VIB, pdf, png, jpeg, jpg, sys, dll, exe, bin, doc, docx, rtf, txt, xls, vsdx, verb, p7s, xlsx, ppt, pptx, vsd, and data, and archives them with the WinRAR program.
The attackers run WinRAR with the -df command-line option, which automatically deletes the source files once they have been added to the archive. The resulting archive is then removed from the device as well, so the collected files are permanently deleted.
Researchers explained that RoarBAT was run through a scheduled task the attackers created and distributed centrally to devices in the Windows infrastructure via group policies.
The Sandworm hacking group also uses a Bash script to target Linux.
On Linux systems, the Sandworm group used a Bash script rather than the BAT script to wipe data. The attackers employed the dd utility to overwrite the targeted file types with zero bytes, destroying their contents. Device owners could therefore not recover the files, since the data had been overwritten and emptied.
Since both dd and WinRAR are legitimate programs, Sandworm most likely chose them to evade security detections. The Ukrainian researchers noted that the incident resembles an attack that struck the Ukrainian state news agency earlier this year.
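As an added example (not code from the article or from CERT-UA), the following Python check runs over constructed process-creation events and flags the two living-off-the-land wiper patterns described above: WinRAR archiving with the -df switch, and dd zero-filling a regular file. The event field names, hostnames and paths are assumptions made for the sample.

```python
import json
from typing import Dict, List

# Constructed sample process-creation events (not real CERT-UA data); the
# "cmd" field mimics the command line a Sysmon-style event would record.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "svc_gpo", "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmd": r"WinRAR.exe a -r -df C:\Temp\out.rar C:\Users\*.docx"},
    {"host": "ws02", "user": "alice", "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmd": r"WinRAR.exe a -r C:\Backups\weekly.rar C:\Users\alice\Documents"},
    {"host": "srv01", "user": "root", "image": "/usr/bin/dd",
     "cmd": "dd if=/dev/zero of=/var/www/index.php bs=1 count=4096"},
    {"host": "srv02", "user": "root", "image": "/usr/bin/dd",
     "cmd": "dd if=/dev/zero of=/dev/sdb bs=1M count=1"},
]

WINRAR_IMAGES = ("winrar.exe", "rar.exe")


def winrar_deletes_sources(event: Dict) -> bool:
    """True when WinRAR/Rar adds files to an archive ('a') with -df, which deletes the inputs."""
    image = event["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if image not in WINRAR_IMAGES:
        return False
    args = event["cmd"].split()
    return len(args) > 1 and args[1].lower() == "a" and "-df" in (a.lower() for a in args[2:])


def dd_zeroes_regular_file(event: Dict) -> bool:
    """True when dd reads /dev/zero and writes to a file path rather than a device node.

    Writes to /dev/* are left out here: zeroing block devices is common admin work
    and deserves its own rule with different context.
    """
    if not event["image"].endswith("/dd"):
        return False
    opts = dict(tok.split("=", 1) for tok in event["cmd"].split()[1:] if "=" in tok)
    return opts.get("if") == "/dev/zero" and not opts.get("of", "").startswith("/dev/")


def find_wiper_activity(events: List[Dict]) -> List[Dict]:
    """Return the events matching either wiper pattern, each tagged with the reason."""
    hits = []
    for ev in events:
        if winrar_deletes_sources(ev):
            hits.append({**ev, "reason": "WinRAR -df deletes source files after archiving"})
        elif dd_zeroes_regular_file(ev):
            hits.append({**ev, "reason": "dd zero-fills a regular file"})
    return hits


if __name__ == "__main__":
    for hit in find_wiper_activity(SAMPLE_EVENTS):
        print(json.dumps(hit))
```

Correlating a WinRAR -df hit with a scheduled task pushed by group policy, as the article describes, would further raise confidence in the alert.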
CERT-UA recommends that all critical organisations in Ukraine reduce their attack surface, patch vulnerabilities, restrict access to management interfaces, disable unnecessary services, and monitor network logs and traffic. Lastly, VPN accounts that grant access to corporate networks should be protected with MFA.