Wiper

The Russian 'Sandworm' hacking group has been linked to an attack on Ukrainian state networks where WinRar was used to destroy data on government devices.

In a new advisory, the Ukrainian Government Computer Emergency Response Team (CERT-UA) says the Russian hackers used compromised VPN accounts that weren't protected with multi-factor authentication to access critical systems in Ukrainian state networks.

Once they gained access to the network, they employed scripts that wiped files on Windows and Linux machines using the WinRar archiving program.

Wiz

On Windows, the BAT script used by Sandworm is 'RoarBat,' which searches disks and specific directories for filetypes such as doc, docx, rtf, txt, xls, xlsx, ppt, pptx, vsd, vsdx, pdf, png, jpeg, jpg, zip, rar, 7z, mp4, sql, php, vbk, vib, vrb, p7s, sys, dll, exe, bin, and dat, and archives them using the WinRAR program.

RoarBat searching for specified files on certain directories
RoarBat searching for specified filetypes on all drives (CERT-UA)

However, when WinRar is executed, the threat actors use the "-df" command-line option, which automatically deletes files as they are archived. The archives themselves were then deleted, effectively deleting the data on the device.

CERT-UA says RoarBAT is run through a scheduled task created and centrally distributed to devices on the Windows domain using group policies.

Scheduled task set to run the script
Scheduled task set to run the BAT script (CERT-UA)

On Linux systems, the threat actors used a Bash script instead, which employed the "dd" utility to overwrite target file types with zero bytes, erasing their contents. Due to this data replacement, recovery for files "emptied" using the dd tool is unlikely, if not entirely impossible.

As both the 'dd' command and WinRar are legitimate programs, the threat actors likely used them to bypass detection by security software.

CERT-UA says the incident is similar to another destructive attack that hit the Ukrainian state news agency "Ukrinform" in January 2023, also attributed to Sandworm.

"The method of implementation of the malicious plan, the IP addresses of the access subjects, as well as the fact of using a modified version of RoarBat testify to the similarity with the cyberattack on Ukrinform, information about which was published in the Telegram channel "CyberArmyofRussia_Reborn" on January 17, 2023." reads the CERT-UA advisory.

CERT-UA recommends that all critical organizations in the country reduce their attack surface, patch flaws, disable unneeded services, limit access to management interfaces, and monitor their network traffic and logs.

As always, VPN accounts that allow access to corporate networks should be protected with multi-factor authentication.

tines

Automated Pentesting Covers Only 1 of 6 Surfaces.

Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the other.

This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic questions for any tool evaluation.

Related Articles:

Medtech giant Stryker fully operational after data-wiping attack

Russian hackers exploit Zimbra flaw in Ukrainian govt attacks

Medtech giant Stryker offline after Iran-linked wiper malware attack

APT28 hackers deploy customized variant of Covenant open-source tool

Russia arrests suspected owner of LeakBase cybercrime forum