Russian state-sponsored hackers have wiped data from devices belonging to Ukrainian state networks thanks to poorly protected VPNs, and malware (opens in new tab) that abuses popular archiving program WinRAR.
The Ukrainian Government Computer Emergency Response Team (CERT-UA) recently claimed a Russian threat actor, thought to be from the Sandworm group, managed to compromise Ukrainian state networks by using compromised VPN accounts that did not have multi-factor authentication (MFA) set up.
After getting access, the hacker would deploy malware dubbed “RoarBat” which essentially wipes the affected drives.
Deleting everything
What the malware does is searches the drive for files with different extensions, including .doc, .txt, .jpg, and .xlsx. It then calls for WinRAR to archive all those files, and adds the “-df” command-line option, which deletes all of the files that are being archived.
Once the work is done, the malware deletes the archive itself, essentially wiping all of the data found on the disk in one fell swoop.
The threat actors are also targeting Linux devices, the agency further stated, saying that for that OS, they’re using a Bash script and the “dd” utility to overwrite target files with zero bytes. “Due to this data replacement, recovery for files “emptied” using the dd tool is unlikely, if not entirely impossible,” BleepingComputer states.
This is not the first time such an attack targeted Ukrainian state networks, CERT-UA claims. In January 2023, the country’s state news agency, Ukrinform, was also targeted by Sandworm:
“The method of implementation of the malicious plan, the IP addresses of the access subjects, as well as the fact of using a modified version of RoarBat testify to the similarity with the cyberattack on Ukrinform, information about which was published in the Telegram channel “CyberArmyofRussia_Reborn” on January 17, 2023.” CERT-UA said.
The best way to defend against such attacks is to keep the hardware and software updated, to enable MFA whenever possible, and limit access to management interfaces as much as possible.
Via: BleepingComputer (opens in new tab)
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba