Russian Hackers Employ Legacy Windows Exploits for Cyberattacks

Russian state-sponsored hackers have recently targeted Ukrainian state networks, employing compromised VPN accounts and exploiting vulnerabilities in the popular archiving program WinRAR. The Ukrainian Government Computer Emergency Response Team (CERT-UA) revealed that the hackers, believed to be from the Sandworm group, gained access to the networks by exploiting VPN accounts lacking multi-factor authentication (MFA).

Once inside the compromised systems, the hackers deployed malicious software called “RoarBat,” which proceeds to wipe the data from the affected drives. The malware systematically searches for files with various extensions, including .doc, .txt, .jpg, and .xlsx, and uses WinRAR to archive these files while simultaneously deleting them. The malware then erases the archive itself, effectively eliminating all the data on the disk in one go.

In addition to targeting Windows devices, the threat actors have also turned their attention to Linux devices. For Linux, they employ a Bash script and the “dd” utility to overwrite targeted files with zero bytes, making data recovery highly unlikely, if not impossible.
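As an added example that is not part of the article or the CERT-UA report, the script below runs a simple detection heuristic over constructed process-creation records for the two wiper patterns described above: WinRAR or rar.exe invoked with a delete-after-archive switch (`-df`, or `-dw` for wipe) against the document extensions the malware targets, and `dd` writing `/dev/zero` over a regular file. The log records, hostnames and user names are constructed; the record layout (host, user, command line) is an assumption.

```python
import re
from os.path import basename

# Extensions the article says RoarBat targets; matches raise the severity.
TARGET_EXTS = (".doc", ".txt", ".jpg", ".xlsx")
# rar/WinRAR switches that remove source files after archiving (-df deletes, -dw wipes).
RAR_DELETE_SWITCHES = {"-df", "-dw"}

# Constructed sample process-creation records: (host, user, command line).
SAMPLE_EVENTS = [
    ("ws01", "alice", r'"C:\Program Files\WinRAR\WinRAR.exe" a -r -df C:\Temp\out.rar '
                      r'C:\Users\alice\Documents\*.doc C:\Users\alice\Documents\*.xlsx'),
    ("ws01", "alice", r'"C:\Program Files\WinRAR\WinRAR.exe" a C:\Temp\r.rar C:\Users\alice\Documents\report.doc'),
    ("srv01", "root", "dd if=/dev/zero of=/var/www/html/index.html bs=1M"),
    ("srv01", "root", "dd if=/dev/sda of=/backup/disk.img bs=4M"),
]

_TOKEN = re.compile(r'"[^"]*"|\S+')

def tokenize(cmdline):
    """Split a command line into tokens, honouring double quotes (Windows and Linux)."""
    return [t.strip('"') for t in _TOKEN.findall(cmdline)]

def analyze_command(cmdline):
    """Return a finding dict if the command line matches a wiper pattern, else None."""
    argv = tokenize(cmdline)
    if not argv:
        return None
    exe = basename(argv[0].replace("\\", "/")).lower()
    if exe in ("winrar.exe", "rar.exe"):
        switches = {a.lower() for a in argv[1:] if a.startswith("-")}
        if switches & RAR_DELETE_SWITCHES:
            hits = sorted({e for e in TARGET_EXTS for a in argv if a.lower().endswith(e)})
            return {"rule": "winrar_archive_and_delete",
                    "severity": "high" if hits else "medium", "extensions": hits}
    elif exe == "dd":
        kv = dict(a.split("=", 1) for a in argv[1:] if "=" in a)
        src, dst = kv.get("if", ""), kv.get("of", "")
        # Zero-filling a regular file (not a block device) is the Linux wiper pattern.
        if src in ("/dev/zero", "/dev/urandom") and dst and not dst.startswith("/dev/"):
            return {"rule": "dd_overwrite_file", "severity": "high", "target": dst}
    return None

def scan_events(events):
    """Run analyze_command over (host, user, cmdline) records; return the findings."""
    findings = []
    for host, user, cmdline in events:
        finding = analyze_command(cmdline)
        if finding:
            findings.append({"host": host, "user": user, **finding})
    return findings

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

Running it flags the first and third records and leaves the plain archive job and the disk-image backup alone; in production the same logic would sit on Sysmon event 1 or auditd EXECVE records rather than the inline list.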

This is not the first instance of such attacks on Ukrainian state networks. In January 2023, the Sandworm group targeted the country’s state news agency, Ukrinform, using a similar method and a modified version of the RoarBat malware.

To defend against these types of attacks, it is crucial to keep hardware and software updated, enable multi-factor authentication whenever possible, and restrict access to management interfaces to minimize potential vulnerabilities. By adopting these preventive measures, organizations can significantly enhance their security posture and protect against such malicious cyber activities.