Russian Hackers Use WinRAR to Wipe Ukraine State Agency’s Data
Cyber Security Threat Summary:
“The Russian 'Sandworm' hacking group has been linked to an attack on Ukrainian state networks where WinRAR was used to destroy data on government devices. In a new advisory, the Ukrainian Government Computer Emergency Response Team (CERT-UA) says the Russian hackers used compromised VPN accounts that weren't protected with multi-factor authentication to access critical systems in Ukrainian state networks. Once they gained access to the network, they employed scripts that wiped files on Windows and Linux machines using the WinRAR archiving program. On Windows, the BAT script used by Sandworm is 'RoarBat,' which searches disks and specific directories for filetypes such as doc, docx, rtf, txt, xls, xlsx, ppt, pptx, vsd, vsdx, pdf, png, jpeg, jpg, zip, rar, 7z, mp4, sql, php, vbk, vib, vrb, p7s, sys, dll, exe, bin, and dat, and archives them using the WinRAR program. However, when WinRAR is executed, the threat actors use the "-df" command-line option, which automatically deletes files as they are archived. The archives themselves were then deleted, effectively deleting the data on the device” (Bleeping Computer, 2023).
Security Officer Comments:
The RoarBat script was executed through a scheduled task that was created and distributed to Windows hosts via Group Policy, so a single domain-level change was enough to run the wiper across the fleet and to re-run it if needed. On targeted Linux systems, a Bash script was deployed instead; it used the "dd" utility to overwrite files with zero bytes, destroying their content in place. Unlike a plain deletion, an in-place zero overwrite leaves nothing for file-undelete tools to recover, so restoration depends entirely on backups.
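The two wiping behaviours described above (WinRAR run so that source files are removed after archiving, and dd copying /dev/zero over regular files) both leave a clear fingerprint in process-creation telemetry. The following is an added detection example for this write-up; it is not CERT-UA's, Bleeping Computer's or the attackers' code. Field names (host, user, image, cmdline) are an assumption modelled on Sysmon Event ID 1 process-creation records, the sample events are constructed rather than taken from the incident, and the per-host escalation threshold is an assumed tuning value.

```python
"""Flag "living off the land" file wiping in process-creation telemetry.

Added example, not code from CERT-UA, Bleeping Computer or the actors.
Event field names follow an assumed Sysmon Event ID 1 style export;
the SAMPLE_EVENTS below are constructed for illustration.
"""
import re
from collections import Counter

WINRAR_IMAGES = {"rar.exe", "winrar.exe"}
# Assumption: this many archive-and-delete or zero-overwrite runs on one
# host within a batch is treated as mass wiping rather than a one-off.
MASS_THRESHOLD = 3

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "fs01", "user": r"NT AUTHORITY\SYSTEM", "image": r"C:\Program Files\WinRAR\Rar.exe",
     "cmdline": r'"C:\Program Files\WinRAR\Rar.exe" a -r -df -y D:\tmp\1.rar D:\Shares\*.docx'},
    {"host": "fs01", "user": r"NT AUTHORITY\SYSTEM", "image": r"C:\Program Files\WinRAR\Rar.exe",
     "cmdline": r'"C:\Program Files\WinRAR\Rar.exe" a -r -df -y D:\tmp\2.rar D:\Shares\*.xlsx'},
    {"host": "fs01", "user": r"NT AUTHORITY\SYSTEM", "image": r"C:\Program Files\WinRAR\Rar.exe",
     "cmdline": r'"C:\Program Files\WinRAR\Rar.exe" m -r -y D:\tmp\3.rar D:\Shares\*.pdf'},
    {"host": "ws17", "user": r"CORP\jsmith", "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" a -r C:\Users\jsmith\report.rar C:\Users\jsmith\report'},
    {"host": "web02", "user": "root", "image": "/usr/bin/dd",
     "cmdline": "dd if=/dev/zero of=/var/www/html/index.php bs=64K"},
    {"host": "web02", "user": "root", "image": "/usr/bin/dd",
     "cmdline": "dd if=/dev/zero of=/dev/sdb bs=1M count=10"},
    {"host": "bk01", "user": "root", "image": "/usr/bin/dd",
     "cmdline": "dd if=/srv/img/disk.img of=/mnt/backup/disk.img bs=4M"},
]


def tokens(cmdline):
    """Split a command line on whitespace while keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def image_name(path):
    """Lower-cased basename of a Windows or POSIX executable path."""
    return re.split(r"[\\/]", path)[-1].lower()


def check_event(ev):
    """Return a finding dict for one process-creation event, or None."""
    toks = tokens(ev["cmdline"])
    img = image_name(ev["image"])

    if img in WINRAR_IMAGES and len(toks) > 1:
        command = toks[1].lower()  # rar <command> [switches] <archive> <files>
        switches = {t.lower() for t in toks[2:] if t.startswith("-")}
        # -df deletes the source files once they are archived (the RoarBat
        # trick); the "m" (move to archive) command has the same effect.
        if "-df" in switches or command == "m":
            return {"rule": "winrar_archive_then_delete", "host": ev["host"],
                    "user": ev["user"], "cmdline": ev["cmdline"]}

    if img == "dd":
        opts = dict(t.split("=", 1) for t in toks[1:] if "=" in t)
        target = opts.get("of", "")
        # Zero-filling a regular file destroys its content in place. Writing
        # to a block device is a different (often legitimate) admin action
        # and is deliberately left to other rules.
        if opts.get("if") == "/dev/zero" and target and not target.startswith("/dev/"):
            return {"rule": "dd_zero_overwrite_file", "host": ev["host"],
                    "user": ev["user"], "cmdline": ev["cmdline"]}
    return None


def scan(events):
    """Check a batch of events and mark hosts that cross MASS_THRESHOLD."""
    findings = [f for f in (check_event(e) for e in events) if f]
    per_host = Counter(f["host"] for f in findings)
    for f in findings:
        f["mass_wipe"] = per_host[f["host"]] >= MASS_THRESHOLD
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed batch, the three SYSTEM-context archive runs on fs01 are flagged and escalated as mass wiping, the single dd overwrite on web02 is flagged without escalation, and the ordinary user archive, the block-device dd and the image copy are left alone. In production the same logic belongs in the SIEM query language, with the threshold expressed over a time window rather than a batch.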
This is not the first time Sandworm has carried out wiper attacks against Ukrainian organizations: earlier this year the group deployed five different wipers on the systems of a Ukrainian news agency. The latest campaign was less sophisticated in that no purpose-built wiper executables were dropped; the actors instead leveraged legitimate utilities, WinRAR and "dd", that were already present or easily staged on the targets. Relying on built-in or commonly installed tools helps the operation evade signature-based anti-virus scanning and complicates attribution, since there is no custom binary to tie back to the group.
Suggested Corrections:
Early last year, CISA released an advisory warning of destructive wiper activity and listing the mitigations organizations should take. In summary, CISA recommends filtering network traffic for malicious activity, enabling multi-factor authentication, keeping systems and software updated, filtering email for spam and phishing, regularly scanning systems with anti-virus software, and maintaining backups of important data. Two of these map directly onto this incident: the initial access came through VPN accounts that lacked multi-factor authentication, so MFA should be enforced on every remote-access path, and because the actors deleted the archives as well as the originals, backups must be kept offline or otherwise beyond the reach of a domain-wide scheduled task.
Link:
https://cert.gov.ua/article/4501891