Russian hackers use a blast from the Windows past to launch cyberattacks

(Image credit: Elchinator from Pixabay)

Russian state-sponsored hackers have wiped data from devices on Ukrainian state networks, getting in through poorly protected VPNs and then deploying malware that abuses the popular archiving program WinRAR.

The Ukrainian Government Computer Emergency Response Team (CERT-UA) recently claimed a Russian threat actor, thought to be from the Sandworm group, managed to compromise Ukrainian state networks by using compromised VPN accounts that did not have multi-factor authentication (MFA) set up.

After gaining access, the attackers deployed malware dubbed “RoarBat”, which essentially wipes the affected drives.

Deleting everything

The malware searches the drive for files with a range of extensions, including .doc, .txt, .jpg, and .xlsx. It then invokes WinRAR to archive all those files with the “-df” command-line option, which deletes each file once it has been added to the archive.

Once the work is done, the malware deletes the archive itself, essentially wiping all of the data found on the disk in one fell swoop. 

The threat actors are also targeting Linux devices, the agency further stated, saying that for that OS, they’re using a Bash script and the “dd” utility to overwrite target files with zero bytes. “Due to this data replacement, recovery for files "emptied" using the dd tool is unlikely, if not entirely impossible,” BleepingComputer states.
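A defender-side check for the two wiping behaviours described above, added here as an example (it is not code from CERT-UA, BleepingComputer or the malware itself): it flags process-creation events in which WinRAR or rar runs with the “-df” switch, or dd copies /dev/zero over a target path. The archiver binary names and the `cmd=` log format are assumptions, and the log lines are constructed samples.

```python
# Detection of the RoarBat-style wiper patterns described above (added example):
#  * WinRAR / rar invoked with the "-df" switch (delete files after archiving)
#  * dd reading /dev/zero into a target path (zero-fill overwrite)
import re
import shlex

# Archiver binaries to watch (assumed names of the standard WinRAR command-line tools).
ARCHIVERS = {"winrar.exe", "rar.exe", "rar"}

def _basename(path):
    """Last path component, lower-cased; handles Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()

def archiver_deletes_sources(argv):
    """True if argv is a WinRAR/rar call carrying the -df (delete after archiving) switch."""
    if not argv or _basename(argv[0]) not in ARCHIVERS:
        return False
    return any(arg.lower().lstrip("-") == "df" for arg in argv[1:])

def dd_zero_overwrite(argv):
    """True if argv is a dd call that copies /dev/zero over some output path."""
    if not argv or _basename(argv[0]) != "dd":
        return False
    opts = dict(arg.split("=", 1) for arg in argv[1:] if "=" in arg)
    return opts.get("if") == "/dev/zero" and "of" in opts

def scan(lines):
    """Return (line, reason) pairs for log lines whose cmd= field matches a wiper pattern."""
    hits = []
    for line in lines:
        match = re.search(r"cmd=(.*)$", line)
        if not match:
            continue
        # posix=False keeps Windows backslashes intact; quotes are then stripped per token.
        argv = [tok.strip('"') for tok in shlex.split(match.group(1), posix=False)]
        if archiver_deletes_sources(argv):
            hits.append((line, "archiver -df: sources deleted after archiving"))
        elif dd_zero_overwrite(argv):
            hits.append((line, "dd zero-fill overwrite of target path"))
    return hits

# Constructed sample process-creation events: two wiper-like commands, two benign ones.
LOG_LINES = [
    r'host=ws01 user=svc cmd="C:\Program Files\WinRAR\WinRAR.exe" a -r -ep -df C:\x.rar *.doc *.txt *.jpg *.xlsx',
    r'host=ws01 user=alice cmd="C:\Program Files\WinRAR\WinRAR.exe" a -r backup.rar D:\reports',
    r'host=srv03 user=root cmd=dd if=/dev/zero of=/var/lib/app/data.db bs=1M',
    r'host=srv03 user=root cmd=dd if=/dev/sda of=/root/disk.img bs=4M',
]
```

Running `scan(LOG_LINES)` returns the first and third samples; the backup job and the disk-imaging dd call are left alone.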

This is not the first time such an attack targeted Ukrainian state networks, CERT-UA claims. In January 2023, the country’s state news agency, Ukrinform, was also targeted by Sandworm:

"The method of implementation of the malicious plan, the IP addresses of the access subjects, as well as the fact of using a modified version of RoarBat testify to the similarity with the cyberattack on Ukrinform, information about which was published in the Telegram channel "CyberArmyofRussia_Reborn" on January 17, 2023," CERT-UA said.

The best way to defend against such attacks is to keep the hardware and software updated, to enable MFA whenever possible, and limit access to management interfaces as much as possible.

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.