Russian hackers use a blast from the Windows past to launch cyberattacks
Russian state-sponsored hackers have wiped data from devices belonging to Ukrainian state networks thanks to poorly protected VPNs, and malware that abuses popular archiving program WinRAR.
The Ukrainian Government Computer Emergency Response Team (CERT-UA) recently claimed a Russian threat actor, thought to be from the Sandworm group, managed to compromise Ukrainian state networks by using compromised VPN accounts that did not have multi-factor authentication (MFA) set up.
After getting access, the hacker would deploy malware dubbed “RoarBat” which essentially wipes the affected drives.
What the malware does is searches the drive for files with different extensions, including .doc, .txt, .jpg, and .xlsx. It then calls for WinRAR to archive all those files, and adds the “-df” command-line option, which deletes all of the files that are being archived.
Once the work is done, the malware deletes the archive itself, essentially wiping all of the data found on the disk in one fell swoop.
The threat actors are also targeting Linux devices, the agency further stated, saying that for that OS, they’re using a Bash script and the “dd” utility to overwrite target files with zero bytes. “Due to this data replacement, recovery for files “emptied” using the dd tool is unlikely, if not entirely impossible,” BleepingComputer states.
This is not the first time such an attack targeted Ukrainian state networks, CERT-UA claims. In January 2023, the country’s state news agency, Ukrinform, was also targeted by Sandworm:
> These are the best firewalls right now
> Russia’s quest to seize control of the internet in Ukraine
> Ukraine wants Russia kicked off the internet
“The method of implementation of the malicious plan, the IP addresses of the access subjects, as well as the fact of using a modified version of RoarBat testify to the similarity with the cyberattack on Ukrinform, information about which was published in the Telegram channel “CyberArmyofRussia_Reborn” on January 17, 2023.” CERT-UA said.
The best way to defend against such attacks is to keep the hardware and software updated, to enable MFA whenever possible, and limit access to management interfaces as much as possible.
- Here’s our rundown of the best endpoint protection right now