The Russian hacking group known as ‘Sandworm’ has been identified as the culprit behind an attack on Ukrainian state networks in which it used WinRAR to erase data on government devices. The Ukrainian Government Computer Emergency Response Team (CERT-UA) reported that the attackers gained access to critical systems in the state networks through compromised VPN accounts that lacked multi-factor authentication. Once inside, they ran scripts that drove the WinRAR archiving program to wipe files on both Windows and Linux machines. On Windows, Sandworm used a BAT script called ‘RoarBat’ that searched for specific file types and archived them with WinRAR’s “-df” command-line switch, which deletes the source files once they have been added to the archive. On Linux, they used a Bash script that relied on the “dd” utility to overwrite the targeted file types with zero bytes. The attack resembles an earlier destructive attack on the Ukrainian state news agency in January 2023, also attributed to Sandworm. CERT-UA recommends a set of security measures for critical organizations, including reducing the attack surface, patching vulnerabilities, disabling unnecessary services, limiting access, and enforcing multi-factor authentication for VPN accounts.
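As an added example (not code from the article, CERT-UA or the attacker's scripts), the following Python triage runs over constructed process-creation log lines and flags the two patterns the summary describes: a WinRAR invocation carrying the -df switch, and a dd command overwriting a regular file from /dev/zero. Hostnames, file paths and the (host, command line) event format are assumptions.

```python
"""Flag process-creation events resembling the RoarBat wiper pattern:
WinRAR run with -df (delete files after archiving) and dd writing
/dev/zero over a regular file. All sample data below is constructed."""
import shlex
from pathlib import PureWindowsPath, PurePosixPath

WINRAR_IMAGES = {"winrar.exe", "rar.exe"}

def is_winrar_delete_after_archive(cmdline: str) -> bool:
    """True if a WinRAR/rar command line carries the -df switch."""
    try:
        # Non-POSIX mode keeps Windows backslashes literal.
        argv = shlex.split(cmdline, posix=False)
    except ValueError:
        return False
    if not argv:
        return False
    image = PureWindowsPath(argv[0].strip('"')).name.lower()
    return image in WINRAR_IMAGES and any(a.lower() == "-df" for a in argv[1:])

def is_dd_zero_overwrite(cmdline: str) -> bool:
    """True if dd reads /dev/zero and writes to a path outside /dev
    (a file overwrite, as in the Linux script, not a whole-device operation)."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return False
    if not argv or PurePosixPath(argv[0]).name != "dd":
        return False
    opts = dict(a.split("=", 1) for a in argv[1:] if "=" in a)
    return opts.get("if") == "/dev/zero" and not opts.get("of", "").startswith("/dev/")

def triage(events):
    """Return (host, rule) pairs for events matching either pattern."""
    hits = []
    for host, cmd in events:
        if is_winrar_delete_after_archive(cmd):
            hits.append((host, "winrar-df"))
        elif is_dd_zero_overwrite(cmd):
            hits.append((host, "dd-zero-overwrite"))
    return hits

# Constructed sample process-creation events: (hostname, command line).
SAMPLE_EVENTS = [
    ("WS-01", r'"C:\Program Files\WinRAR\WinRAR.exe" a -r -df C:\tmp\out.rar C:\Users\Public\Documents\*.docx'),
    ("WS-02", r'"C:\Program Files\WinRAR\WinRAR.exe" a -r C:\backup\docs.rar C:\Users\*.docx'),
    ("SRV-01", "/bin/dd if=/dev/zero of=/var/www/data/report.xlsx bs=1M"),
    ("SRV-02", "dd if=/dev/zero of=/dev/sdb bs=1M count=1"),
]

if __name__ == "__main__":
    for host, rule in triage(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

In practice the command lines would come from a process-creation source such as Sysmon Event ID 1 or auditd execve records; a plain archive job without -df, as on WS-02, is deliberately left unflagged.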
To mitigate these potential threats, it is important to implement additional cybersecurity measures with the help of a trusted partner like INFRA www.infrascan.net, or you can try it yourself using check.website.
Source: Bleeping Computer