Sandworm (UAC-0165), a Russian hacking group, has been linked to an attack on Ukrainian state networks that involved wiping data from government devices using WinRAR, according to an advisory from the Ukrainian Government Computer Emergency Response Team (CERT-UA).
Several indicators point to Sandworm, CERT-UA adds: IP addresses, the presence of a modified version of RoarBAT, and “the method of implementation of the malicious plan”.
How Attackers use WinRAR to Wipe Data
The hackers apparently used the RoarBAT script, which searches the targeted machine for files with extensions including .doc, .docx, .rtf, .txt, .xls, .xlsx, .ppt, .pptx, .jpeg, .jpg, .zip, .rar, .7z, and several more, then archives them with WinRAR using the “-df” option. This option automatically deletes the source files once they have been archived. The RoarBAT script then deletes the archives themselves, leading to total data loss.
The attackers likely used legitimate programs such as ‘dd’ and WinRAR to avoid detection by security software. Linux systems are not immune from the attack either: data on them can be wiped in the same way using a BASH script that leverages the standard dd command line utility to overwrite the targeted files with zero bytes.
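For defenders, the two behaviours described above (RAR archiving with -df, and dd reading /dev/zero onto a regular file) can be checked for in process-creation command lines. The following Python is an added example written for this article, not code from CERT-UA or from the advisory; the sample events, paths and rule names are constructed for illustration.

```python
import shlex

# Constructed process-creation events (command lines as a SIEM would export them);
# the paths and file names are made up for this example, not taken from the advisory.
SAMPLE_EVENTS = [
    r'C:\Windows\System32\cmd.exe /c C:\Temp\update1.bat',
    r'"C:\Program Files\WinRAR\WinRAR.exe" a -r -ep1 -df C:\Temp\1.rar C:\Users\Public\Documents\*.docx',
    r'"C:\Program Files\WinRAR\WinRAR.exe" a -r D:\backup.rar D:\Reports\*',
    r'/bin/dd if=/dev/zero of=/srv/share/report.xlsx bs=4k conv=notrunc',
    r'/bin/dd if=/dev/sda of=/mnt/backup/disk.img bs=1M',
    r'C:\Windows\System32\notepad.exe C:\Users\a\notes.txt',
]


def _tokens(cmdline):
    """Split a command line on whitespace, keeping quoted Windows paths intact."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def classify(cmdline):
    """Return a rule name when the command line matches a wiper pattern, else None."""
    toks = _tokens(cmdline)
    if not toks:
        return None
    exe = toks[0].lower()
    # RAR 'a' (add to archive) command combined with -df: every source file is
    # deleted once archived, which is the first half of the RoarBAT wipe.
    if exe.endswith(('winrar.exe', 'rar.exe')) and len(toks) > 1 and toks[1].lower() == 'a':
        if any(t.lower() == '-df' for t in toks[2:]):
            return 'rar_delete_files_after_archive'
    # dd copying /dev/zero onto a regular path (not a block device) overwrites that
    # file with zero bytes, the Linux variant described in the advisory.
    if exe.rsplit('/', 1)[-1] == 'dd' and any(t.lower() == 'if=/dev/zero' for t in toks):
        targets = [t[3:] for t in toks if t.lower().startswith('of=')]
        if targets and not targets[0].startswith('/dev/'):
            return 'dd_zero_overwrite_of_file'
    return None


def scan(events):
    """Return (rule, command line) pairs for every event that matches a rule."""
    return [(rule, e) for e in events if (rule := classify(e))]


if __name__ == '__main__':
    for rule, cmd in scan(SAMPLE_EVENTS):
        print(f'{rule}: {cmd}')
```

Both patterns have legitimate uses (backup jobs, disk imaging), so in production they belong in a correlation rule that also looks at the number of files touched and at deletion of the resulting archive shortly afterwards, rather than in a stand-alone alert.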
Indicators of Compromise (IoC)
- update1.bat (RoarBAT):
- WinRAR.exe (Command line RAR):