Russian Hackers Employ WinRAR to Erase Data of Ukrainian State Agency

Jun 27, 2023
Russian hackers target Ukrainian data with WinRAR
Harper Stewart

The Russian hacking group known as “Sandworm” used WinRAR in an attack on Ukrainian state networks that destroyed data on government devices.

According to a recent advisory from the Ukrainian Government Computer Emergency Response Team (CERT-UA), the Russian hackers reportedly used compromised VPN accounts that lacked multi-factor authentication to gain access to critical systems on Ukrainian state networks.

Once inside the network, they used the WinRAR archiving software to run scripts that deleted files on Windows and Linux computers.

The “RoarBAT” batch script that Sandworm uses on Windows searches disks and particular folders for file types including doc, docx, rtf, txt, xls and others, then archives them with the WinRAR application.

When WinRAR is launched, the hackers pass the “-df” command-line option, which deletes each file as soon as it has been added to the archive. The archives are then deleted as well, so neither the originals nor the archived copies remain on the device.

According to CERT-UA, RoarBAT is executed by a scheduled task that was created and centrally distributed to domain-joined Windows machines using Group Policy.

On Linux systems, the threat actors instead used a Bash script that relied on the “dd” utility to erase the contents of the targeted file types by overwriting them with zero bytes. Because the original data is replaced rather than merely unlinked, recovery of files “emptied” with dd is unlikely, if not impossible.

Since WinRAR and the “dd” command are both legitimate, trusted tools, the threat actors probably chose them to avoid detection by security software.
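Because both tools are legitimate, the realistic detection opportunity is the command line, not the binary. The following Python example, added here and not code from CERT-UA or the article, scans process-creation records for the three behaviours described above: WinRAR or Rar.exe invoked with the “-df” switch, a scheduled task created to run a batch file, and dd overwriting a regular file from /dev/zero. The pipe-delimited log format and every sample record are constructed for illustration; a real deployment would feed it Sysmon Event ID 1 / Windows 4688 records (with command-line auditing enabled) and Linux auditd execve events.

```python
"""Flag wiper-style use of trusted tools in process-creation logs.

Added example for this article (not CERT-UA's or the article's own code).
The record format and the SAMPLE_LOGS below are constructed:
    timestamp|host|user|image_path|command_line
"""
import re
from dataclasses import dataclass

# Constructed sample records: two WinRAR runs with -df, one benign WinRAR run,
# a scheduled-task creation that launches a .bat, one dd zero-overwrite of a
# document, and one benign dd disk-image copy.
SAMPLE_LOGS = [
    r'2023-06-20T02:11:04Z|FS01|CORP\svc-backup|C:\Program Files\WinRAR\WinRAR.exe|"C:\Program Files\WinRAR\WinRAR.exe" a -r -df C:\Temp\x.rar D:\Shares\*.docx',
    r'2023-06-20T02:11:05Z|FS01|CORP\svc-backup|C:\Program Files\WinRAR\Rar.exe|Rar.exe a -ep1 -df -inul out.rar *.xls',
    r'2023-06-20T02:11:30Z|FS01|CORP\alice|C:\Program Files\WinRAR\WinRAR.exe|"C:\Program Files\WinRAR\WinRAR.exe" a reports.rar Q2\*.xlsx',
    r'2023-06-20T02:12:00Z|DC01|CORP\admin|C:\Windows\System32\schtasks.exe|schtasks /create /tn Updater /tr C:\Temp\roar.bat /sc once /st 02:15',
    r'2023-06-20T02:14:00Z|web01|root|/usr/bin/dd|dd if=/dev/zero of=/srv/data/report.docx bs=1M count=2',
    r'2023-06-20T02:15:00Z|web01|root|/usr/bin/dd|dd if=/dev/sda of=/backup/disk.img bs=4M',
]

WINRAR_IMAGES = {"winrar.exe", "rar.exe"}
BATCH_EXTS = (".bat", ".cmd")


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    rule: str
    command: str


def basename(image_path: str) -> str:
    """Last path component, lower-cased, for either Windows or POSIX paths."""
    return re.split(r"[\\/]", image_path)[-1].lower()


def tokens(cmdline: str) -> list:
    """Split a command line on whitespace, keeping double-quoted runs intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def classify(image: str, cmdline: str):
    """Return the matching rule name, or None if the record looks benign."""
    name = basename(image)
    toks = tokens(cmdline)
    low = [t.lower() for t in toks]

    # Rule 1: WinRAR asked to delete source files after archiving them.
    # Switches are case-insensitive, so compare lower-cased tokens.
    if name in WINRAR_IMAGES and "-df" in low:
        return "winrar_delete_after_archive"

    # Rule 2: a scheduled task created whose action is a batch script.
    if name == "schtasks.exe" and "/create" in low:
        for i, t in enumerate(low):
            if t == "/tr" and i + 1 < len(low) and low[i + 1].endswith(BATCH_EXTS):
                return "scheduled_task_runs_batch"

    # Rule 3: dd sourcing /dev/zero into a regular file (not a block device),
    # i.e. overwriting file contents in place rather than wiping a disk.
    if name == "dd" and "if=/dev/zero" in low:
        for t in low:
            if t.startswith("of=") and not t[3:].startswith("/dev/"):
                return "dd_zero_overwrite"
    return None


def detect(lines) -> list:
    """Parse each record and collect findings in input order."""
    findings = []
    for line in lines:
        parts = line.split("|", 4)
        if len(parts) != 5:
            continue  # malformed record; skip rather than crash the sweep
        ts, host, user, image, cmdline = parts
        rule = classify(image, cmdline)
        if rule:
            findings.append(Finding(ts, host, user, rule, cmdline))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        print(f"{f.timestamp} {f.host} {f.user} [{f.rule}] {f.command}")
```

Run against the constructed records, the sweep reports the two WinRAR “-df” runs, the schtasks creation and the dd overwrite, and stays silent on the ordinary archive and disk-image copy. In practice the WinRAR rule alone will produce some benign hits from users who tidy up after archiving, so the useful alert is the combination: a “-df” run under a service account, at an odd hour, on many hosts at once, shortly after a Group Policy-deployed scheduled task appeared.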

According to CERT-UA, the incident resembles another destructive attack that Sandworm launched against the Ukrainian national news agency “Ukrinform” in January 2023.

CERT-UA advises all critical organizations in the country to reduce their attack surface, patch vulnerabilities, disable unnecessary services, restrict access to administrative interfaces, and monitor their network traffic and logs.

Multi-factor authentication should always be used to secure VPN accounts that grant access to business networks.