A Russian hacking group is targeting Ukrainian state networks, destroying data on government systems with a malicious script, RoarBat. Sandworm, the hacking group responsible for the attack, gains access to critical systems in state networks using compromised VPN accounts that lack two-factor authentication.
How does Sandworm wipe data?
Instead of using malware, the attackers are employing the dd command and WinRAR to evade detection by security solutions, according to an advisory released by CERT-UA.
- Once the attackers gain access to the targeted network, they employ scripts that wipe files on Windows and Linux systems with the use of the WinRAR archiving program.
- A BAT script called RoarBat is used on Windows to search disks and specific directories for file types such as docx, doc, rtf, xlsx, txt, xls, ppt, pptx, and archive them using the WinRAR tool.
- It can delete files with more than two dozen extensions, including drivers.
On Linux systems, a Bash script is employed to take the machine out of service, using the standard dd utility to overwrite files with zero bytes.
Additional technical insights
The attacker passes the -df command-line option whenever WinRAR is executed, which automatically deletes files as they are archived. As a result, the archives delete themselves along with the data on the systems.
- The RoarBat script is run by a scheduled task that is created and centrally propagated by Group Policy (GPO).
- Access to the target's information and communication system (IKS) is obtained by connecting to a VPN using compromised authentication data.
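Because both wipers rely on legitimate tools, the command line is the main signal available to defenders. The following is an added example, not code from CERT-UA or the original article: a small Python check that flags the two invocations described above in process-creation logs. The function names, host names and sample events are constructed for illustration, and it assumes the logging source records full command lines.

```python
import shlex

ARCHIVERS = {"winrar.exe", "rar.exe"}   # GUI and console builds of the archiver

def exe_name(path):
    # Normalise quotes, case and both Windows and POSIX path separators.
    return path.strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(cmdline):
    """Return a finding for one process command line, or None if benign."""
    try:
        argv = shlex.split(cmdline, posix=False)  # keeps Windows backslashes
    except ValueError:                            # unbalanced quotes in the log
        argv = cmdline.split()
    if not argv:
        return None
    exe, args = exe_name(argv[0]), [a.strip('"') for a in argv[1:]]
    # Exact, case-insensitive switch match: "report-df.docx" must not fire.
    if exe in ARCHIVERS and any(a.lower() == "-df" for a in args):
        return "archiver run with -df: source files deleted after archiving"
    if exe == "dd":
        ops = dict(a.split("=", 1) for a in args if "=" in a)
        # Zero source written to a real target; /dev/null is a throughput test.
        if ops.get("if") == "/dev/zero" and ops.get("of") not in (None, "/dev/null"):
            return "dd overwriting " + ops["of"] + " with zero bytes"
    return None

def scan(events):
    """events: iterable of (host, command line). Returns the flagged ones."""
    return [(h, f) for h, c in events if (f := classify(c))]

# Constructed sample events, not taken from the advisory.
SAMPLE_EVENTS = [
    ("ws-01", r'"C:\Program Files\WinRAR\WinRAR.exe" a -DF -r out.rar D:\docs\*.docx'),
    ("ws-02", r'"C:\Program Files\WinRAR\WinRAR.exe" a out.rar C:\tmp\report-df.docx'),
    ("srv-01", "/bin/dd if=/dev/zero of=/var/data/db.sqlite bs=1M"),
    ("srv-02", "dd if=/dev/zero of=/dev/null bs=1M count=10"),
    ("srv-03", "dd if=/dev/sda of=/backup/sda.img"),
]

if __name__ == "__main__":
    for host, finding in scan(SAMPLE_EVENTS):
        print(host, "->", finding)
```

A hit on either rule is a triage lead rather than proof of wiping, since administrators also use -df and dd legitimately; correlating it with a recently created GPO-deployed scheduled task narrows it down.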
What to do?
CERT-UA suggests all organizations in Ukraine limit their attack surface, patch flaws, disable services that are not required, monitor network traffic and logs, and limit access to the management interface. Further, VPN accounts allowing access to organization networks should be protected with 2FA.