Russian hackers use a blast from the Windows past to launch cyberattacks

By Mobile Malls, May 4, 2023

Russian state-sponsored hackers have wiped data from devices on Ukrainian state networks, getting in through poorly protected VPNs and then running malware that abuses the popular archiving program WinRAR.

The Ukrainian Government Computer Emergency Response Team (CERT-UA) recently reported that a Russian threat actor, believed to be the Sandworm group, compromised Ukrainian state networks using compromised VPN accounts that did not have multi-factor authentication (MFA) set up. After gaining access, the attackers deployed malware dubbed "RoarBat", which effectively wipes the affected drives.

Deleting everything

The malware searches the drive for files with a range of extensions, including .doc, .txt, .jpg and .xlsx. It then invokes WinRAR to archive those files, passing the "-df" command-line switch, which deletes each source file after it has been added to the archive. Once the archiving run is finished, the malware deletes the archive itself, wiping all of the matching data on the disk in one fell swoop. Note that "-df" performs an ordinary delete rather than an overwrite, so, unlike the Linux technique below, some of the deleted content may still be recoverable from unallocated disk space with forensic carving tools.

The threat actors are also targeting Linux devices, the agency added: on that OS they use a Bash script and the "dd" utility to overwrite target files with zero bytes. "As a result of this data replacement, recovery for files 'emptied' using the dd tool is unlikely, if not completely impossible," BleepingComputer states.

This isn't the first time such an attack has targeted Ukrainian state networks, CERT-UA claims.
In January 2023, the country's state news agency, Ukrinform, was also targeted by Sandworm. "The method of implementation of the malicious plan, the IP addresses of the access subjects, as well as the fact of using a modified version of RoarBat testify to the similarity with the cyberattack on Ukrinform, information about which was published in the Telegram channel 'CyberArmyofRussia_Reborn' on January 17, 2023," CERT-UA said.

The best way to defend against such attacks is to keep hardware and software up to date, enable MFA wherever possible, and restrict access to management interfaces as far as possible.

Via: BleepingComputer
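As an added example (not code from the article, CERT-UA or BleepingComputer), the following Python detection logic turns the two described techniques into a check over process-creation telemetry: it flags rar/WinRAR invoked with the "a" (add) command together with "-df", raising the severity when "-r" recursion and wildcard masks over document extensions appear in the same command line, and it flags "dd" writing /dev/zero onto a target path. The event records, paths and file names are constructed sample data; the field names "image" and "cmdline" are assumptions standing in for whatever your EDR export or Sysmon Event ID 1 log provides.

```python
"""Flag process-creation events that match the RoarBat wiper pattern.

Added example, not code from the article or CERT-UA.  Assumes each event is
a dict with an executable path ('image') and the full command line ('cmdline');
real telemetry (Sysmon Event ID 1, EDR exports) will need a field mapping.
"""
import shlex
from typing import Optional

# Extensions the article reports RoarBat searching for; the real sample may
# target more, so treat this as a hint for severity, not as a gate.
TARGET_EXTS = (".doc", ".txt", ".jpg", ".xlsx")

RAR_BINARIES = {"rar.exe", "winrar.exe", "rar"}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\WinRAR\Rar.exe",
     "cmdline": r'"C:\Program Files\WinRAR\Rar.exe" a -r -df -y '
                r"C:\Users\Public\out.rar C:\*.doc C:\*.txt C:\*.xlsx C:\*.jpg"},
    {"image": r"C:\Program Files\WinRAR\WinRAR.exe",   # ordinary user archiving
     "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" a -ep1 '
                r"C:\Users\bob\Documents\report.rar C:\Users\bob\Documents\report.docx"},
    {"image": "/usr/bin/dd",                            # zero-overwrite of a file
     "cmdline": "dd if=/dev/zero of=/var/lib/app/data.db bs=1M"},
    {"image": "/usr/bin/dd",                            # benign disk image backup
     "cmdline": "dd if=/dev/sda of=/mnt/backup/sda.img bs=4M status=progress"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path, quotes stripped."""
    return path.strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify_event(image: str, cmdline: str) -> Optional[dict]:
    """Return a finding dict for a wiper-like process, or None if benign."""
    try:
        # posix=False keeps Windows backslashes and quoted paths intact.
        argv = shlex.split(cmdline, posix=False)
    except ValueError:
        return None
    if not argv:
        return None
    args = argv[1:]
    name = _basename(image)

    if name in RAR_BINARIES:
        # rar syntax: rar <command> [switches] <archive> [files or masks ...]
        switches = {a.lower() for a in args if a.startswith("-")}
        positional = [a for a in args if not a.startswith("-")]
        if positional and positional[0].lower() == "a" and "-df" in switches:
            masks = positional[2:]
            recursive = bool(switches & {"-r", "-r0"})
            broad = any("*" in m and m.lower().endswith(TARGET_EXTS) for m in masks)
            return {
                "severity": "high" if (recursive and broad) else "medium",
                "reason": "rar add with -df deletes source files after archiving",
                "masks": masks,
            }
        return None

    if name == "dd":
        kv = dict(a.split("=", 1) for a in args if "=" in a)
        if kv.get("if") == "/dev/zero" and kv.get("of"):
            # Known benign hit: swap-file creation; tune on the 'of' path.
            return {
                "severity": "high",
                "reason": "dd overwriting target with zeros",
                "target": kv["of"],
            }
        return None

    return None


def scan(events):
    """Run classify_event over a list of events; return (index, finding) pairs."""
    findings = []
    for i, ev in enumerate(events):
        finding = classify_event(ev["image"], ev["cmdline"])
        if finding:
            findings.append((i, finding))
    return findings


if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(idx, finding)
```

Expect benign hits from dd if=/dev/zero (swap-file creation, administrators sanitising disks) and from scheduled archive-and-delete jobs on backup servers; tune on the parent process, the target path, and whether the archive is deleted shortly afterwards, which is the step that turns archiving into wiping in the RoarBat case.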