Posted on May 5, 2023 at 3:21 PM
Russian Sandworm hacking group uses WinRAR to steal data from Ukraine
Sandworm, a hacking group based in Russia, has been associated with an attack on Ukrainian state networks. In these attacks, WinRAR is used to destroy the data present on government devices. The report on this attack comes as threat actors based in Russia continue with hacktivist activities against adversaries.
Russian Sandworm hacking group steals data from Ukraine
The Ukrainian Government Computer Emergency Response Team (CERT-UA) has published a new advisory. In it, CERT-UA says that Russian hackers used compromised VPN accounts that were not protected by multi-factor authentication to gain unauthorized access to critical systems in Ukrainian state networks.
Once the hacking group has gained access to a Ukrainian state network, it runs scripts that wipe files on Windows and Linux devices. On Windows, this is done with the WinRAR archiving program.
On Windows devices, the BAT script used by the Sandworm hacking group is known as RoarBat. RoarBat searches disks and selected directories for files of specific types, including doc, docx, xls, png, jpg, jpeg, rtf, xls, ppt, xlsx, vsd, vsdx, zip, bin, php, vib, vbk, among others.
The matching files are then archived with the WinRAR program. WinRAR is invoked with the “-df” command-line option, which deletes the source files as soon as they have been added to the archive.
The hackers then delete the archives themselves, effectively removing the data from the target device. According to CERT-UA, RoarBat is run through a scheduled task that is created and distributed centrally to devices in the Windows domain via group policies.
On Linux systems, the threat actors use a Bash script instead. This script relies on the “dd” utility to overwrite the targeted file types with zero bytes, erasing their contents. Because the original data is overwritten in place rather than merely deleted, files wiped with dd cannot be recovered.
This attack can be hard to detect because both the “dd” command and WinRAR are legitimate programs. The threat actors behind the breach are likely using them to avoid detection by security software. The technique lets the attackers operate on a system without the user realizing it has been compromised.
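Because the tools are legitimate, detection has to key on how they are invoked. The following is an added example (not from the CERT-UA advisory) that scans constructed process-creation events for the two behaviours described above: WinRAR run with the “-df” delete-after-archive switch across wildcarded file types, and dd copying /dev/zero into a regular file path. The event format and sample hosts are hypothetical.

```python
# Constructed sample process-creation events (hypothetical schema, not real
# telemetry): one dict per event with the executing image and command line.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Program Files\WinRAR\Rar.exe",
     "cmdline": r"Rar.exe a -r -df -ep1 C:\Temp\out.rar C:\Users\*.docx C:\Users\*.xlsx"},
    {"host": "ws02", "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r"WinRAR.exe a -r C:\Backups\monthly.rar D:\Shares\Finance"},  # benign backup
    {"host": "srv-lnx1", "image": "/usr/bin/dd",
     "cmdline": "dd if=/dev/zero of=/srv/data/report.docx bs=4096 conv=notrunc"},
    {"host": "srv-lnx2", "image": "/usr/bin/dd",
     "cmdline": "dd if=/dev/sda of=/backup/disk.img bs=4M"},  # benign disk image
]

WINRAR_IMAGES = {"rar.exe", "winrar.exe"}

def winrar_delete_after_archive(event):
    """Flag WinRAR/Rar invoked with -df, the switch that deletes source files
    once they are archived (the behaviour RoarBat relies on)."""
    image = event["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if image not in WINRAR_IMAGES:
        return None
    tokens = event["cmdline"].split()
    if not any(t.lower() == "-df" for t in tokens):
        return None
    # Wildcarded extensions in the argument list indicate a bulk sweep of
    # document types rather than a single-folder backup job.
    exts = sorted({t.rsplit(".", 1)[-1].lower() for t in tokens if "*." in t})
    return {"host": event["host"], "rule": "winrar_delete_after_archive", "extensions": exts}

def dd_zero_overwrite(event):
    """Flag dd reading /dev/zero into a regular file path (not a block
    device): that overwrites file contents instead of imaging a disk."""
    if event["image"].rsplit("/", 1)[-1] != "dd":
        return None
    args = dict(t.split("=", 1) for t in event["cmdline"].split()[1:] if "=" in t)
    if args.get("if") != "/dev/zero":
        return None
    target = args.get("of", "")
    if not target or target.startswith("/dev/"):
        return None
    return {"host": event["host"], "rule": "dd_zero_overwrite", "target": target}

def scan(events):
    """Run both rules over a list of events and return the findings."""
    findings = []
    for ev in events:
        for rule in (winrar_delete_after_archive, dd_zero_overwrite):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

In practice the same rules can be fed from Sysmon event ID 1, Windows 4688 or auditd EXECVE records, and pairing the WinRAR rule with scheduled-task creation from group policy narrows it further.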
According to CERT-UA, this incident resembles another attack that targeted the Ukrainian state news agency, Ukrinform, in January this year. That attack was also linked to the Sandworm hacking group.
The CERT-UA advisory further states that “The method of implementation of the malicious plan, the IP addresses of the access subjects, as well as the fact of using a modified version of RoarBat testify to the similarity with the cyberattack on Ukrinform, information about which was published in the Telegram channel “CyberArmyofRussia_Reborn” on January 17, 2023.”
CERT-UA also recommends that all critical organizations in the country reduce their attack surface and apply patches for known vulnerabilities. The agency further advises affected organizations to disable unneeded services, limit access to management interfaces, and monitor their network traffic and logs.
VPN accounts that provide access to corporate networks should also be protected with multi-factor authentication, so that a compromised password alone does not give attackers an entry point into the system.
Russian hacking groups launch attacks
Russian hacking groups have been increasingly launching attacks targeting Western countries amid the ongoing Russian invasion. These groups have launched several attacks over the past year, most of which are distributed denial-of-service (DDoS) attacks.
The KillNet hacking group has been especially notorious in such exploits, having launched DDoS attacks targeting countries that have supported Ukraine and NATO in the ongoing invasion. The hacking group is media-savvy, and it claims responsibility for the attacks it has conducted.
The most recent attack by a pro-Russian hacking group targeted Sweden’s parliament. The DDoS attack brought down the Swedish parliament’s website and made some of its services inaccessible. The website has since been restored, although it is slower than before. A similar attack happened last year when pro-Russian hackers targeted the Finnish parliament with DDoS.