Russia-linked Sandworm APT uses WinRAR in destructive attacks on Ukraine’s public sector

CERT-UA is warning of destructive cyberattacks conducted by the Russia-linked Sandworm APT group against the Ukraine public sector.

Russia-linked APT group Sandworm is behind destructive cyberattacks against Ukrainian state networks, the Ukrainian Government Computer Emergency Response Team (CERT-UA) warns.

The Sandworm group (aka BlackEnergy, UAC-0082, Iron Viking, Voodoo Bear, and TeleBots) has been active since 2000, it operates under the control of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST).

The group is also the author of the NotPetya ransomware that hit hundreds of companies worldwide in June 2017. In 2022, the Russian APT used multiple wipers in attacks aimed at Ukraine, including AwfulShred, CaddyWiper, HermeticWiper, Industroyer2, IsaacWiper, WhisperGate, Prestige, RansomBoggs, and ZeroWipe. 

The threat actors allegedly obtained access to Ukraine’s public networks by using compromised VPN credentials.

CERT-UA started investigating the attack after it received information about an attack against an ICS system of one of the state organizations of Ukraine.

The attackers used a BAT script dubbed RoarBat that recursively searches for files with specific extensions (.doc, .docx, .rtf, .txt, .xls, .xlsx, .ppt, .pptx, .vsd, .vsdx, .pdf, .png, .jpeg, .jpg, .zip, .rar, .7z, .mp4, .sql , .php, .vbk, .vib, .vrb, .p7s and .sys, .dll, .exe, .bin, .dat) to archive them using the legitimate WinRAR program.

The attackers were observed using WinRAR with the “-df” option to delete the source file after being added to the archives. The script was run by a scheduled task that was created and centrally distributed by means of Group Policy (GPO).

On Linux systems, the APT group used a Bash script with the “dd” utility to overwrite specific file types with zero bytes.

“The method of implementation of the malicious plan, the IP addresses of the access subjects, as well as the fact of using a modified version of RoarBat testify to the similarity with the cyber attack on Ukrinform, information about which was published in the Telegram channel “CyberArmyofRussia_Reborn” on January 17, 2023.” reads the alert published by CERT-UA. “Thus, despite the coverage of the fact of the cyberattack using another telegram channel, CERT-UA associates the described activity with a moderate level of confidence with the activities of the Sandworm group, but the appropriate identifier UAC-0165 was created for its point tracking.”

CERT-UA urges Ukrainian critical organizations using multi-factor authentication for VPN accounts, network segmentation and filtering of incoming, outgoing and inter-segment information flows.

The CERT also provided Indicators of Compromise (IoCs) for these attacks.

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections where is reported Securityaffairs or my name Pierluigi Paganini

Please nominate Security Affairs as your favorite blog.

Nominate Pierluigi Paganini and Security Affairs here here: 

https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Sandworm)