Ukrainian authorities are reporting that Russian hackers have used the WinRAR file compression tool to wipe data from computer systems at a number of government agencies.
The Ukrainian Government Computer Emergency Response Team (CERT-UA) claims (via Bleeping Computer) that Russian hackers, probably the notorious Sandworm group, obtained compromised VPN accounts which in turn provided access to official Ukrainian state networks.
The hackers apparently used the RoarBAT script, which searches for files on the targeted machine with extensions including .doc, .docx, .rtf, .txt, .xls, .xlsx, .ppt, .pptx, .jpeg, .jpg, .zip, .rar, .7z, and several more, before archiving the files with WinRAR using the "-df" option. Using this option automatically deletes the source files after archiving. The RoarBAT script then deletes the archived files, resulting in total data loss.
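The behaviour described above (WinRAR's console archiver invoked with "-df" against document file types) leaves a recognisable trace in process-creation telemetry. As an added illustration that is not part of the original article and not CERT-UA's or WinRAR's code, the following Python script scans Sysmon Event ID 1-style records for that pattern and scores each hit. The sample events, field names, parent-process list and scoring weights are all constructed assumptions for the example.

```python
"""Flag Rar.exe / WinRAR.exe invocations that use the -df switch.

Input records are dicts in a Sysmon Event ID 1 / EDR style (Image, CommandLine,
ParentImage, User). The sample records below are constructed for this example;
they are not real telemetry.
"""
import re
from pathlib import PureWindowsPath
from typing import Optional

# File types the article says RoarBAT looks for before archiving.
TARGET_EXTENSIONS = {".doc", ".docx", ".rtf", ".txt", ".xls", ".xlsx", ".ppt",
                     ".pptx", ".jpeg", ".jpg", ".zip", ".rar", ".7z"}
ARCHIVER_IMAGES = {"rar.exe", "winrar.exe"}
# Assumption: a batch/script host as parent is a stronger signal than an
# interactive launch from Explorer.
SCRIPT_HOST_PARENTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}


def tokenize(cmdline: str) -> list:
    """Split a Windows command line into tokens, keeping quoted paths intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def analyze_event(event: dict) -> Optional[dict]:
    """Return a finding for an archive-then-delete command, or None if benign."""
    image_name = PureWindowsPath(event["Image"]).name.lower()
    if image_name not in ARCHIVER_IMAGES:
        return None
    tokens = tokenize(event["CommandLine"])
    if len(tokens) < 2 or tokens[1].lower() != "a":   # "a" = add to archive
        return None
    switches = {t.lower() for t in tokens[2:] if t.startswith("-")}
    if "-df" not in switches:
        return None            # archiving without deleting sources is normal use

    # rar a [switches] <archive> <sources...>: skip the archive name so its own
    # .rar extension is not counted as a targeted type.
    positional = [t for t in tokens[2:] if not t.startswith("-")]
    sources = positional[1:]
    targeted = sorted(ext for ext in TARGET_EXTENSIONS
                      if any(s.lower().endswith(ext) for s in sources))

    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    score = 0
    if targeted:
        score += 1                         # document/image types like RoarBAT
    if parent in SCRIPT_HOST_PARENTS:
        score += 1                         # launched from a script, not a user
    if "-r" in switches:
        score += 1                         # -r recurses into subdirectories
    return {
        "user": event.get("User", ""),
        "parent": parent,
        "targeted_extensions": targeted,
        "severity": "high" if score >= 2 else "medium",
    }


def scan_events(events: list) -> list:
    """Run analyze_event over a batch of records and keep only the findings."""
    return [f for f in (analyze_event(e) for e in events) if f is not None]


# Constructed sample records for the example (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\WinRAR\Rar.exe",
     "CommandLine": r'"C:\Program Files\WinRAR\Rar.exe" a -df -r "C:\Users\alice\AppData\Local\Temp\a.rar" "C:\Users\alice\Documents\*.docx"',
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\alice"},
    {"Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "CommandLine": r'"C:\Program Files\WinRAR\WinRAR.exe" a -ep1 "D:\backup.rar" "C:\Users\bob\Projects"',
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\bob"},
    {"Image": r"C:\Program Files\WinRAR\Rar.exe",
     "CommandLine": r'"C:\Program Files\WinRAR\Rar.exe" a -df "C:\Temp\logs.rar" "C:\ProgramData\app\logs\*.log"',
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\carol"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c dir C:\Users',
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\dave"},
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

Only the first and third records are flagged: the recursive, script-launched run against .docx files scores "high", while a one-off -df on log files from Explorer is still reported but as "medium". A plain archive without -df and an unrelated cmd.exe launch produce nothing, which keeps the rule from firing on everyday WinRAR use.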
The hack is possible because of the ubiquity of WinRAR on modern PCs. Apparently, Linux systems are not immune from the attack and can be compromised using a BASH script and the standard dd utility, whatever any of that means.
Ukraine's CERT-UA says this latest hack is suspiciously similar to another attack earlier this year on the Ukrainian state news agency Ukrinform, which was attributed to the Sandworm group.
"The method of implementation of the malicious plan, the IP addresses of the access subjects, as well as the fact of using a modified version of RoarBat testify to the similarity with the cyberattack on Ukrinform," says CERT-UA.
Unsurprisingly, it also says that all Ukrainian government operatives should tighten up their VPN security by enabling multi-factor authentication. Which is probably a lesson for all of us, too.