The Ukrainian government has reported that Russian hackers used the WinRAR file compression utility to delete data from computers at several government agencies. According to the Ukrainian Computer Emergency Response Team (CERT-UA), the Sandworm group may have gained access to compromised VPN accounts that provided access to Ukraine's official government networks.
The hackers apparently used a script called RoarBAT to search for files on the target machine with extensions including.doc,.docx,.rtf,.txt,.xls,.xlsx,.ppt,.pptx,.jpeg,.jpg,.zip,.rar,.7z, and several others, and then used WinRAR to archive the files and the "-df" option, which automatically deletes the source files after archiving. The RoarBAT script then deleted the archived files, resulting in a complete loss of data.
The WinRAR utility, which is widely used on most modern computers, can be a reason for their compromise. It seems that Linux systems are not immune to such attacks, and the BASH script and the standard dd tool can be used to compromise them, despite the initial impression of security.
The Ukrainian Center for Information Security CERT-UA claims that the recent hack resembles the attack on the state information agency "Ukrinform" earlier this year, which was linked to the Sandworm group.
"The methods of implementing the malicious plan, the IP addresses of the attackers, and the use of a modified version of RoarBat indicate similarity to the cyber attack on Ukrinform," noted CERT-UA.
The center also strongly recommends that all Ukrainian state operators improve the security of their VPNs with multi-factor authentication. This should probably be a lesson for all of us.