Ukraine State Networks Hit by Sandworm Group Cyberattack
Ukraine's state networks have reportedly fallen victim to a cyberattack, with data wiped from Windows and Linux systems
The Sandworm group, also known as APT 39, has been attributed to Russian Military Unit 74455 of the Main Intelligence Directorate (GRU) and is suspected of carrying out the attacks.
CERT-UA, Ukraine's computer emergency response team, has linked Sandworm to the recent offensive.
CERT-UA suggests that the attackers used compromised VPN accounts without multi-factor authentication to gain access to critical systems within the Ukrainian state networks. Once inside, the threat actors ran scripts that wiped files on Windows and Linux machines by leveraging the WinRAR archiving program.
It is believed that the "dd" command and "WinRAR," both legitimate programs, were used to avoid detection by security software.
WinRAR, a file archiving utility for Windows, searches and archives files on the system. However, when coupled with a batch file called "RoarBAT," WinRAR can search, archive, and then delete both the files and the archive itself.
This tactic impacts various file types, including documents, images, compressed files, multimedia files, and system files.
Linux systems were similarly wiped by running a Bash script and utilizing the standard dd utility, which overwrites targeted file types with zero bytes, rendering them unrecoverable.
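Both wiping techniques described above abuse legitimate tools, so file-level antivirus signatures are of little help; what a defender can watch is the process command line. The following is an added example (not code from the article or from CERT-UA) of simple detection logic run over constructed process-creation events: it flags WinRAR invoked with a delete-after-archive switch (WinRAR's documented `-df` / `-dr` switches) and `dd` reading from `/dev/zero` into a regular file rather than a block device. The event format, host names and command lines are all hypothetical sample data.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events, loosely modelled on EDR/Sysmon
# fields. They are hypothetical and not telemetry from the incident.
SAMPLE_EVENTS = [
    {"host": "fs01", "user": "svc_backup",
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r"WinRAR.exe a -r -df C:\temp\out.rar C:\Users\*.docx"},
    {"host": "fs01", "user": "jdoe",
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r"WinRAR.exe a -r C:\temp\backup.rar C:\Users\jdoe\Documents"},
    {"host": "web02", "user": "root", "image": "/usr/bin/dd",
     "cmdline": "dd if=/dev/zero of=/var/www/html/index.html bs=4k"},
    {"host": "web02", "user": "root", "image": "/usr/bin/dd",
     "cmdline": "dd if=/dev/sda of=/backup/sda.img bs=4M"},
]


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    rule: str
    cmdline: str


# Rule name -> pattern applied to the process command line.
RULES = [
    # WinRAR / rar.exe with -df (delete files after archiving) or
    # -dr (move to Recycle Bin after archiving): archive-then-delete behaviour.
    ("winrar_delete_after_archive",
     re.compile(r"(?i)\b(?:winrar|rar)(?:\.exe)?\b.*\s-d[fr]\b")),
    # dd zero-filling a regular file (of= not under /dev/), i.e. overwriting
    # file contents rather than imaging a block device.
    ("dd_zero_fill_regular_file",
     re.compile(r"(?:^|\s)dd\s.*\bif=/dev/zero\b.*\bof=(?!/dev/)\S+")),
]


def evaluate(events):
    """Return one Alert per (event, matching rule) pair, in input order."""
    alerts = []
    for ev in events:
        for name, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                alerts.append(Alert(ev["host"], ev["user"], name, ev["cmdline"]))
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host} {a.user}: {a.cmdline}")
```

Run against the sample events, only the first WinRAR invocation and the first `dd` invocation are flagged; the plain backup archive and the disk-imaging `dd` pass. In production the same checks belong in the SIEM or EDR rule language, enriched with the account (a service account archiving user documents with deletion is itself notable) and correlated with the VPN login that preceded it.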
Sandworm is strongly suspected due to the attackers' IP addresses, the modified "RoarBAT" script, and the similarity to a Sandworm team attack on the Ukrainian State News Agency "Ukrinform" in January 2023.
The group has also been linked to the 2015 and 2016 attacks against the Ukrainian electrical grid and government organizations, as well as the 2017 worldwide NotPetya attack.