WinRAR Weaponized for Attacks on Ukrainian Public Sector
Ukraine Links Attacks to Russian Intelligence Sandworm Hackers
Ukrainian cyber defenders said they spotted a malicious script used to activate the delete option on a Windows file archiving utility likely planted by the Russian intelligence agency threat actor known as Sandworm.
In a Saturday alert, the Computer Emergency Response Team of Ukraine said an investigation carried out at an unnamed state agency revealed a Windows batch file script that recursively searches for Word documents or databases. The script, dubbed RoarBat, uses the WinRAR archiving and compression application to delete files carrying any of more than two dozen file extensions, including driver files.
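One way a defender could hunt for this pattern in endpoint telemetry, added here as an example and not code from the CERT-UA alert or this article: it assumes Sysmon-style process-creation fields (Computer, ParentImage, Image, CommandLine), uses constructed sample records, and keys on WinRAR's documented delete-after-archiving switches (-df, -dw), flagging hosts where a cmd.exe-launched WinRAR repeatedly consumed files of several types.

```python
# Hunt for WinRAR driven as a file wiper over Sysmon-style process records.
# Assumed fields: Computer, ParentImage, Image, CommandLine (constructed samples below).
# Documented WinRAR/Rar switches that remove source files once archived
# (-df deletes them, -dw wipes them); ordinary archiving keeps the originals.
DELETE_SWITCHES = {"-df", "-dw"}
WINRAR_EXES = {"winrar.exe", "rar.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()  # lower-cased Windows file name

def parse_rar_cmdline(cmdline):
    """Split 'WinRAR.exe <cmd> [switches] <archive> <files...>'; assumes
    whitespace-separated tokens (the samples use no quoted paths)."""
    rest = cmdline.split()[2:]  # drop executable and command letter
    switches = {t.lower() for t in rest if t.startswith("-")}
    files = [t for t in rest if not t.startswith("-")]
    archive, targets = (files[0], files[1:]) if files else (None, [])
    return switches, archive, targets

def find_wiper_activity(records, min_events=3):
    """Hosts where cmd.exe (a batch script) launched WinRAR with a delete
    switch at least min_events times, with the extensions it consumed."""
    per_host = {}
    for rec in records:
        if basename(rec["Image"]) not in WINRAR_EXES:
            continue
        switches, _archive, targets = parse_rar_cmdline(rec["CommandLine"])
        if not switches & DELETE_SWITCHES:
            continue
        stats = per_host.setdefault(rec["Computer"],
                                    {"count": 0, "exts": set(), "batch": False})
        stats["count"] += 1
        stats["exts"].update(t.rsplit(".", 1)[-1].lower() for t in targets if "." in t)
        stats["batch"] |= basename(rec["ParentImage"]) == "cmd.exe"
    return {h: s for h, s in per_host.items() if s["batch"] and s["count"] >= min_events}

# Constructed telemetry: WS01 shows the wiper pattern; WS02 (no delete switch)
# and WS03 (one interactive run from Explorer) do not.
def _rec(computer, parent, cmdline):
    return {"Computer": computer, "ParentImage": parent,
            "Image": r"C:\Program Files\WinRAR\WinRAR.exe", "CommandLine": cmdline}

CMD, EXPLORER = r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe"
SAMPLE_RECORDS = [
    _rec("WS01", CMD, r"WinRAR.exe a -df -ep1 C:\Users\u\{0}.rar C:\Users\u\{0}".format(f))
    for f in ("report.docx", "customers.sql", "driver.sys")
] + [
    _rec("WS02", EXPLORER, r"WinRAR.exe a -ep1 C:\Users\b\photos.rar C:\Users\b\pic.jpg"),
    _rec("WS03", EXPLORER, r"WinRAR.exe a -df C:\tmp\notes.rar C:\tmp\notes.txt"),
]
```

Running `find_wiper_activity(SAMPLE_RECORDS)` returns only WS01, with three delete-after-archive runs spanning the docx, sql and sys extensions.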
CERT-UA says attackers likely were able to penetrate the state agency through a compromised VPN credential.
Several indicators point to Sandworm, the Ukrainian cyber defender agency also says: IP addresses, the presence of a modified version of RoarBat and "the method of implementation of the malicious plan." They all share similarities with a January attack on Ukrinform, the Ukrainian national news agency.
The Telegram channel known as "CyberArmyofRussia_Reborn" published information about the Ukrinform attack, but Ukrainian defenders assess with moderate confidence that the actual hackers were Sandworm.
Cyber threat intel company Mandiant assessed - again with moderate confidence - that CyberArmyofRussia_Reborn coordinates with the Russian GRU military intelligence service, possibly by acting as the distribution channel of data stolen by APT28, also known as FancyBear. Sandworm is also a GRU unit and the groups have collaborated.
The January cyberattack delayed a press briefing by the head of the State Service of Special Communications and Information Protection, Yurii Shchyhol, to address Russia's hybrid warfare techniques.
Russian hacking objectives have shifted over the course of its invasion of Ukraine, which began in February 2022. The Ukrainian government recently concluded that energy infrastructure is now a main focus. A group of cyberwar experts convened by the European Cyber Conflict Research Initiative concluded that wipers will remain a mainstay of Russian hacking (see: Cyber Experts Predict More Harmful Cyberattacks in Ukraine).