Various government agencies in Ukraine have reported that Russian hackers have used the WinRAR file compression tool to delete data from their computers. According to the Ukrainian Government Computer Emergency Response Team (CERT-UA), the hackers gained access to official Ukrainian state networks via compromised VPN accounts. The RoarBAT script was used to search for files with specific extensions, which were then archived with WinRAR and the “-df” option applied. This option automatically deletes the source files after archiving, resulting in total data loss.
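The “-df” behaviour described above is also a detection opportunity: a legitimate archiver deleting its sources in bulk is rare in normal use. The following is an added example, not part of the original report or of CERT-UA's material. It scans constructed process-creation log lines (the line format, host names and paths are assumptions) and flags archiver runs that carry the -df switch, recovering which source paths would have been deleted.

```python
import re

# Constructed sample process-creation events (not telemetry from the incident).
# Assumed format: <ts> host=<h> user=<u> image=<path> cmd="<command line>"
SAMPLE_LOG = """\
2023-05-03T10:14:02Z host=fs01 user=svc_backup image=C:\\Program Files\\WinRAR\\Rar.exe cmd="Rar.exe a -r -y backup.rar D:\\share\\*.docx"
2023-05-03T10:15:41Z host=ws17 user=jdoe image=C:\\Program Files\\WinRAR\\WinRAR.exe cmd="WinRAR.exe a -r -df -y -ep1 C:\\Temp\\out.rar C:\\Users\\jdoe\\Documents\\*.xlsx"
2023-05-03T10:15:43Z host=ws17 user=jdoe image=C:\\Windows\\System32\\notepad.exe cmd="notepad.exe C:\\Users\\jdoe\\notes-df.txt"
2023-05-03T10:16:05Z host=srv03 user=SYSTEM image=C:\\Program Files\\WinRAR\\Rar.exe cmd="Rar.exe a -df -r wipe.rar C:\\Data\\*.pdf C:\\Data\\*.doc"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
                     r'image=(?P<image>.+?) cmd="(?P<cmd>.*)"$')
ARCHIVERS = {"rar.exe", "winrar.exe"}   # RAR switches are case-insensitive


def archive_and_delete_targets(image: str, cmd: str):
    """Return the source paths of an archiver run using -df, or None if benign.

    Only the archiver's own command line counts: a '-df' substring in some
    other program's arguments (e.g. a file name) is not a hit.
    """
    exe = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe not in ARCHIVERS:
        return None
    tokens = cmd.split()  # assumption: sample paths contain no spaces
    switches = {t.lower() for t in tokens[1:] if t.startswith("-")}
    if "-df" not in switches:
        return None
    positional = [t for t in tokens[2:] if not t.startswith("-")]
    return positional[1:]   # tokens[1] is the rar command, positional[0] the archive


def scan_log(text: str):
    """Return (timestamp, host, user, sources) for each archive-and-delete event."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sources = archive_and_delete_targets(m["image"], m["cmd"])
        if sources is not None:
            findings.append((m["ts"], m["host"], m["user"], sources))
    return findings


if __name__ == "__main__":
    for ts, host, user, sources in scan_log(SAMPLE_LOG):
        print(f"{ts} {host} {user}: WinRAR -df on {', '.join(sources)}")
```

The same check can be fed from Sysmon event 1 or any EDR process-creation feed; the host and user fields are what an analyst would pivot on next.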
The Sandworm group, a Russian hacker group, is suspected of being behind the attack. The way the operation was carried out, the IP addresses used to gain access and the use of a modified version of RoarBAT are strikingly similar to the cyberattack on the Ukrainian state news agency “Ukrinform” earlier this year, which was attributed to Sandworm.
The attack relied on the ubiquity of WinRAR on modern PCs: the destructive step used a legitimate tool that was already present. Linux systems are exposed to the same technique, where a Bash script and the standard dd utility can achieve the same data destruction. CERT-UA advises all government organisations to tighten their VPN security by enabling multi-factor authentication.
This latest attack on Ukrainian government computers highlights the need for tighter cybersecurity measures. Multi-factor authentication should be enabled on all systems to prevent unauthorized access. It is also crucial to keep all software up to date and to install security patches as soon as possible to reduce the risk of cyberattacks.