Menu

  • Alerts
  • Incidents
  • News
  • APTs
  • Cyber Decoded
  • Cyber Hygiene
  • Cyber Review
  • Cyber Tips
  • Definitions
  • Malware
  • Threat Actors
  • Tutorials

Useful Tools

  • Password generator
  • Report an incident
  • Report to authorities
No Result
View All Result
CTF Hack Havoc
CyberMaterial
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
Hall of Hacks
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
No Result
View All Result
Hall of Hacks
CyberMaterial
No Result
View All Result
Home Alerts

Sandworm Behind Destructive Attacks

May 5, 2023
Reading Time: 2 mins read
in Alerts

Ukrainian Government Computer Emergency Response Team (CERT-UA) has issued a warning about destructive cyberattacks against Ukraine’s public sector by the Sandworm advanced persistent threat (APT) group, which has links to Russia.

Additionally, Sandworm has been active since 2000, operating under the control of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST). The group has used several names, including BlackEnergy, Iron Viking, TeleBots, UAC-0082 and Voodoo Bear.

It was responsible for the NotPetya ransomware attack that affected hundreds of companies worldwide in June 2017. In 2022, it used several wipers in attacks against Ukraine, including AwfulShred, CaddyWiper, HermeticWiper, Industroyer2, IsaacWiper, WhisperGate, Prestige, RansomBoggs and ZeroWipe.

Furthermore, the threat actors used compromised virtual private network (VPN) credentials to gain access to Ukraine’s public networks. CERT-UA began investigating the attack after receiving information about an attack on one of the state organizations of Ukraine’s industrial control systems.

Attackers used a BAT script called RoarBat to search for files with specific extensions and archive them using the legitimate WinRAR program. They used WinRAR with the “-df” option to delete the source file after being added to the archives.

At the same time, the script was run by a scheduled task that was created and centrally distributed by Group Policy. On Linux systems, the APT group used a Bash script with the “dd” utility to overwrite specific file types with zero bytes.

CERT-UA recommends that critical organizations in Ukraine use multi-factor authentication for VPN accounts, network segmentation, and filtering of incoming, outgoing, and inter-segment information flows.

Finally, it also provided Indicators of Compromise (IoCs) for these attacks. CERT-UA believes that the similarities between this attack and the one on Ukrinform, which was published on the Telegram channel “CyberArmyofRussia_Reborn” on January 17, 2023, suggest that the Sandworm group was responsible for the recent attacks, although it states that it only has a moderate level of confidence in its attribution. The CERT has created the identifier UAC-0165 to track the group’s activities.

Reference:
  • WinRAR as a “cyber weapon”. Destructive cyberattack UAC-0165 (probably Sandworm) on the state sector of Ukraine using RoarBat (CERT-UA#6550)
Tags: APTCERT-UACyber AlertCyber Alerts 2023Cyber AttacksMay 2023RussiaSandWormUkraine
ADVERTISEMENT

Related Posts

Fileless Remcos RAT Delivery Via LNK Files

APT28 RoundPress Webmail Hack Steals Emails

May 16, 2025
Fileless Remcos RAT Delivery Via LNK Files

FBI Warns of AI Voice Phishing Scams

May 16, 2025
Fileless Remcos RAT Delivery Via LNK Files

Fileless Remcos RAT Delivery Via LNK Files

May 16, 2025
HTTPBot DDoS Threat To Windows Systems

Horabot Malware Targets LatAm Via Phishing

May 15, 2025
HTTPBot DDoS Threat To Windows Systems

Google Patches Chrome Account Takeover Bug

May 15, 2025
HTTPBot DDoS Threat To Windows Systems

HTTPBot DDoS Threat To Windows Systems

May 15, 2025

Latest Alerts

Fileless Remcos RAT Delivery Via LNK Files

FBI Warns of AI Voice Phishing Scams

APT28 RoundPress Webmail Hack Steals Emails

Google Patches Chrome Account Takeover Bug

Horabot Malware Targets LatAm Via Phishing

HTTPBot DDoS Threat To Windows Systems

Subscribe to our newsletter

    Latest Incidents

    Hackers Target Swiss Reserve Power Plant

    Coinbase Insider Attack Exposed User Data

    Cyberattack Hits J Batista Group

    Dior Breach Exposes Asian Customer Data

    Australian Human Rights Body Files Leaked

    Nucor Cyberattack Halts Plants Networks

    CyberMaterial Logo
    • About Us
    • Contact Us
    • Jobs
    • Legal and Privacy Policy
    • Site Map

    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial