Menu

  • Alerts
  • Incidents
  • News
  • APTs
  • Cyber Decoded
  • Cyber Hygiene
  • Cyber Review
  • Cyber Tips
  • Definitions
  • Malware
  • Threat Actors
  • Tutorials

Useful Tools

  • Password generator
  • Report an incident
  • Report to authorities
No Result
View All Result
CTF Hack Havoc
CyberMaterial
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
Hall of Hacks
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
No Result
View All Result
Hall of Hacks
CyberMaterial
No Result
View All Result
Home Alerts

Sandworm Behind Destructive Attacks

May 5, 2023
Reading Time: 2 mins read
in Alerts

Ukrainian Government Computer Emergency Response Team (CERT-UA) has issued a warning about destructive cyberattacks against Ukraine’s public sector by the Sandworm advanced persistent threat (APT) group, which has links to Russia.

Additionally, Sandworm has been active since 2000, operating under the control of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST). The group has used several names, including BlackEnergy, Iron Viking, TeleBots, UAC-0082 and Voodoo Bear.

It was responsible for the NotPetya ransomware attack that affected hundreds of companies worldwide in June 2017. In 2022, it used several wipers in attacks against Ukraine, including AwfulShred, CaddyWiper, HermeticWiper, Industroyer2, IsaacWiper, WhisperGate, Prestige, RansomBoggs and ZeroWipe.

Furthermore, the threat actors used compromised virtual private network (VPN) credentials to gain access to Ukraine’s public networks. CERT-UA began investigating the attack after receiving information about an attack on one of the state organizations of Ukraine’s industrial control systems.

Attackers used a BAT script called RoarBat to search for files with specific extensions and archive them using the legitimate WinRAR program. They used WinRAR with the “-df” option to delete the source file after being added to the archives.

At the same time, the script was run by a scheduled task that was created and centrally distributed by Group Policy. On Linux systems, the APT group used a Bash script with the “dd” utility to overwrite specific file types with zero bytes.

CERT-UA recommends that critical organizations in Ukraine use multi-factor authentication for VPN accounts, network segmentation, and filtering of incoming, outgoing, and inter-segment information flows.

Finally, it also provided Indicators of Compromise (IoCs) for these attacks. CERT-UA believes that the similarities between this attack and the one on Ukrinform, which was published on the Telegram channel “CyberArmyofRussia_Reborn” on January 17, 2023, suggest that the Sandworm group was responsible for the recent attacks, although it states that it only has a moderate level of confidence in its attribution. The CERT has created the identifier UAC-0165 to track the group’s activities.

Reference:
  • WinRAR as a “cyber weapon”. Destructive cyberattack UAC-0165 (probably Sandworm) on the state sector of Ukraine using RoarBat (CERT-UA#6550)
Tags: APTCERT-UACyber AlertCyber Alerts 2023Cyber AttacksMay 2023RussiaSandWormUkraine
ADVERTISEMENT

Related Posts

GreedyBear Steals $1M via Firefox Add-ons

GreedyBear Steals $1M via Firefox Add-ons

August 8, 2025
GreedyBear Steals $1M via Firefox Add-ons

Fake WhatsApp Libraries Hide Wipers

August 8, 2025
GreedyBear Steals $1M via Firefox Add-ons

SocGholish Spreads via Ads to Gangs

August 8, 2025
Critical Bugs Found in Dell Firmware

HTA Malware Uses Court Summons Lures

August 7, 2025
Critical Bugs Found in Dell Firmware

ClickFix Uses CAPTCHAs to Spread Malware

August 7, 2025
Critical Bugs Found in Dell Firmware

Critical Bugs Found in Dell Firmware

August 7, 2025

Latest Alerts

Fake WhatsApp Libraries Hide Wipers

GreedyBear Steals $1M via Firefox Add-ons

SocGholish Spreads via Ads to Gangs

Critical Bugs Found in Dell Firmware

HTA Malware Uses Court Summons Lures

ClickFix Uses CAPTCHAs to Spread Malware

Subscribe to our newsletter

    Latest Incidents

    Clinical Data Stolen from DaVita

    US Federal Court Filing System Hacked

    Air France, KLM Hit by Third-Party Hack

    PBS Data Breach Leaks Employee Info

    Phishing Scam Costs NYC Firm $19M

    Bouygues Telecom Hit by Cyberattack

    CyberMaterial Logo
    • About Us
    • Contact Us
    • Jobs
    • Legal and Privacy Policy
    • Site Map

    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial