Menu

  • Alerts
  • Incidents
  • News
  • APTs
  • Cyber Decoded
  • Cyber Hygiene
  • Cyber Review
  • Cyber Tips
  • Definitions
  • Malware
  • Threat Actors
  • Tutorials

Useful Tools

  • Password generator
  • Report an incident
  • Report to authorities
No Result
View All Result
CTF Hack Havoc
CyberMaterial
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
Hall of Hacks
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
No Result
View All Result
Hall of Hacks
CyberMaterial
No Result
View All Result
Home Alerts

Sandworm Behind Destructive Attacks

May 5, 2023
Reading Time: 2 mins read
in Alerts

Ukrainian Government Computer Emergency Response Team (CERT-UA) has issued a warning about destructive cyberattacks against Ukraine’s public sector by the Sandworm advanced persistent threat (APT) group, which has links to Russia.

Additionally, Sandworm has been active since 2000, operating under the control of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST). The group has used several names, including BlackEnergy, Iron Viking, TeleBots, UAC-0082 and Voodoo Bear.

It was responsible for the NotPetya ransomware attack that affected hundreds of companies worldwide in June 2017. In 2022, it used several wipers in attacks against Ukraine, including AwfulShred, CaddyWiper, HermeticWiper, Industroyer2, IsaacWiper, WhisperGate, Prestige, RansomBoggs and ZeroWipe.

Furthermore, the threat actors used compromised virtual private network (VPN) credentials to gain access to Ukraine’s public networks. CERT-UA began investigating the attack after receiving information about an attack on one of the state organizations of Ukraine’s industrial control systems.

Attackers used a BAT script called RoarBat to search for files with specific extensions and archive them using the legitimate WinRAR program. They used WinRAR with the “-df” option to delete the source file after being added to the archives.

At the same time, the script was run by a scheduled task that was created and centrally distributed by Group Policy. On Linux systems, the APT group used a Bash script with the “dd” utility to overwrite specific file types with zero bytes.

CERT-UA recommends that critical organizations in Ukraine use multi-factor authentication for VPN accounts, network segmentation, and filtering of incoming, outgoing, and inter-segment information flows.

Finally, it also provided Indicators of Compromise (IoCs) for these attacks. CERT-UA believes that the similarities between this attack and the one on Ukrinform, which was published on the Telegram channel “CyberArmyofRussia_Reborn” on January 17, 2023, suggest that the Sandworm group was responsible for the recent attacks, although it states that it only has a moderate level of confidence in its attribution. The CERT has created the identifier UAC-0165 to track the group’s activities.

Reference:
  • WinRAR as a “cyber weapon”. Destructive cyberattack UAC-0165 (probably Sandworm) on the state sector of Ukraine using RoarBat (CERT-UA#6550)
Tags: APTCERT-UACyber AlertCyber Alerts 2023Cyber AttacksMay 2023RussiaSandWormUkraine
ADVERTISEMENT

Related Posts

Sothebys Data Breach Exposes Customers

Microsoft Pulls 200 Suspicious Certificates

October 17, 2025
Sothebys Data Breach Exposes Customers

NK Hackers Hide Malware In Blockchain

October 17, 2025
Sothebys Data Breach Exposes Customers

Hackers Spread Malware With Blockchain

October 17, 2025

Fortinet And Ivanti Patch Severe Flaws

October 16, 2025

Malicious VSCode Extensions Steal Crypto

October 16, 2025

Fake Password Manager Hijack PCs

October 16, 2025

Latest Alerts

Microsoft Pulls 200 Suspicious Certificates

NK Hackers Hide Malware In Blockchain

Hackers Spread Malware With Blockchain

Fortinet And Ivanti Patch Severe Flaws

Malicious VSCode Extensions Steal Crypto

Fake Password Manager Hijack PCs

Subscribe to our newsletter

    Latest Incidents

    Pro Hamas Hackers Target Airport Speakers

    Prosper Breach Hits 17 Million Accounts

    Sothebys Data Breach Exposes Customers

    F5 Reports Hackers Stole Source Code

    YouTube Down Globally With Playback Errors

    Spanish Retailer Mango Discloses Breach

    CyberMaterial Logo
    • About Us
    • Contact Us
    • Jobs
    • Legal and Privacy Policy
    • Site Map

    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial