Ukrainian Government Computer Emergency Response Team (CERT-UA) has issued a warning about destructive cyberattacks against Ukraine’s public sector by the Sandworm advanced persistent threat (APT) group, which has links to Russia.
Additionally, Sandworm has been active since 2000, operating under the control of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST). The group has used several names, including BlackEnergy, Iron Viking, TeleBots, UAC-0082 and Voodoo Bear.
It was responsible for the NotPetya ransomware attack that affected hundreds of companies worldwide in June 2017. In 2022, it used several wipers in attacks against Ukraine, including AwfulShred, CaddyWiper, HermeticWiper, Industroyer2, IsaacWiper, WhisperGate, Prestige, RansomBoggs and ZeroWipe.
Furthermore, the threat actors used compromised virtual private network (VPN) credentials to gain access to Ukraine’s public networks. CERT-UA began investigating the attack after receiving information about an attack on one of the state organizations of Ukraine’s industrial control systems.
Attackers used a BAT script called RoarBat to search for files with specific extensions and archive them using the legitimate WinRAR program. They used WinRAR with the “-df” option to delete the source file after being added to the archives.
At the same time, the script was run by a scheduled task that was created and centrally distributed by Group Policy. On Linux systems, the APT group used a Bash script with the “dd” utility to overwrite specific file types with zero bytes.
CERT-UA recommends that critical organizations in Ukraine use multi-factor authentication for VPN accounts, network segmentation, and filtering of incoming, outgoing, and inter-segment information flows.
Finally, it also provided Indicators of Compromise (IoCs) for these attacks. CERT-UA believes that the similarities between this attack and the one on Ukrinform, which was published on the Telegram channel “CyberArmyofRussia_Reborn” on January 17, 2023, suggest that the Sandworm group was responsible for the recent attacks, although it states that it only has a moderate level of confidence in its attribution. The CERT has created the identifier UAC-0165 to track the group’s activities.
