WinRAR Weaponized by Hacker Group Against Ukraine State Organizations

Suspected Russian hackers have disrupted governmental agencies in Ukraine by wiping documents and other data. According to a news release by the Ukrainian Government Computer Emergency Response Team (CERT-UA), spotted by Bleeping Computer, compromised government VPN logins were used to run the RoarBAT script on government PCs.

RoarBAT is a batch file that leverages the legitimate WinRAR app to search for and archive files, then delete them, and then delete the archive. Linux systems aren't immune and can be similarly fouled up using a Bash script and the standard dd utility.
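As an added defender-side example (not part of the article or of the CERT-UA bulletin), the Python below correlates constructed process-creation events and flags the sequence described above: one parent process launches WinRAR to archive files and later deletes the archive it produced. The event layout, paths and command lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed process-creation events (ts, pid, ppid, image, command line),
# loosely shaped like Sysmon Event ID 1 data. Illustrative only; none of these
# paths or commands are taken from the CERT-UA bulletin.
EVENTS = [
    (1, 400, 100, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Users\Public\task.bat"'),
    (2, 401, 400, r"C:\Program Files\WinRAR\Rar.exe", r'Rar.exe a -r "C:\Users\Public\out.rar" C:\Users\*.docx'),
    (3, 402, 400, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c del /q "C:\Users\Public\out.rar"'),
    # Benign: an archive is created but never deleted by the same parent.
    (4, 500, 100, r"C:\Program Files\WinRAR\Rar.exe", r"Rar.exe a backup.rar C:\Data\reports"),
    # Benign: a .rar is deleted, but this parent never created it.
    (5, 600, 100, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c del old.rar"),
]

RAR_IMAGE = re.compile(r"\\(win)?rar\.exe$", re.I)                  # Rar.exe / WinRAR.exe
RAR_ADD = re.compile(r'rar\.exe\s+a\b.*?\s"?([^\s"]+\.rar)\b', re.I)  # 'a' = add to archive
DEL_CMD = re.compile(r'\b(?:del|erase)\b.*?"?([^\s"]+\.rar)\b', re.I)  # cmd.exe delete of a .rar


def find_archive_then_delete(events):
    """Return (ppid, archive) pairs where one parent process first launches a
    WinRAR add-to-archive command and later deletes that same archive."""
    by_parent = defaultdict(list)
    for ev in sorted(events):          # order by timestamp
        by_parent[ev[2]].append(ev)
    hits = []
    for ppid, children in by_parent.items():
        created = {}                   # archive path (lower-cased) -> creation ts
        for ts, _pid, _ppid, image, cmdline in children:
            if RAR_IMAGE.search(image):
                m = RAR_ADD.search(cmdline)
                if m:
                    created[m.group(1).lower()] = ts
                continue
            m = DEL_CMD.search(cmdline)
            if m:
                key = m.group(1).lower()
                if key in created and ts > created[key]:
                    hits.append((ppid, m.group(1)))
    return hits


if __name__ == "__main__":
    for ppid, archive in find_archive_then_delete(EVENTS):
        print(f"ALERT: parent pid {ppid} archived files and then deleted {archive}")
```

The correlation key is the parent process, which for a batch-driven wiper is the cmd.exe interpreter running the script, so the archive and delete steps land under the same ppid.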

The hackers involved are strongly suspected to be from the Russia-based Sandworm group. Infiltration success probably stemmed from Sandworm members being able to log into Ukraine government systems using VPNs that weren't very well secured. In the news bulletin, CERT-UA reminds users to enable multi-factor authentication (MFA) on all the accounts they use to access data.

(Image credit: CERT-UA)

Ukraine's CERT-UA notes that the attack described above is similar in some ways to the destructive file-wiping rampage inflicted upon the Ukrainian state news agency "Ukrinform" earlier this year. That attack was also attributed to Sandworm.

Mark Tyson
News Editor

Mark Tyson is a news editor at Tom's Hardware. He enjoys covering the full breadth of PC tech; from business and semiconductor design to products approaching the edge of reason.