Ukrainian state network data erased with WinRAR in Sandworm attack

Russian advanced persistent threat group Sandworm has leveraged the WinRAR archiving program to destroy data on Windows and Linux machines in Ukraine's state networks, reports BleepingComputer. Ukraine's critical systems have been accessed through compromised VPN accounts, with WinRAR then used to enable scripts for wiping machine-stored files, according to a new advisory from the Ukrainian Government Computer Emergency Response Team. Sandworm was noted to have used the "RoarBat" script on Windows systems to delete different file types, including docx, xlsx, and exe, while a Bash script was leveraged on Linux systems. Such an incident resembles Sandworm's attack on Ukrainian state news agency Ukrinform in January, noted CERT-UA. "The method of implementation of the malicious plan, the IP addresses of the access subjects, as well as the fact of using a modified version of RoarBat testify to the similarity with the cyberattack on Ukrinform, information about which was published in the Telegram channel "CyberArmyofRussia_Reborn" on January 17, 2023," said the CERT-UA advisory.