Ukraine’s government emergency response team (CERT-UA) detected a cyberattack against an unnamed government organization seeking to disable server equipment, user workstations and data storage systems.
CERT-UA has linked this attack to Sandworm (UAC-0165), a threat actor believed to be one of Russia's military cyber units. The team said the recent attack used a combination of BAT and Bash scripts to destroy files on both Windows and Linux machines.
On Windows systems the threat actor leveraged RoarBat, a BAT script designed to search for files of certain types, archive them using the legitimate WinRAR software and then delete both the original files and the archive.
On Linux machines Sandworm used a Bash script and the “dd” utility to overwrite each file's contents with zero bytes.
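The two patterns above (WinRAR invoked from a batch script to archive and delete, and dd zero-filling regular files) are the kind of thing a defender can hunt for in process-execution telemetry. The following is an added example, not code from CERT-UA's report; the log records are constructed, and the RAR `-df` (delete files after archiving) switch is an assumption about how a script would chain "archive then delete", since the report does not quote the script.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    host_os: str
    target: str


# Constructed sample process-execution records: (host_os, parent_image, command_line).
# Not taken from the incident; they only illustrate the two destructive patterns.
SAMPLE_EVENTS = [
    ("windows", "cmd.exe", r'"C:\Program Files\WinRAR\WinRAR.exe" a -r -df C:\Temp\out.rar C:\Data\*.docx'),
    ("windows", "explorer.exe", r'"C:\Program Files\WinRAR\WinRAR.exe" a C:\Users\u\report.rar C:\Users\u\report.docx'),
    ("linux", "bash", "dd if=/dev/zero of=/var/lib/db/data.ibd bs=1M"),
    ("linux", "bash", "dd if=backup.img of=/dev/sdb bs=4M status=progress"),
    ("linux", "bash", "dd if=/dev/zero of=/dev/sdc bs=1M count=10"),
]

# "winrar.exe a <switches/paths>": the RAR archive command line.
WINRAR_RE = re.compile(r'winrar\.exe"?\s+a\b(?P<args>.*)', re.IGNORECASE)
# "dd if=/dev/zero ... of=<target>": zero-filling something.
DD_ZERO_RE = re.compile(r"\bdd\b.*\bif=/dev/zero\b.*\bof=(?P<target>\S+)")


def analyse(host_os, parent, cmdline):
    """Return a Finding if one process record matches a wiper-like pattern, else None."""
    if host_os == "windows":
        m = WINRAR_RE.search(cmdline)
        if m:
            args = m.group("args").split()
            # Archive-and-delete (-df, assumed switch) launched by cmd.exe, i.e. from
            # a script rather than interactively, is the RoarBat-like shape.
            if "-df" in args and parent.lower() == "cmd.exe":
                return Finding("winrar-archive-and-delete", host_os, args[-1])
    elif host_os == "linux":
        m = DD_ZERO_RE.search(cmdline)
        if m:
            target = m.group("target")
            # Zero-filling a regular file path matches the Bash wiper; zeroing a
            # block device is routine admin work and is left to other rules.
            if not target.startswith("/dev/"):
                return Finding("dd-zero-overwrite", host_os, target)
    return None


def scan(events):
    """Run analyse() over a list of records and return the findings."""
    return [f for f in (analyse(*e) for e in events) if f]
```

Running `scan(SAMPLE_EVENTS)` flags the scripted WinRAR call and the dd overwrite of the database file, and leaves the interactive archive and the device-level dd runs alone.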
CERT-UA says that the threat actor gained initial access to the victim’s systems through the VPN service using compromised credentials. The team has also noted that this attack is similar to another destructive Sandworm operation that targeted Ukrainian state news agency Ukrinform in January 2023 with at least five malware wipers, including CaddyWiper (Windows), ZeroWipe (Windows), SDelete (Windows), AwfulShred (Linux), and BidSwipe (FreeBSD).
Earlier this week, CERT-UA detailed a phishing campaign orchestrated by a Russia-linked threat actor known as APT28, which targeted Ukrainian government organizations with fake ‘Windows Update’ guides.