Ukraine warns of Russian-linked Sandworm APT cyberattacks on public sector

The hacking group is also known as BlackEnergy, UAC-0082, Iron Viking, Voodoo Bear and Telebots.


The Ukrainian government’s Computer Emergency Response Team (CERT-UA) has warned about destructive cyberattacks against Ukrainian government networks, attributing the attacks to the Russian-linked Sandworm APT group with moderate confidence. 

The alert notes that ‘the performance of electronic computing machines (server equipment, automated user workstations, data storage systems) was impaired as a result of the destructive influence carried out using the appropriate software.’

According to CERT-UA, the threat actors accessed Ukraine’s public networks using compromised VPN credentials. Hackers then deployed RoarBat, a script that recursively searches for files matching a specified list of extensions (.doc, .docx, .rtf, .txt, .xls, .xlsx, .ppt, .pptx, .vsd, .vsdx, .pdf, .png, .jpeg, .jpg, .zip, .rar, .7z, .mp4, .sql, .php, .vbk, .vib, .vrb, .p7s and .sys, .dll, .exe, .bin, .dat) and archives them using the legitimate WinRAR program with the ‘-df’ option, which deletes the source file. The script in question was run by a scheduled task.
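Because the destructive step relies on a legitimate archiver, defenders can look for it in process-creation telemetry. The following detection sketch is an added example, not part of the CERT-UA alert or of RoarBat itself; the event field names (`host`, `command_line`), hosts and paths are constructed for illustration.

```python
import ntpath
import shlex

ARCHIVERS = {"winrar.exe", "rar.exe"}  # WinRAR GUI and console binaries

def split_command_line(command_line):
    """Split a Windows command line into tokens with surrounding quotes removed."""
    try:
        parts = shlex.split(command_line, posix=False)  # keeps backslashes intact
    except ValueError:                                  # unbalanced quote in the log
        parts = command_line.split()
    return [p.strip('"') for p in parts]

def uses_delete_after_archive(command_line):
    """True when a WinRAR binary is started with the -df switch."""
    parts = split_command_line(command_line)
    if not parts or ntpath.basename(parts[0]).lower() not in ARCHIVERS:
        return False
    for arg in parts[1:]:
        if arg == "--":           # end of switches: what follows are file names
            return False
        if arg.lower() == "-df":  # compared in lower case so a case variant is not missed
            return True
    return False

def flag_events(events):
    """Return the events whose command line archives with source deletion."""
    return [e for e in events if uses_delete_after_archive(e["command_line"])]

# Constructed process-creation records (hosts, paths and field names are made up).
SAMPLE_EVENTS = [
    {"host": "ws-01", "command_line": r'"C:\Program Files\WinRAR\WinRAR.exe" a -df "D:\share\report.docx.rar" "D:\share\report.docx"'},
    {"host": "srv-02", "command_line": r"rar.exe a -DF -y backup.rar notes.txt"},
    {"host": "ws-03", "command_line": r'"C:\Program Files\WinRAR\WinRAR.exe" a "D:\backup\docs.rar" "D:\docs"'},
    {"host": "ws-04", "command_line": r"rar.exe a archive.rar -- -df"},
    {"host": "ws-05", "command_line": r"powershell.exe -df"},
]

if __name__ == "__main__":
    for event in flag_events(SAMPLE_EVENTS):
        print(event["host"], event["command_line"])
```

A hit is a lead rather than a verdict, since administrators also use ‘-df’ in legitimate backup jobs; correlating it with an unexpected scheduled task narrows the results.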

CERT-UA is urging critical organisations in Ukraine to implement multifactor authentication for VPN accounts, network segmentation, and filtering of information flows inbound, outbound, and between segments.

The Sandworm group has been active since 2000 and reportedly operates under the control of the Russian GRU’s 74455 division of the Main Center for Special Technologies (GTsST). It is most notably the author of the NotPetya ransomware.