Computer attacks have been a constant since the start of the war between Russia and Ukraine. Both sides have carried out several hacks aimed at disrupting the enemy's plans, but a rather peculiar case has now come to light. According to Tom's Hardware, Russian hackers used WinRAR to attack Ukrainian government agencies and wipe large numbers of files from their computers.
The Computer Emergency Response Team of Ukraine (CERT-UA) has confirmed the incident. According to the cybersecurity agency, the hackers managed to gain access to some of the most important government systems in order to destroy the data stored on their computers. The weapon of choice was none other than the popular WinRAR file compression software.
But how could Russian hackers use WinRAR for this purpose? As the experts explained, the attackers got into Ukrainian government systems using VPN accounts that had been compromised beforehand and were not protected by multi-factor authentication.
Russian hackers turn WinRAR into a weapon against Ukraine
After gaining access to the Ukrainian computers, the cybercriminals were able to abuse the legitimate WinRAR installation on the affected PCs to delete the targeted files. On Windows computers, the hackers ran a modified version of a script called RoarBAT. This is a batch file that searches specific drives and directories for a wide range of file types.
Among the targeted formats are Word documents (.doc or .docx), Excel spreadsheets (.xls or .xlsx), images (.jpg, .png, etc.), PDF files, multimedia material (.mp4), compressed files (.zip, .rar, .7z) and even executables (.exe), among many others.
When the Russian hackers found the files they intended to delete, they passed them to WinRAR for archiving. The key point is that they did so with the "-df" switch, via the Windows command line. With this switch, every original file is deleted as it is added to the archive, and the script then deleted the resulting archive as well. The malicious actors are thus believed to have destroyed a large amount of information, although the actual scope of the breach has not been disclosed.
Deleting files in bulk
But the attack was not limited to computers running Microsoft's operating system and WinRAR. On computers running Linux distributions, the hackers used a Bash script to carry out the attack. Once they had found the documents to delete, they used the "dd" command to overwrite their contents with zero bytes.
Ukrainian cybersecurity experts indicated that both the WinRAR and the Bash script attacks could have been prevented, specifically if the government agencies' login credentials had been protected with multi-factor authentication. Based on the IP addresses used and the way the attack was carried out, the Ukrainians attribute it to Russian hackers from the Sandworm group.
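A detection check for the two patterns described above (WinRAR invoked with the -df switch, and dd zero-filling regular files), as an added Python example that is not part of the original article or of CERT-UA's report; the process events, hostnames and file paths are constructed sample data.

```python
import re
from dataclasses import dataclass

# Process-creation records as a SIEM might normalise them. These are constructed
# sample events for this example, not real CERT-UA telemetry.
@dataclass
class ProcEvent:
    host: str
    image: str
    cmdline: str

SAMPLE_EVENTS = [
    ProcEvent("ws-01", r"C:\Program Files\WinRAR\Rar.exe",
              r'Rar.exe a -r -df -y C:\Temp\out.rar "C:\Users\Public\*.docx"'),
    ProcEvent("ws-02", r"C:\Program Files\WinRAR\WinRAR.exe",
              r"WinRAR.exe a -r C:\Temp\backup.rar D:\Reports\*.xlsx"),
    ProcEvent("srv-03", "/usr/bin/dd",
              "dd if=/dev/zero of=/var/www/data/report.pdf bs=1M"),
    ProcEvent("srv-04", "/usr/bin/dd",
              "dd if=/dev/zero of=/dev/sdb bs=4M status=progress"),
]

RAR_IMAGES = {"rar.exe", "winrar.exe"}

def _tokens(cmdline):
    # Split on whitespace but keep double-quoted arguments intact; good enough
    # for both Windows and POSIX command lines in this example.
    return re.findall(r'"[^"]*"|\S+', cmdline)

def classify(event):
    """Return a reason string if the event matches a wiper pattern, else None."""
    image = event.image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    toks = _tokens(event.cmdline)
    if image in RAR_IMAGES:
        # -df makes RAR delete the source files once archived; compare
        # case-insensitively so -DF is caught as well.
        switches = {t.lower() for t in toks if t.startswith("-")}
        if "-df" in switches:
            return "winrar archive-and-delete (-df) of user files"
    if image == "dd":
        opts = dict(t.split("=", 1) for t in toks if "=" in t)
        src, dst = opts.get("if", ""), opts.get("of", "")
        # Zero-filling a regular file (not a block device) is the wiper pattern.
        if src == "/dev/zero" and dst and not dst.startswith("/dev/"):
            return f"dd zero-overwrite of regular file {dst}"
    return None

def detect_wiper_commands(events):
    # (host, reason) pairs for matching events, in input order
    return [(ev.host, r) for ev in events if (r := classify(ev))]
```

Plain backups with WinRAR (ws-02) and disk imaging with dd onto a block device (srv-04) are left alone, so the check fires on the destructive combinations rather than on the tools themselves.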