Share this article on:
The Ukrainian Computer Emergency Response Team was alerted to a breach in the information and communications systems within a government agency, determining that computers had been “impaired” by the malicious script.
The script, RoarBat, is believed to search for files on specific extensions before archiving them on WinRAR.
CERT-AU then explained that the malicious script then enables “deletion of the source file, as well as subsequent deletion of the created archives”.
The Response Team expects that the script was injected when threat actors were able to connect to a VPN with compromised authentication information.
It is not the first time that the malicious script has created problems for Ukraine.
According to the Response Team, the file has the same hallmarks as an attack by the Sandworm group against Ukrinform in January, including the method of implementation, the IP addresses and the use of RoarBat.
The Response Team identified poor multifactor authentication practices for enabling the attack.
“Please note that the successful implementation of the attack was facilitated by the lack of multifactor authentication when making remote VPN connections, the lack of network segmentation and filtering of incoming, outgoing and inter-segment information flows,” a release from CERT-UA read.
“Once again, we urge responsible employees of organisations not to ignore reports of signs of abnormal activity and to take immediate measures to reduce ‘surface’ attacks: analyse and secure the organisation’s ‘external’ ICS perimeter (eliminate vulnerabilities, disable services, limit access to management interfaces, etc.).
“Ensure filtering incoming, outgoing, inter-segment information flows according to the principle ‘everything that is clearly not allowed is prohibited’ and introduce the use of multifactor authentication when providing remote access to ICS (VPN) and/or corporate services, such as e-mail, document management, and others.”
Just last month, the head of Ukraine’s Department of Cyber Information Security — part of the Security Service of Ukraine — poured cold water on assumptions that many Russian hacking groups are hacktivists taking part in the online war out of loyalty to the state.
“More than 90 per cent of all cyber attacks targeting Ukraine are either conducted by special services or by state-sponsored groups,” Illia Vitiuk told CyberScoop, while speaking at this week’s RSA Conference in San Francisco. “I do believe that there is no so-called ‘hacktivism’ in Russia at all.”
Vitiuk believes that the arrests of a number of prominent hackers in the lead-up to the invasion were simply intimidation.
“This was an attempt to intimidate them and others to show that you need to work for us,” Vitiuk said. “And now you need to work against Ukraine.”
This has led to arrested hackers offering to work for the government and even “donating” their profits to support “humanitarian aid” in Russian-occupied parts of Ukraine. Many of these hackers are “young but talented people searching for easy money”, Vitiuk said. Other hackers are motivated by wanting to avoid jail time.
“You attack, and we won’t put you into prison,” according to Vitiuk.
Vitiuk even believes that the Russian GRU is taking advantage of hacking groups’ Telegram channels to announce its own operations. Groups such as Sandworm — a cyber warfare unit within the GRU — even use fake hacking groups to launder stolen data.
However, Ukrainian hacking groups are volunteering to join the fight rather than being coerced, Vitiuk said.
“There were some people that were previously involved and even convicted for hacker activity in Ukraine that came to us and said, ‘Now we are fighting with you against Russia, what should we do?’,” he said.