{
	"id": "291b4c53-48f4-4d73-ace1-dd70feea003f",
	"created_at": "2026-04-06T00:15:29.23025Z",
	"updated_at": "2026-04-10T13:12:59.61457Z",
	"deleted_at": null,
	"sha1_hash": "1c8d51997a48be6546fc0e4a48c010a4091bafbb",
	"title": "Russian hackers use WinRAR to wipe Ukraine state agency's data",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3499773,
	"plain_text": "Russian hackers use WinRAR to wipe Ukraine state agency's data\r\nBy Bill Toulas\r\nPublished: 2023-05-03 · Archived: 2026-04-05 16:59:49 UTC\r\nThe Russian 'Sandworm' hacking group has been linked to an attack on Ukrainian state networks where WinRAR was used to destroy data on government devices.\r\nIn a new advisory, the Ukrainian Government Computer Emergency Response Team (CERT-UA) says the Russian hackers used compromised VPN accounts that weren't protected with multi-factor authentication to access critical systems in Ukrainian state networks.\r\nOnce they gained access to the network, they employed scripts that wiped files on Windows and Linux machines using the WinRAR archiving program.\r\nOn Windows, the BAT script used by Sandworm is 'RoarBat,' which searches disks and specific directories for filetypes such as doc, docx, rtf, txt, xls, xlsx, ppt, pptx, vsd, vsdx, pdf, png, jpeg, jpg, zip, rar, 7z, mp4, sql, php, vbk, vib, vrb, p7s, sys, dll, exe, bin, and dat, and archives them using the WinRAR program.\r\nhttps://www.bleepingcomputer.com/news/security/russian-hackers-use-winrar-to-wipe-ukraine-state-agencys-data/\r\nPage 1 of 4\r\nRoarBat searching for specified filetypes on all drives (CERT-UA)\r\nHowever, when WinRAR is executed, the threat actors use the \"-df\" command-line option, which automatically deletes files as they are archived. The archives themselves were then deleted, effectively deleting the data on the device.\r\nCERT-UA says RoarBat is run through a scheduled task created and centrally distributed to devices on the Windows domain using group policies.\r\nScheduled task set to run the BAT script (CERT-UA)\r\nOn Linux systems, the threat actors used a Bash script instead, which employed the \"dd\" utility to overwrite target file types with zero bytes, erasing their contents. Due to this data replacement, recovery for files \"emptied\" using the dd tool is unlikely, if not entirely impossible.\r\nAs both the 'dd' command and WinRAR are legitimate programs, the threat actors likely used them to bypass detection by security software.\r\nCERT-UA says the incident is similar to another destructive attack that hit the Ukrainian state news agency \"Ukrinform\" in January 2023, also attributed to Sandworm.\r\n\"The method of implementation of the malicious plan, the IP addresses of the access subjects, as well as the fact of using a modified version of RoarBat testify to the similarity with the cyberattack on Ukrinform, information about which was published in the Telegram channel \"CyberArmyofRussia_Reborn\" on January 17, 2023,\" reads the CERT-UA advisory.\r\nCERT-UA recommends that all critical organizations in the country reduce their attack surface, patch flaws, disable unneeded services, limit access to management interfaces, and monitor their network traffic and logs.\r\nAs always, VPN accounts that allow access to corporate networks should be protected with multi-factor authentication.\r\nSource: https://www.bleepingcomputer.com/news/security/russian-hackers-use-winrar-to-wipe-ukraine-state-agencys-data/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/russian-hackers-use-winrar-to-wipe-ukraine-state-agencys-data/"
	],
	"report_names": [
		"russian-hackers-use-winrar-to-wipe-ukraine-state-agencys-data"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434529,
	"ts_updated_at": 1775826779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1c8d51997a48be6546fc0e4a48c010a4091bafbb.pdf",
		"text": "https://archive.orkl.eu/1c8d51997a48be6546fc0e4a48c010a4091bafbb.txt",
		"img": "https://archive.orkl.eu/1c8d51997a48be6546fc0e4a48c010a4091bafbb.jpg"
	}
}