Simultaneously, Linux systems were compromised using a bash script that took advantage of the dd utility to overwrite files with zeros, effectively avoiding detection by security software.

“It has been found that the operability of electronic computers (server equipment, automated user workstations, data storage systems) has been impaired as a result of destructive impact made with the use of the appropriate software,” CERT-UA said.

“Access to the ICS target of the attack would have been achieved by connecting to a VPN using compromised authentication data. The successful implementation of the attack was facilitated by the lack of multi-factor authentication during remote connections to the VPN.”

The agency also attributed UAC-0165, with moderate confidence, to the well-known Sandworm group (also known as FROZENBARENTS, Seashell Blizzard, or Voodoo Bear), which has a history of wiper attacks since the outbreak of the Russo-Ukrainian war last year.

The connection with Sandworm derives from significant similarities with another destructive attack that hit the Ukrainian state news agency Ukrinform in January 2023, which has been associated with the adversary collective.

The alerts come a week after CERT-UA warned of phishing attacks carried out by the Russian state-sponsored APT28 group, which has been targeting government bodies in the country with fake Windows update alerts.

When not even the organizations are prepared

An interesting observation can be drawn from this article: very often not even high-level political organizations are well versed in information security, let alone the average user.

Unfortunately, not all of us are CERT-UA, and in a computerized world everyone should learn at least the basics of what happens on the internet, regardless of the type of work they do.

But the problem lies right here: if institutions are often not prepared in IT, it is very difficult for users to be prepared unless they take the initiative on their own.