Targeting of the Ukrainian public sector

Date of report

May 2023

Affiliations

Sandworm

The Russian threat group Sandworm was observed destroying data on Ukrainian state networks using a malicious script, RoarBat. Sandworm gained initial access to the networks by compromising VPN accounts that lacked two-factor authentication.

Suspected victims

Ukraine’s public networks

Suspected state sponsor

Russian Federation

Type of incident

Data destruction

Target category

Government

Victim government reaction

Policy response

Confirmation

Suspected state sponsor response

Unknown

Reverting UAC-0006: Mass distribution of SmokeLoader using "accounts" theme (CERT-UA#6613)
Russia-linked Sandworm APT uses WinRAR in destructive attacks on Ukraine’s public sector

Cyber Operations Tracker

CFR.org

Topics

Regions

Explainers

Research & Analysis

Communities

Events