Ethical Hacking News
Russian hackers, likely linked to the notorious Sandworm group, have employed Living-Off-The-Land tactics against Ukrainian targets, exploiting legitimate tools to gain initial access and establish a persistent presence on compromised networks. The attackers utilized webshells, scheduled tasks, and PowerShell backdoors to steal data and maintain control over the systems.
Threat actors routinely compromise organizations by abusing tools that are already present on the victim's network. In a recent case, Russian hackers, likely linked to the notorious Sandworm group, were observed employing Living-Off-The-Land (LOTL) tactics against Ukrainian targets.
According to a report published by Symantec and Carbon Black, these threat actors targeted several Ukrainian firms using LOTL tactics and dual-use tools to steal data and maintain their presence on the networks. This approach allowed them to evade detection and minimize the footprint left behind.
The attackers initially infiltrated a major business services firm for two months and a local government organization for a week. They gained initial access with webshells such as Localolive, planted through exploited vulnerabilities. Microsoft had previously linked Localolive to the Sandworm group; here it served as the entry point for further malicious activity.
The custom webshell enabled the attackers to execute commands, upload files, and establish a persistent presence on the networks. This approach allowed them to maintain control over the compromised systems without leaving behind significant evidence of their presence.
Symantec observed that the first signs of intrusion began on June 27, 2025, when attackers installed a webshell via curl and ran reconnaissance tools to gather information about the system. They disabled Defender scans for the Downloads folder, created scheduled tasks to dump memory, and exported registry hives to harvest credentials.
Over the following days, the attackers enumerated files and processes, created recurring minidump tasks, and used rdrleakdiag to take full memory dumps. They ran suspicious executables from the Downloads folder (service.exe, cloud.exe), deployed OpenSSH, enabled RDP and the corresponding firewall rules, and added a firewall rule for SSH. A persistent PowerShell backdoor was also scheduled to run every 30 minutes.
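From the defender's side, the steps above translate directly into process-creation telemetry that can be checked for. The following Python snippet is an added example (not part of the original report or Symantec's tooling): it encodes the observed LOTL actions as simple command-line detection rules and runs them over constructed sample events. Rule names, the sample paths and PIDs, and the exact rdrleakdiag switches are assumptions.

```python
import re

# Assumption: each event is a process-creation record (Sysmon EventID 1 or
# Windows 4688) reduced to its command line. Each rule mirrors one LOTL step
# from the report: Defender exclusion on Downloads, recurring scheduled tasks
# launching PowerShell, registry hive export, rdrleakdiag memory dumps,
# binaries run from Downloads, and firewall rules opening RDP or SSH.
RULES = {
    "defender_exclusion_downloads": re.compile(
        r"(Add|Set)-MpPreference.*-ExclusionPath.*Downloads", re.I),
    "recurring_task_powershell": re.compile(
        r"schtasks(\.exe)?\s+/create.*(/sc\s+minute|/mo\s+\d+).*powershell", re.I),
    "registry_hive_export": re.compile(
        r"reg(\.exe)?\s+save\s+hklm\\(sam|system|security)", re.I),
    "rdrleakdiag_memory_dump": re.compile(r"\brdrleakdiag(\.exe)?\b", re.I),
    "exec_from_downloads": re.compile(r"\\Downloads\\[^\\\s]+\.exe", re.I),
    "firewall_rule_rdp_ssh": re.compile(
        r"netsh\s+advfirewall\s+firewall\s+add\s+rule.*localport=(3389|22)\b", re.I),
}


def triage(command_lines):
    """Return (rule_name, command_line) pairs for every rule a command line matches."""
    hits = []
    for cmd in command_lines:
        for name, pattern in RULES.items():
            if pattern.search(cmd):
                hits.append((name, cmd))
    return hits


# Constructed sample command lines (not real telemetry), modelled on the report.
SAMPLE_EVENTS = [
    r'powershell.exe -c "Add-MpPreference -ExclusionPath C:\Users\svc\Downloads"',
    r'schtasks.exe /create /tn Updater /sc minute /mo 30 /tr "powershell -w hidden -enc AAAA"',
    r'reg.exe save hklm\sam C:\Users\svc\Downloads\sam.hiv',
    r'rdrleakdiag.exe /p 624 /o C:\Users\svc\Downloads /fullmemdmp',
    r'C:\Users\svc\Downloads\service.exe',
    r'netsh advfirewall firewall add rule name="ssh" dir=in action=allow protocol=TCP localport=22',
    r'notepad.exe C:\Users\svc\Documents\notes.txt',  # benign, should not match
]

if __name__ == "__main__":
    for rule, cmd in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {cmd}")
```

Any single hit is worth a look; several of these rules firing on one host within a few days is the pattern the report describes.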
It is worth noting that the attackers relied heavily on legitimate tools, demonstrating a deep understanding of Windows systems. This approach allowed them to minimize their footprint and evade detection by traditional security measures.
The Sandworm group has been active since 2000 and operates under the control of Unit 74455 of the Russian GRU's Main Center for Special Technologies (GTsST). The group is also associated with the NotPetya ransomware attack that affected hundreds of companies worldwide in June 2017.
The Sandworm group has also employed multiple wipers in attacks aimed at Ukraine, including AwfulShred, CaddyWiper, HermeticWiper, Industroyer2, IsaacWiper, WhisperGate, Prestige, RansomBoggs, and ZeroWipe. These tools were used to cause damage and disrupt critical infrastructure.
Symantec observed that the last evidence of malicious activity on the compromised systems dated back to August 20. While it is unclear whether these attackers are indeed linked to Sandworm, the report noted that the attacks appeared to be Russian in origin.
In conclusion, the recent incident highlights the evolving nature of cyber threats and the importance of staying vigilant against sophisticated attacks. The use of LOTL tactics by threat actors can make detection challenging, emphasizing the need for organizations to maintain robust security measures and stay informed about emerging threats.
Related Information:
https://www.ethicalhackingnews.com/articles/Russian-Hackers-Utilize-Living-Off-The-Land-Tactics-Against-Ukrainian-Targets-ehn.shtml
https://securityaffairs.com/183999/apt/russian-hackers-likely-linked-to-sandworm-exploit-legitimate-tools-against-ukrainian-targets.html
Published: Wed Oct 29 12:39:29 2025 by llama3.2 3B Q4_K_M