
Stealthy Russian Hackers Employ 'Living Off the Land' Tactics Against Ukrainian Organizations

Updated: 4 days ago

Cybersecurity researchers have uncovered a sophisticated campaign by Russian-linked threat actors targeting Ukrainian organizations. The attackers are employing "living off the land" (LotL) tactics, utilizing legitimate system tools and dual-use software to minimize their digital footprint and evade detection. This stealthy approach allows them to maintain persistent access and exfiltrate sensitive data.


Key Takeaways

  • Russian-linked hackers are using "living off the land" tactics against Ukrainian entities.

  • The attackers prioritize legitimate tools over traditional malware to remain undetected.

  • Targets include business services organizations and local government entities.

  • The goal appears to be data theft and establishing long-term network access.

Evolving Attack Methods

Organizations in Ukraine have been subjected to a prolonged cyberespionage campaign orchestrated by threat actors believed to be of Russian origin. The attacks, which targeted a large business services organization for two months and a local government entity for a week, relied heavily on "living off the land" (LotL) techniques. This strategy involves leveraging built-in operating system tools and legitimate software already present on compromised systems, making it significantly harder for security software to distinguish malicious activity from normal operations.

Initial Access and Reconnaissance

The attackers gained initial access by deploying web shells on public-facing servers, likely exploiting unpatched vulnerabilities. One identified web shell, Localolive, has been previously linked to a sub-group of the Russia-linked Sandworm crew. Following initial compromise, the threat actors conducted extensive reconnaissance. They utilized commands like , , and to map out the network and gather information about users and running processes. Notably, they modified Windows Defender configurations to exclude the Downloads folder from scans, creating a safe haven for deploying further tools.

Sophisticated Persistence and Data Harvesting

To establish persistent access, the attackers deployed OpenSSH for remote command-line control and configured Remote Desktop Protocol (RDP) without pre-authentication. They also created scheduled tasks to run PowerShell backdoors every 30 minutes, ensuring continued access even after system reboots. The attackers demonstrated a methodical approach to credential harvesting, using tools like the Windows Resource Leak Diagnostic tool to extract sensitive information from system memory and registry hives. Evidence suggests they were also interested in targeting password managers like KeePass.
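As an added illustration (not code from this article or from any of the cited reports), the following read-only PowerShell audit checks a Windows host for the evasion and persistence artifacts described in the two sections above: a Defender exclusion that covers a Downloads folder, scheduled tasks that launch PowerShell on a short repetition interval, RDP with Network Level Authentication turned off (my reading of "without pre-authentication"), and an installed OpenSSH server. The 60-minute interval threshold, the path and process regexes, and the assumption that sshd is not expected on the host are all choices made for this example; adjust them to the environment.

```powershell
# Added example: read-only audit of host-level LotL indicators.
# Run from an elevated PowerShell session on the endpoint being checked.
# Thresholds and patterns below are assumptions, not values from the article.

function Get-LotlIndicators {
    $findings = @()

    # 1. Windows Defender path exclusions that cover a Downloads folder.
    #    An exclusion here makes the folder a staging area that is never scanned.
    $pref = Get-MpPreference
    foreach ($path in @($pref.ExclusionPath)) {
        if ($path -and $path -match '(?i)\\Downloads(\\|$)') {
            $findings += [pscustomobject]@{
                Category = 'DefenderExclusion'
                Detail   = "Exclusion covers a Downloads folder: $path"
            }
        }
    }

    # 2. Scheduled tasks whose action launches PowerShell and whose trigger
    #    repeats at a short interval (assumed threshold: 60 minutes or less).
    foreach ($task in Get-ScheduledTask) {
        $psActions = @($task.Actions | Where-Object {
            $_.Execute -match '(?i)(powershell|pwsh)'
        })
        if ($psActions.Count -eq 0) { continue }
        foreach ($trigger in $task.Triggers) {
            $interval = $trigger.Repetition.Interval   # ISO 8601 duration, e.g. PT30M
            if (-not $interval) { continue }
            $minutes = [System.Xml.XmlConvert]::ToTimeSpan($interval).TotalMinutes
            if ($minutes -le 60) {
                $findings += [pscustomobject]@{
                    Category = 'ScheduledTask'
                    Detail   = "$($task.TaskPath)$($task.TaskName) runs PowerShell every $minutes min: " +
                               ($psActions.Arguments -join ' ')
                }
            }
        }
    }

    # 3. RDP listener with Network Level Authentication disabled
    #    (UserAuthenticationRequired = 0 means no pre-authentication).
    $ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
                          -ClassName Win32_TSGeneralSetting `
                          -Filter "TerminalName='RDP-Tcp'" -ErrorAction SilentlyContinue
    if ($ts -and $ts.UserAuthenticationRequired -eq 0) {
        $findings += [pscustomobject]@{
            Category = 'RDP'
            Detail   = 'Network Level Authentication is disabled on RDP-Tcp'
        }
    }

    # 4. OpenSSH server service present. Assumption for this example: sshd is
    #    not part of the host's baseline, so its presence is worth reviewing.
    $sshd = Get-Service -Name sshd -ErrorAction SilentlyContinue
    if ($sshd) {
        $findings += [pscustomobject]@{
            Category = 'OpenSSH'
            Detail   = "sshd service present (status: $($sshd.Status), start type: $($sshd.StartType))"
        }
    }

    return $findings
}

# Usage: print any findings as a table; an empty result means none of the
# four indicators were observed on this host.
Get-LotlIndicators | Format-Table -AutoSize
```

Each check reports configuration state rather than proving compromise: a Downloads exclusion or an sshd service can be legitimate, so the output is a triage list to compare against the host's known baseline, and the scheduled-task check in particular should be followed by reading the task's actual arguments before drawing conclusions.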

Minimal Malware, Maximum Impact

Despite the deployment of some suspicious executables and PowerShell backdoors, the overall malware footprint was minimal. The attackers' proficiency in using legitimate Windows utilities and dual-use software highlights their advanced tradecraft. The presence of legitimate MikroTik router management software () in the Downloads folder was also noted, a tool previously associated with Sandworm campaigns targeting Ukrainian infrastructure. This campaign underscores the growing challenge of detecting sophisticated adversaries who can achieve significant objectives with minimal reliance on conventional malware.

As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.

Sources

  • Russian Hackers Target Ukrainian Organizations Using Stealthy Living-Off-the-Land Tactics, The Hacker News.

  • Russian Hackers Target Government with Stealthy “Living-Off-the-Land” Tactics, GBHackers News.

  • Russian Hackers Launch Stealthy Living Off the Land Attacks on Government Entity, Cyber Press.

  • Russian hackers breach orgs to track aid routes to Ukraine, BleepingComputer.
