Russian Hackers Employ Stealthy Tactics to Infiltrate Ukrainian Organizations
In recent months, Ukrainian organizations have been the target of sophisticated cyberattacks orchestrated by Russian-affiliated threat actors. These adversaries have employed stealthy techniques to exfiltrate sensitive data and establish persistent access within compromised networks.
According to a comprehensive report by Symantec and Carbon Black’s Threat Hunter Team, two significant entities in Ukraine were affected: a prominent business services organization, infiltrated over a two-month period, and a local government body, compromised for a week.
Exploitation of Public-Facing Servers
The attackers initiated their campaigns by exploiting unpatched vulnerabilities in public-facing servers. This approach allowed them to deploy web shells, such as LocalOlive, facilitating the delivery of subsequent malicious payloads like Chisel, plink, and rsockstun. Notably, LocalOlive has been associated with the Sandworm group, a Russian-linked cyber espionage unit, and has been in use since at least late 2021.
Living-Off-the-Land (LotL) Techniques
A hallmark of these attacks is the use of Living-Off-the-Land (LotL) tactics. By relying on legitimate system tools and processes rather than custom malware, the attackers minimized their footprint on disk and made detection harder. This strategy involved:
– PowerShell Commands: Executing commands to exclude specific directories from antivirus scans and setting up scheduled tasks for periodic memory dumps.
– Registry Manipulation: Saving copies of registry hives and modifying settings to permit Remote Desktop Protocol (RDP) connections, thereby facilitating remote access.
– Reconnaissance Activities: Enumerating files, listing active user sessions, and identifying running processes, particularly those associated with password storage vaults like KeePass.
Deployment of Dual-Use Tools
The adversaries also deployed dual-use tools to maintain access and exfiltrate data:
– OpenSSH Installation: Setting up OpenSSH servers to enable secure remote access.
– Scheduled Tasks: Creating tasks to execute unknown PowerShell backdoors at regular intervals, ensuring continued control over the compromised systems.
– Use of Legitimate Applications: Deploying applications like winbox64.exe, a MikroTik router management tool, which has been previously linked to Sandworm campaigns targeting Ukrainian infrastructure.
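The LotL behaviours and dual-use tools listed in the two sections above (antivirus exclusions, scheduled tasks launching PowerShell, registry hive copies, RDP enablement, KeePass process reconnaissance, OpenSSH service installation, and winbox64.exe on a host that has no business running it) are all visible in process-creation telemetry. The following is an added example, not code from the Symantec/Carbon Black report: a small Python detector that runs a set of pattern rules over constructed process-creation records and then correlates hits per user, so that one account producing several distinct behaviours in a short span stands out as a likely LotL chain rather than isolated admin noise. The pipe-separated record layout, the account and path names, and the rule names are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation records (hypothetical "timestamp|user|image|command_line"
# layout, not real telemetry). The first eight lines mirror the behaviours the report lists;
# the last line is ordinary user activity that should not alert.
SAMPLE_EVENTS = r"""2025-03-01T10:02:11Z|CORP\svc_web|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c Add-MpPreference -ExclusionPath C:\ProgramData\cache
2025-03-01T10:03:40Z|CORP\svc_web|C:\Windows\System32\schtasks.exe|schtasks /create /sc hourly /tn Updater /tr "powershell -File C:\ProgramData\cache\u.ps1"
2025-03-01T10:05:02Z|CORP\svc_web|C:\Windows\System32\reg.exe|reg save HKLM\SAM C:\ProgramData\cache\sam.hiv
2025-03-01T10:05:09Z|CORP\svc_web|C:\Windows\System32\reg.exe|reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
2025-03-01T10:06:30Z|CORP\svc_web|C:\Windows\System32\tasklist.exe|tasklist /v
2025-03-01T10:07:15Z|CORP\svc_web|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell Get-Process keepass
2025-03-01T10:09:00Z|CORP\svc_web|C:\Windows\System32\sc.exe|sc create sshd binPath= "C:\ProgramData\cache\sshd.exe"
2025-03-01T10:12:00Z|CORP\svc_web|C:\ProgramData\cache\winbox64.exe|winbox64.exe
2025-03-01T11:15:44Z|CORP\alice|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell Get-ChildItem C:\Users\alice\Documents
"""

# Command-line rules, one per behaviour named in the report (rule names are this example's own).
RULES = [
    ("av_exclusion", re.compile(r"(?:Add|Set)-MpPreference\b.*-Exclusion", re.I)),
    ("sched_task_powershell",
     re.compile(r"(?:schtasks(?:\.exe)?\s+/create\b|Register-ScheduledTask\b).*powershell", re.I)),
    ("registry_hive_save",
     re.compile(r"\breg(?:\.exe)?\s+(?:save|export)\s+hklm\\(?:sam|system|security)\b", re.I)),
    ("rdp_enabled", re.compile(r"fDenyTSConnections.*(?:/d\s+0\b|-Value\s+0\b)", re.I)),
    ("keepass_recon", re.compile(r"(?:tasklist|Get-Process|findstr).*keepass", re.I)),
    ("sshd_service_install",
     re.compile(r"(?:sc(?:\.exe)?\s+create\s+\S*sshd|New-Service\b.*sshd|Add-WindowsCapability\b.*OpenSSH\.Server)", re.I)),
]
# Image-name rule: the MikroTik management tool showing up as a process on a server.
WINBOX_IMAGE = re.compile(r"(?:^|\\)winbox64\.exe$", re.I)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    rule: str
    command_line: str


def parse_events(text):
    """Yield (timestamp, user, image, command_line) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split("|", 3)
        if len(parts) == 4:
            yield tuple(p.strip() for p in parts)


def scan(text):
    """Run every rule over every record and return the matching findings in event order."""
    findings = []
    for ts, user, image, cmd in parse_events(text):
        for name, pattern in RULES:
            if pattern.search(cmd):
                findings.append(Finding(ts, user, name, cmd))
        if WINBOX_IMAGE.search(image):
            findings.append(Finding(ts, user, "winbox_on_server", cmd))
    return findings


def chained_users(findings, min_rules=3):
    """Correlate by account: users that tripped at least `min_rules` distinct rules."""
    by_user = {}
    for f in findings:
        by_user.setdefault(f.user, set()).add(f.rule)
    return {user: sorted(rules) for user, rules in by_user.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.timestamp} {f.user:16} {f.rule:22} {f.command_line}")
    for user, rules in chained_users(hits).items():
        print(f"\nPossible LotL chain by {user}: {', '.join(rules)}")
```

Any single rule here will fire on legitimate administration now and then (an administrator really does enable RDP or install OpenSSH), which is why the correlation step matters more than the individual patterns: it is the combination of exclusions, persistence, hive copies and remote-access enablement from one account in a short window that matches the report's description. Tuning means feeding real process-creation data from the EDR or Sysmon pipeline into the same layout and adjusting `min_rules` and the time scope to the environment.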
Implications and Attribution
While direct attribution to Sandworm remains unconfirmed, the tactics, techniques, and procedures (TTPs) observed align with those of Russian-origin threat actors. The strategic use of LotL methods and minimal malware deployment underscores a deliberate effort to evade detection and maintain long-term access within critical Ukrainian organizations.
Conclusion
These incidents highlight the evolving nature of cyber threats facing Ukraine, emphasizing the need for robust cybersecurity measures, timely patching of vulnerabilities, and continuous monitoring to detect and mitigate such stealthy intrusions.