Symantec has uncovered sophisticated intrusions in Ukraine attributed to Russian-affiliated threat actors who relied heavily on Living-off-the-Land (LotL) techniques to stay stealthy. The campaigns used very little custom malware; instead, the attackers showed deep familiarity with built-in Windows tools, which they used for data theft, credential access and persistence. #Sandworm #LivingOffTheLand
Keypoints
- Initial access came from exploiting unpatched vulnerabilities in public-facing servers, on which the attackers deployed webshells.
- The threat actors used native Windows utilities such as PowerShell and cmd.exe for reconnaissance and data exfiltration rather than bringing their own tooling.
- Scheduled tasks were used to repeatedly dump process memory, a credential-harvesting step rather than a persistence mechanism; persistence itself came from registry modifications and custom PowerShell backdoors.
- The operations show a high level of skill in blending malicious activity with normal administrative and network behavior, which is what makes LotL tradecraft hard to detect.
- Attribution is not definitive, but the tactics and tooling strongly point to the Russian Sandworm group.
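Because LotL activity uses only signed, built-in binaries, detection has to key on command lines and parent/child relationships rather than file hashes. The following detector is an added example and is not code from Symantec or from the report; it runs a handful of rules over constructed process-creation events (Sysmon Event ID 1 / Security 4688 style) shaped after the key points above. The specific command-line patterns (a web server spawning a shell, a comsvcs.dll MiniDump in a scheduled task, hidden encoded PowerShell, a Run-key entry pointing at a script host, chained discovery commands) are common LotL tradecraft assumed here for illustration; the summary above does not name the exact commands the attackers used.

```python
"""Toy living-off-the-land (LotL) detector over Windows process-creation events.

Added example, not from the Symantec report. The rules below encode common
LotL tradecraft and are assumptions for illustration; the sample events are
constructed, not real telemetry.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    user: str
    parent: str   # parent image name
    image: str    # process image name
    cmdline: str  # full command line


# Constructed sample events for one web server (web01) and one workstation (ws12).
SAMPLE_EVENTS = [
    ProcEvent("web01", "IIS APPPOOL\\DefaultAppPool", "w3wp.exe", "cmd.exe",
              'cmd.exe /c whoami & ipconfig /all & net group "domain admins" /domain'),
    ProcEvent("web01", "NT AUTHORITY\\SYSTEM", "svchost.exe", "rundll32.exe",
              "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 712 C:\\Windows\\Temp\\l.dmp full"),
    ProcEvent("web01", "NT AUTHORITY\\SYSTEM", "cmd.exe", "schtasks.exe",
              'schtasks /create /sc minute /mo 30 /tn Updater /ru SYSTEM '
              '/tr "rundll32 comsvcs.dll, MiniDump 712 C:\\Windows\\Temp\\l.dmp full"'),
    ProcEvent("web01", "CORP\\svc_backup", "explorer.exe", "powershell.exe",
              "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA..."),  # truncated, constructed
    ProcEvent("web01", "CORP\\svc_backup", "cmd.exe", "reg.exe",
              'reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater '
              '/t REG_SZ /d "powershell -w hidden -File C:\\Users\\Public\\u.ps1"'),
    ProcEvent("ws12", "CORP\\alice", "explorer.exe", "powershell.exe",
              "powershell.exe -File C:\\Scripts\\Get-Inventory.ps1"),  # benign admin script
]

WEB_SERVERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe", "java.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DISCOVERY = r"\b(?:whoami|ipconfig|systeminfo|tasklist|nltest|net\s+(?:group|user|view))\b"


def has(pattern, text):
    """Case-insensitive regex search returning a plain bool."""
    return re.search(pattern, text, re.I) is not None


# (rule id, ATT&CK-style phase, description, predicate)
RULES = [
    ("webshell_child", "initial_access", "shell spawned by a web server process",
     lambda e: e.parent.lower() in WEB_SERVERS and e.image.lower() in SHELLS),
    ("lsass_minidump", "credential_access", "comsvcs.dll MiniDump of process memory",
     lambda e: has(r"comsvcs\.dll\s*,?\s*MiniDump", e.cmdline)),
    ("scheduled_dump", "credential_access", "scheduled task whose action dumps memory",
     lambda e: e.image.lower() == "schtasks.exe" and "/create" in e.cmdline.lower()
               and has(r"minidump|procdump", e.cmdline)),
    ("ps_encoded_hidden", "execution", "hidden-window PowerShell with encoded command",
     lambda e: e.image.lower() == "powershell.exe"
               and has(r"-(?:encodedcommand|enc|ec|e)\b", e.cmdline)
               and has(r"-w(?:indowstyle)?\s+hidden", e.cmdline)),
    ("run_key_persistence", "persistence", "Run-key entry pointing at a script host",
     lambda e: e.image.lower() == "reg.exe" and has(r"\\currentversion\\run", e.cmdline)
               and has(r"powershell|cmd|wscript|cscript|mshta", e.cmdline)),
    ("recon_chain", "discovery", "several discovery commands chained in one shell",
     lambda e: len(re.findall(DISCOVERY, e.cmdline, re.I)) >= 2),
]
PHASE_OF = {rid: phase for rid, phase, _, _ in RULES}


def evaluate(event):
    """Return the ids of every rule the event trips, in RULES order."""
    return [rid for rid, _, _, pred in RULES if pred(event)]


def find_suspicious(events):
    """Return (index, rule_ids) for each event that trips at least one rule."""
    return [(i, hits) for i, e in enumerate(events) if (hits := evaluate(e))]


def hosts_with_chain(events, min_phases=3):
    """Correlate per host: hosts whose hits span >= min_phases distinct phases.

    One rule firing is noise; a web-spawned shell, a memory dump and a Run-key
    change on the same host is an intrusion chain worth an analyst's time.
    """
    phases = {}
    for e in events:
        for rid in evaluate(e):
            phases.setdefault(e.host, set()).add(PHASE_OF[rid])
    return {h: sorted(p) for h, p in phases.items() if len(p) >= min_phases}


if __name__ == "__main__":
    for i, hits in find_suspicious(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[i]
        print(f"{e.host} {e.parent} -> {e.image}: {', '.join(hits)}")
    print("hosts with multi-phase chains:", hosts_with_chain(SAMPLE_EVENTS))
```

The per-event rules are deliberately loose (an admin running `reg add` against a Run key is legitimate on its own); the correlation in `hosts_with_chain` is what separates LotL noise from an intrusion, which is why the benign inventory script on ws12 never surfaces while web01 does.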