‘Living off the land’ allowed Russia-linked group to breach Ukrainian entities this summer
Summary
Researchers at Symantec found that suspected Russia-linked hackers breached two Ukrainian organisations this summer by relying on legitimate administrative tools already present on victims’ systems — a tactic known as “living-off-the-land”. The intrusions hit a large business services company and a local government agency. Attackers used webshells on public-facing servers (one webshell, Localolive, has previous ties to Sandworm) and deployed PowerShell backdoors and other suspicious executables that Symantec could not obtain for analysis. Attribution points to activity originating from Russia, though a direct tie to Sandworm wasn’t confirmed. Ukraine’s CERT-UA warns such campaigns continue to rise alongside the war, with thousands of attacks recorded in 2025.
Key Points
- Attackers used “living-off-the-land” tactics — abusing built-in Windows tools and legitimate software to operate stealthily.
- Intrusions involved webshells on public-facing servers, likely exploiting unpatched vulnerabilities.
- One webshell, Localolive, has been previously linked by Microsoft to Sandworm, a GRU-associated unit.
- Symantec observed PowerShell backdoors and other suspicious executables, but some samples remain unavailable for analysis.
- Ukraine’s CERT-UA reports a year-on-year rise in cyberattacks, reflecting an ongoing, large-scale targeting campaign linked to the conflict.
Content summary
Symantec’s report documents two separate breaches earlier in the year where attackers minimised custom malware use and maximised the use of dual-use and native Windows tools to steal data and credentials while keeping a low profile. The initial foothold was gained via webshells on internet-facing servers, suggesting exploitation of unpatched flaws. Although Symantec could not definitively link the incidents to Sandworm, indicators suggest Russia as the source. The victims were not publicly named and the extent of data theft remains unclear.
Context and relevance
This fits a wider trend where skilled threat actors favour stealthy, low-footprint operations that are harder to detect and attribute. For organisations operating in conflict zones or supporting critical functions, the report is a reminder to prioritise patching of public-facing services, monitor for webshell activity, and harden detection of misuse of legitimate admin tools. It also underscores persistent nation-state pressure on Ukrainian targets and the continued role of known Russian-linked groups in disruptive and espionage operations.
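One concrete detection for the webshell-to-admin-tool hand-off described above, added here as an illustration rather than anything from Symantec's report: flag process-creation events where a web server worker process spawns a built-in command interpreter, and raise severity when the command line carries hidden-window, no-profile or encoded-command switches. The log format, the parent/child process lists and the sample events are all constructed assumptions.

```python
# Added example: flag process-creation events where a web server worker spawns a
# command interpreter, the hand-off point between a webshell and LOTL activity.
import re

# Web application worker processes (assumed list; extend for your estate).
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat9.exe", "php-cgi.exe"}
# Built-in tools that webshells commonly hand off to.
LOLBIN_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "rundll32.exe"}
# Command-line markers that raise severity (hidden window, no profile, encoded command).
SUSPICIOUS_ARGS = re.compile(r"(?i)(-enc(odedcommand)?\b|-nop\b|-w(indowstyle)?\s+hidden|downloadstring)")

def parse_event(line: str) -> dict:
    """Parse 'Key=Value' fields separated by '|' (constructed Sysmon-like format)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.strip().partition("=")
        fields[key] = value
    return fields

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event: dict) -> str:
    """Return 'benign', 'low', 'medium' or 'high' for one process-creation event."""
    parent, child = basename(event.get("ParentImage", "")), basename(event.get("Image", ""))
    if parent not in WEB_SERVER_PARENTS:
        return "benign"
    if child not in LOLBIN_CHILDREN:
        return "low"            # unexpected child of a web worker still merits a look
    if SUSPICIOUS_ARGS.search(event.get("CommandLine", "")):
        return "high"
    return "medium"

def scan(lines: list) -> list:
    """Return (severity, parent, child) for every medium or high severity event."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        sev = classify(ev)
        if sev in ("medium", "high"):
            hits.append((sev, basename(ev["ParentImage"]), basename(ev["Image"])))
    return hits

# Constructed sample events, not from the Symantec report.
SAMPLE_LOG = [
    "ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c whoami",
    "ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=powershell.exe -nop -w hidden -enc AAAA",
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=powershell.exe Get-Process",
    "ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe|Image=C:\\Windows\\System32\\conhost.exe|CommandLine=conhost.exe 0x4",
]
```

Calling scan(SAMPLE_LOG) returns the two w3wp.exe hits (cmd.exe at medium, powershell.exe at high); the explorer.exe-launched PowerShell is ignored because its parent is not a web worker.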
Why should I read this?
Short version: if you manage servers, run public-facing apps or deal with Ukrainian infrastructure, this is relevant. These attackers weren’t flashy — they used stuff admins already trust. Reading the detail helps you spot the small misconfigurations that let big breaches happen.
Author style
Punchy: This is important — not because of dramatic new malware, but because clever misuse of everyday tools lets advanced actors slip past many defences. If you care about risk reduction, the operational takeaways here are immediately usable and worth a proper look.
Source
Source: https://therecord.media/russia-linked-breaches-ukraine-living-off-the-land
