A recent analysis by cybersecurity firms Symantec and Carbon Black reveals that Russian-linked threat actors have conducted sophisticated campaigns against Ukrainian entities by relying on living-off-the-land techniques and minimal malware. These operations have targeted a major business services organisation for two months and a local government body for one week, according to the findings.
The attacks began with the deployment of web shells on public-facing servers within the business organisation’s network, likely after the exploitation of one or more unpatched vulnerabilities. Once access was established, the attackers used native tools such as PowerShell to evade detection, setting up scheduled tasks and creating memory dumps every thirty minutes.
Among the tools used by the intruders was “LocalOlive,” a web-shell previously attributed to a subgroup of the Russia-linked Sandworm team within what is known as the BadPilot campaign. Despite this connection, researchers have not yet found definitive proof that the campaign is part of Sandworm’s activities.
The attackers also executed commands to list running processes whose names start with “kee,” suggesting they were likely targeting the KeePass password manager vault. They then installed software such as OpenSSH, modified network traffic rules, created scheduled tasks for backdoors, and introduced a legitimate router-management tool named “winbox64.exe” in order to mask malicious activity.
This operation falls within a broader pattern of Russian-origin e-crime where threat actors use minimal footprints and rely heavily on legitimate system tools rather than obvious malware. The goal appears to be persistent access and data theft rather than immediate disruption. The researchers describe how attackers can leverage deep knowledge of the Windows ecosystem to break in, move laterally, steal credentials, and avoid detection for extended periods.
The report notes that one of the key challenges in responding to such attacks is the use of native utilities rather than custom exploit binaries. When operations are executed using tools already present in the environment, they can bypass many traditional endpoint security solutions that focus on detecting external threats or known malware.
While the analysis did not identify a specific criminal actor or threat group with certainty, the evidence suggests that a Russia-based organisation, or at least one operating from that region, is likely behind the campaign. Experts warn that as law enforcement and intelligence pressure grows, these threat actors are increasingly operating like businesses, using dual-use tools and adopting minimal footprints to remain below detection thresholds.
For organisations operating in Ukraine and beyond, the incident underscores the importance of monitoring native tool usage, reviewing scheduled tasks, and auditing remote access protocols. Defence teams must assume that attackers may already be inside their networks, using legitimate system tools to sample data and move quietly. Prompt vulnerability management, behavioural monitoring, and enhanced logging are essential to prevent or detect these low-profile campaigns.
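As an added illustration of the monitoring the report recommends (this is example code written for this page, not part of the Symantec/Carbon Black analysis), the script below runs two simple rules over constructed process-creation records: a scheduled task registered to fire every 30 minutes with a PowerShell action, and a process listing filtered to names beginning with “kee”. The record layout, host names and command lines are assumptions made up for the demo.

```python
"""Added example: flag two living-off-the-land behaviours described in the
article in constructed Windows process-creation records. Record format,
host names and field order are assumptions for this demo."""
import re
from dataclasses import dataclass

@dataclass
class Finding:
    host: str
    rule: str
    command: str

# Constructed sample records: (host, user, command line) as a collector might emit.
SAMPLE_EVENTS = [
    ("web01", "SYSTEM", 'schtasks /create /tn "Updater" /sc minute /mo 30 /tr "powershell -w hidden -File C:\\ProgramData\\u.ps1"'),
    ("web01", "SYSTEM", 'tasklist /fi "imagename eq kee*"'),
    ("ws07", "jdoe", 'powershell Get-Process kee*'),
    ("ws07", "jdoe", 'schtasks /create /tn "Backup" /sc daily /tr "C:\\Tools\\backup.exe"'),
    ("dc01", "admin", 'tasklist /svc'),
]

# Rule 1: schtasks registration on a minute schedule of 30 minutes or less whose
# action invokes PowerShell (the article describes 30-minute PowerShell tasks).
SCHTASKS_RE = re.compile(r"schtasks\s+/create.*?/sc\s+minute\s+/mo\s+(\d+).*?/tr\s+\"?(.*)", re.I)
# Rule 2: process enumeration filtered to names starting with "kee" (KeePass).
KEE_RE = re.compile(r"(imagename\s+eq\s+kee\*|Get-Process\s+kee\*)", re.I)

def frequent_powershell_task(cmd: str) -> bool:
    m = SCHTASKS_RE.search(cmd)
    return bool(m) and int(m.group(1)) <= 30 and "powershell" in m.group(2).lower()

def keepass_enumeration(cmd: str) -> bool:
    return KEE_RE.search(cmd) is not None

def scan(events) -> list:
    """Return one Finding per (record, rule) pair that matches."""
    findings = []
    for host, _user, cmd in events:
        if frequent_powershell_task(cmd):
            findings.append(Finding(host, "frequent_powershell_task", cmd))
        if keepass_enumeration(cmd):
            findings.append(Finding(host, "keepass_process_enumeration", cmd))
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.command}")
```

In a real deployment the same rules would be applied to Security event 4688 or Sysmon event 1 command lines, with the interval threshold and the legitimate-task allow-list tuned to the environment.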
These findings come as the cyber-threat landscape evolves, with increasing overlap between nation-state operations and organised crime. Although this particular campaign appears focused on theft rather than immediate sabotage, the same tactics could be applied to critical infrastructure, supply chains, or sectors where persistent access is highly valued.