Cybersecurity researchers have identified a new wave of attacks targeting Ukrainian organizations that appear to be linked to the Russian-backed hacking collective known as Sandworm. According to findings by Symantec and VMware Carbon Black, the attackers infiltrated both a large business services provider and a local government agency, maintaining access for days or even months while gathering sensitive data.
The researchers revealed that the first attack involved a business services company where the threat actors remained undetected for more than two months. They are believed to have gained entry by exploiting vulnerabilities on public-facing servers and installing web shells to establish persistent access. Once inside, they relied heavily on built-in administrative tools, a method that allows attackers to move through networks without leaving obvious traces of malware.
One of the web shells discovered, known as LocalOlive, has been associated with previous operations attributed to Sandworm. While the researchers have not yet confirmed the direct involvement of the group, the overlap in tactics and toolsets strongly suggests a link. Sandworm, also known as APT44, is widely considered one of the most dangerous Russian cyber units and has been tied to some of the most disruptive operations in Ukraine’s recent history.
In the second incident, the attackers compromised a local government agency for roughly a week. Although the intrusion was shorter, the techniques used were nearly identical, suggesting that the same actor or an affiliated group was responsible. The campaign focused on exfiltrating files and collecting system data that could support later operations. No signs of data encryption or destructive malware were found, indicating that espionage rather than sabotage was the primary motive.
The timing and precision of these attacks are notable because they come amid ongoing geopolitical tensions and increased cyber activity across Eastern Europe. Ukraine remains one of the most targeted nations in the world, with many of its public and private institutions facing continuous digital assaults. Sandworm, which operates under the Russian military intelligence agency GRU, has been responsible for several major attacks in the past, including power grid disruptions, satellite interference, and large-scale data wiping incidents.
Unlike those previous attacks, the recent campaigns show a more discreet and patient approach. Instead of deploying malware that immediately disrupts operations, the attackers used methods designed to remain invisible for extended periods. This approach, known as living off the land, involves using legitimate system tools to conduct malicious activity. By blending in with normal administrative behavior, the attackers can move through systems, escalate privileges, and exfiltrate data without triggering standard security alerts.
This evolution in strategy highlights a shift in Sandworm’s operational priorities. Whereas previous campaigns sought to cause immediate and visible damage, the current operations suggest a focus on intelligence collection and long-term access. By gathering credentials and internal documents, the attackers can prepare for future operations or exploit the information for further strategic purposes.
Security experts warn that the implications of these findings go beyond the immediate victims. The use of stealthy, persistent techniques means that organizations may not even realize they have been compromised until long after the intrusion begins. Because attackers exploit tools already present in a system, traditional antivirus software often fails to detect them. For this reason, analysts recommend constant monitoring of network activity and behavior-based detection methods that can identify unusual patterns.
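The behaviour-based approach the article describes can be made concrete with a small detector. The following is an added example written for this page; it is not code from the article, from Symantec or from VMware Carbon Black, and it does not model the LocalOlive web shell specifically. It runs over constructed process-creation events in a hypothetical pipe-delimited schema (`ts|host|pid|ppid|image|cmdline`) and flags two patterns that a signature scanner would miss: a web-server worker spawning a command interpreter (what a web shell looks like in telemetry), and built-in administrative tools running anywhere beneath that web-server process tree. The same tools launched by an administrator from a desktop session produce no alert, which is the point of looking at parent/child context rather than at the tool names alone.

```python
"""Behaviour-based detection of web-shell-driven living-off-the-land activity.

Added illustration for this article, not vendor or Sandworm-specific code.
Field names and process lists below are assumptions for the example.
"""
from dataclasses import dataclass
from typing import Dict, List

# Processes that serve web content; an interpreter spawned from these is suspicious.
WEB_SERVER_PROCS = {"w3wp.exe", "httpd", "nginx", "tomcat9.exe"}
# Command interpreters a web shell typically launches.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash"}
# Legitimate admin tools commonly used during discovery once an attacker is inside.
LOTL_TOOLS = {"whoami.exe", "net.exe", "nltest.exe", "wmic.exe",
              "tasklist.exe", "certutil.exe", "ntdsutil.exe"}


@dataclass
class Event:
    ts: str
    host: str
    pid: int
    ppid: int
    image: str      # executable basename, lower-cased
    cmdline: str


def parse_line(line: str) -> Event:
    """Parse one constructed 'ts|host|pid|ppid|image|cmdline' record."""
    ts, host, pid, ppid, image, cmdline = line.split("|", 5)
    return Event(ts, host, int(pid), int(ppid), image.lower(), cmdline)


def ancestry(ev: Event, by_pid: Dict[int, Event], max_depth: int = 16) -> List[Event]:
    """Return ev's parent chain, nearest parent first; bounded so a bad pid
    mapping with a cycle cannot loop forever."""
    chain: List[Event] = []
    seen = {ev.pid}
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen and len(chain) < max_depth:
        chain.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain


def detect(lines: List[str]) -> List[dict]:
    """Return one alert dict per suspicious event, in input order."""
    events = [parse_line(ln) for ln in lines if ln.strip()]
    # Assumes pids are unique within the sampled window (true for a short capture).
    by_pid = {e.pid: e for e in events}
    alerts: List[dict] = []
    for ev in events:
        parents = ancestry(ev, by_pid)
        if not parents:
            continue  # no recorded parent: nothing to reason about
        chain = [p.image for p in parents]
        if ev.image in INTERPRETERS and parents[0].image in WEB_SERVER_PROCS:
            alerts.append({"rule": "web_server_spawned_interpreter", "host": ev.host,
                           "pid": ev.pid, "image": ev.image, "chain": chain})
        elif ev.image in LOTL_TOOLS and any(p.image in WEB_SERVER_PROCS for p in parents):
            alerts.append({"rule": "admin_tool_under_web_server", "host": ev.host,
                           "pid": ev.pid, "image": ev.image, "chain": chain})
    return alerts


# Constructed sample telemetry (not real logs). web01 shows the web-shell pattern;
# ws07 shows an administrator using the same tools from a desktop session.
SAMPLE_EVENTS = [
    "2025-10-01T08:00:00Z|web01|1200|4|services.exe|services.exe",
    "2025-10-01T08:00:05Z|web01|3300|1200|w3wp.exe|w3wp.exe",
    "2025-10-01T09:14:02Z|web01|4120|3300|cmd.exe|cmd.exe /c whoami",
    "2025-10-01T09:14:02Z|web01|4130|4120|whoami.exe|whoami",
    "2025-10-01T09:15:40Z|web01|4140|4120|net.exe|net user",
    "2025-10-01T09:20:00Z|ws07|2000|900|explorer.exe|explorer.exe",
    "2025-10-01T09:21:00Z|ws07|5000|2000|powershell.exe|powershell.exe",
    "2025-10-01T09:21:30Z|ws07|5010|5000|net.exe|net user",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['host']} pid={a['pid']} {a['image']} <- {' <- '.join(a['chain'])}: {a['rule']}")
```

Run as-is it reports three alerts, all on web01: the interpreter spawned by the IIS worker and the two discovery tools beneath it. The ws07 events produce nothing, because context, not the tool name, is what the rules key on. In a real deployment the process lists would be tuned to the environment and the events would come from an EDR or Sysmon-style feed rather than a constructed list.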
Ukrainian cybersecurity authorities have not issued an official statement about the incidents, but the report underscores the continuing risk to both public institutions and private companies operating in the country. The attackers’ choice of targets (business service providers and local government offices) suggests a broader interest in obtaining access to administrative systems that could later support larger coordinated operations.
The presence of the LocalOlive web shell and the consistency of tactics used across both attacks have led researchers to believe that these intrusions are part of a continuous campaign rather than isolated events. Sandworm’s long history of activity in Ukraine adds weight to this theory. The group has been linked to the 2015 and 2016 power grid attacks that left hundreds of thousands of Ukrainians without electricity, as well as the 2017 NotPetya outbreak that caused billions of dollars in global damage.
The difference now lies in how quietly the attackers operate. By avoiding high-profile attacks that draw attention, they increase their chances of maintaining access to valuable networks. This stealthy approach allows them to observe, collect, and prepare for potential future operations without immediate retaliation or exposure.
Researchers believe that these campaigns may serve dual purposes. They provide intelligence that can inform Russia’s military and strategic planning, while also creating a foundation for possible disruptive attacks if geopolitical conditions escalate. The blending of espionage and cyberwarfare is not new, but Sandworm’s evolving methods show that it continues to refine its capabilities with each operation.
Defending against this type of threat requires not only strong technical measures but also constant vigilance and cooperation between organizations. Experts urge Ukrainian institutions and their partners to review access controls, ensure that software is up to date, and adopt proactive detection systems that can spot the subtle signs of unauthorized activity. The ability to identify abnormal system behavior, rather than just known malware signatures, is now one of the most important defenses against advanced persistent threats.
The report concludes that these incidents represent another chapter in the ongoing cyber conflict surrounding Ukraine. They also serve as a reminder that cyberwarfare does not always involve overt attacks or dramatic disruptions. Sometimes it takes the form of quiet infiltration and slow data collection, designed to provide long-term strategic advantage rather than immediate impact.
The evolving nature of Sandworm’s activity demonstrates that the group remains active, adaptive, and deeply embedded in the broader context of state-sponsored cyber operations. For Ukraine and its allies, this means that defending against future attacks will require continuous improvement in detection capabilities and an unrelenting focus on cybersecurity readiness.