Sandworm-linked attackers continue to target Ukrainian organizations


Unsurprisingly, Russia-linked attackers continue to target Ukrainian organizations, new research from the Symantec and Carbon Black Threat Hunter team has revealed. Yet again, though, the intrusions are being discovered.

This time, a two-month long intrusion at a large – yet unnamed – business services company and a week-long attack against a local government agency were identified.

Both campaigns, though targeting different organizations, aimed to steal sensitive data and maintain long-term access.


According to the researchers, attackers used a custom Sandworm-linked webshell and relied extensively on living-off-the-land (LOTL) techniques and dual-use tools, deploying minimal malware to avoid detection while sustaining persistence within the compromised networks.
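A defender's view of the pattern described above, as an added example that is not from the Symantec and Carbon Black research: a small Python check that flags a web-server worker process (such as IIS's w3wp.exe, the process a webshell executes inside) spawning Windows native tools, run over constructed process-creation events. The worker and tool lists, field names and sample events are assumptions for illustration, not indicators from the report.

```python
import json

# Web-server worker processes; a webshell runs inside one of these, so any
# native tool it launches appears as a child of the worker (assumed list).
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "php-cgi.exe", "tomcat9.exe"}
# Windows native / dual-use binaries commonly launched through a webshell
# (assumed list; extend it from your own environment's baseline).
LOTL_BINARIES = {"cmd.exe", "powershell.exe", "whoami.exe", "certutil.exe",
                 "net.exe", "net1.exe", "reg.exe", "ntdsutil.exe", "rundll32.exe"}


def parse_events(jsonl: str) -> list[dict]:
    """Parse one process-creation event per line (Sysmon-style field names)."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def webshell_spawns(events: list[dict]) -> list[dict]:
    """Return events where a web-server worker spawned a LOTL binary.

    A worker compiling ASP.NET pages (csc.exe) or a user opening cmd.exe from
    explorer.exe is normal and is not flagged; cmd/powershell under w3wp is.
    """
    return [ev for ev in events
            if basename(ev["ParentImage"]) in WEB_WORKERS
            and basename(ev["Image"]) in LOTL_BINARIES]


# Constructed sample events (not real telemetry from the intrusions described).
SAMPLE_EVENTS = r"""
{"ParentImage":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c whoami /all","User":"IIS APPPOOL\\DefaultAppPool"}
{"ParentImage":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","Image":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe","CommandLine":"csc.exe /noconfig /fullpaths @page.cmdline","User":"IIS APPPOOL\\DefaultAppPool"}
{"ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe","User":"CORP\\jdoe"}
{"ParentImage":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -NoProfile -Command Get-ChildItem C:\\inetpub\\wwwroot","User":"IIS APPPOOL\\DefaultAppPool"}
"""


def flagged_command_lines(jsonl: str = SAMPLE_EVENTS) -> list[str]:
    """Command lines of the flagged events, in log order."""
    return [ev["CommandLine"] for ev in webshell_spawns(parse_events(jsonl))]


if __name__ == "__main__":
    for ev in webshell_spawns(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT {ev['User']}: {basename(ev['ParentImage'])} -> {ev['CommandLine']}")
```

Because the page's intrusions relied on legitimate tools rather than malware, a parent-child rule like this one catches the activity that file-based detection misses; the benign csc.exe child shows why the rule keys on the specific child binary rather than on any child of the worker.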

“The attackers gained access to the business services organization by deploying webshells on public facing servers, most likely by exploiting one or more unpatched vulnerabilities,” the researchers explained in a blog post.


“One of the webshells used was Localolive which, according to Microsoft, is associated with a sub-group of the Russian Sandworm group (also known as Seashell Blizzard) and has previously been used to provide initial access in a Sandworm campaign.”

The threat hunters said they haven’t yet been able to independently confirm a link to Sandworm but “the attacks did appear to be Russian in origin.”

Sandworm is a cyber espionage group with a history of specializing in destructive attacks and in campaigns targeting Internet of Things (IoT) devices. According to the US government, it is a unit of the Russian military intelligence agency, the GRU.

The group has been most notably linked to disruptive attacks targeting the power grid in Ukraine, the VPNFilter attacks against routers, and the AcidRain campaign against Viasat satellite modems.



“While the attackers used a limited amount of malware during the intrusion, much of the malicious activity that took place involved legitimate tools, either living-off-the-land or dual-use software introduced by the attackers,” said the researchers.

“The attackers demonstrated an in-depth knowledge of Windows native tools and showed how a skilled attacker can advance an attack and steal sensitive information, such as credentials, while leaving a minimal footprint on the targeted network.”
