Russian Hackers Breach Gov’t Systems Using Native Tools

Russian hackers breached government systems in Ukraine using stealthy tactics that rely heavily on legitimate tools to evade detection, according to new analysis by Symantec researchers. The campaign targeted public sector infrastructure and business services organizations, focusing on long-term access rather than immediate disruption.

Investigators tied the operation to Sandworm, a notorious unit of Russia’s GRU military intelligence service. The group’s strategy emphasized minimal malware use, instead leveraging “living-off-the-land” techniques to harvest credentials and exfiltrate sensitive data. The Russian hackers breached government systems through webshells placed on exposed servers, likely exploiting unpatched vulnerabilities.

Once inside, attackers used built-in Windows utilities such as rundll32.exe and reg.exe to perform memory dumps, disable security tools, and extract login data. Analysts also observed the group targeting KeePass password vaults and using the Windows resource-leak diagnostic tool rdrleakdiag.exe for stealthy credential extraction. These actions enabled the threat actors to maintain access for months.
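Because the tooling described above is all signed Microsoft code, a defender cannot block it outright and instead has to watch how it is invoked. The script below is an added example, not part of the Symantec analysis or this article: it runs three simple detection rules over a handful of constructed process-creation records (the pipe-delimited format, the host names, users and timestamps are all invented). The rdrleakdiag.exe rule fires on any execution, since the tool has almost no legitimate use on a server. The article does not say which rundll32.exe or reg.exe invocations Sandworm used, so the other two rules are assumptions that match the well-documented credential-access patterns for those binaries (rundll32 calling the comsvcs.dll MiniDump export, and reg.exe saving the SAM/SECURITY/SYSTEM hives).

```python
"""Detect living-off-the-land credential-access patterns in process-creation logs.

Added example: the log format, sample records, and the rundll32/reg.exe
rules are assumptions, not details from the Symantec write-up.
"""
import re
from dataclasses import dataclass

# Each rule: (name, regex on the process image basename, optional regex on the command line).
RULES = [
    # The article names rdrleakdiag as the dumping tool; any execution is worth an alert.
    ("rdrleakdiag_execution", re.compile(r"^rdrleakdiag\.exe$", re.I), None),
    # Assumption: rundll32 memory dumps via the comsvcs.dll MiniDump export (ordinal #24).
    ("rundll32_minidump", re.compile(r"^rundll32\.exe$", re.I),
     re.compile(r"comsvcs\.dll.*(minidump|#24)", re.I)),
    # Assumption: "reg save" of the credential-bearing hives.
    ("reg_hive_export", re.compile(r"^reg\.exe$", re.I),
     re.compile(r"\bsave\b.*\\(sam|security|system)\b", re.I)),
]


@dataclass
class ProcessEvent:
    ts: str
    user: str
    image: str
    parent: str
    cmdline: str


def parse_line(line: str) -> ProcessEvent:
    """Parse one constructed record: ts|user|image|parent|cmdline (cmdline may contain '|')."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        raise ValueError(f"malformed record: {line!r}")
    return ProcessEvent(*parts)


def basename(path: str) -> str:
    """Return the file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def detect(lines):
    """Return (timestamp, rule, user, cmdline) for every record matching a rule."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        name = basename(ev.image)
        for rule, img_re, cmd_re in RULES:
            if img_re.match(name) and (cmd_re is None or cmd_re.search(ev.cmdline)):
                alerts.append((ev.ts, rule, ev.user, ev.cmdline))
    return alerts


# Constructed sample records; two benign, three matching the rules above.
SAMPLE_LOG = [
    r"2024-05-01T10:00:01Z|CORP\svc_print|C:\Windows\System32\rundll32.exe|C:\Windows\System32\svchost.exe|rundll32.exe printui.dll,PrintUIEntry /?",
    r"2024-05-01T10:02:13Z|CORP\webadmin|C:\Windows\System32\rundll32.exe|C:\Windows\System32\cmd.exe|rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 612 C:\Windows\Temp\l.dmp",
    r"2024-05-01T10:03:40Z|CORP\webadmin|C:\Windows\System32\rdrleakdiag.exe|C:\Windows\System32\cmd.exe|rdrleakdiag.exe /p 612 /o C:\Windows\Temp",
    r"2024-05-01T10:05:02Z|CORP\helpdesk|C:\Windows\System32\reg.exe|C:\Windows\explorer.exe|reg.exe query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"2024-05-01T10:06:55Z|CORP\webadmin|C:\Windows\System32\reg.exe|C:\Windows\System32\cmd.exe|reg.exe save HKLM\SAM C:\Windows\Temp\sam.hiv",
]

if __name__ == "__main__":
    for ts, rule, user, cmdline in detect(SAMPLE_LOG):
        print(f"{ts} {rule:24} {user:16} {cmdline}")
```

In a real deployment the same rules map onto Sysmon Event ID 1 or Windows Security Event 4688 (with command-line auditing enabled); the value of a rule like `rdrleakdiag_execution` is precisely that it ignores the command line, so renaming arguments or output paths does not evade it. Pair these alerts with the parent process: an IIS worker or other web-server process spawning cmd.exe and then these utilities is the webshell chain the article describes.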

Read the full official report here:

Russian Hackers Attacking Government Entity Using Stealthy Living-Off-the-Land Tactics
