Suspected Russian hackers breached Ukrainian networks over the summer using legitimate administrative tools rather than custom malware, allowing them to steal data and remain largely undetected, cybersecurity firm Symantec reported.
According to Symantec’s investigation, the intrusions targeted two separate Ukrainian entities, a major business services company and a local government agency, in a pair of stealthy operations earlier this year.
Researchers said the attackers relied on so-called “living-off-the-land” techniques, which involve abusing software already installed on victims’ systems to carry out malicious actions.
In one case, the hackers reportedly gained access by deploying webshells on public-facing servers, likely exploiting unpatched vulnerabilities. One of the webshells, called Localolive, has previously been linked to Sandworm, a Russian military hacking unit associated with the GRU intelligence agency and well known for its attacks against Ukrainian targets. Sandworm has been accused of a string of high-profile attacks, including the 2015 and 2016 Ukrainian power grid outages and the AcidRain malware that disabled Viasat satellite modems at the start of Russia’s full-scale invasion in 2022.
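The combination described above, a webshell on a public-facing server followed by living-off-the-land activity, leaves one reliable trace even when no custom malware is dropped: the web server's worker process ends up as an ancestor of shells and administrative utilities it has no business launching. The detector below is an added illustration of that check and is not code from Symantec's report or from either victim; the process-creation events, host names, process IDs and field names are all constructed for the example, and the lists of web-worker and dual-use binaries are assumptions a defender would tune to their own environment. It walks parent links rather than checking only the direct parent, so a chain such as a web worker spawning a shell that in turn spawns another utility is still caught.

```python
"""Flag dual-use admin binaries whose process ancestry leads back to a web server worker.

Added example (not from the original article). Event fields are modelled loosely on
process-creation telemetry such as Sysmon Event ID 1 or auditd EXECVE records; the
sample events below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed lists: the web server processes a webshell would run inside of, and the
# built-in tools most often abused once a shell has been planted. Tune per environment.
WEB_WORKERS = {"w3wp.exe", "httpd", "apache2", "nginx", "php-fpm", "tomcat", "java"}
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "wmic.exe",
           "net.exe", "net1.exe", "whoami.exe", "bitsadmin.exe", "rundll32.exe",
           "sh", "bash", "whoami", "curl", "wget"}


@dataclass(frozen=True)
class ProcessEvent:
    ts: str
    host: str
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str
    user: str


def basename(path: str) -> str:
    """Normalise Windows and POSIX paths to a lower-case file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def web_worker_ancestor(event: ProcessEvent,
                        by_key: Dict[Tuple[str, int], ProcessEvent],
                        max_depth: int = 8) -> Optional[str]:
    """Walk the parent chain on the same host; return the first web worker found, if any.

    Stops on a missing parent (process started before the telemetry window), on a
    cycle (pid reuse), or after max_depth hops.
    """
    seen = set()
    cur = by_key.get((event.host, event.ppid))
    depth = 0
    while cur is not None and depth < max_depth and cur.pid not in seen:
        seen.add(cur.pid)
        name = basename(cur.image)
        if name in WEB_WORKERS:
            return name
        cur = by_key.get((cur.host, cur.ppid))
        depth += 1
    return None


def detect(events: List[ProcessEvent]) -> List[dict]:
    """Return one alert per dual-use binary that descends from a web server worker."""
    # Assumes pids are unique per host within the analysed window.
    by_key = {(e.host, e.pid): e for e in events}
    alerts = []
    for e in events:
        name = basename(e.image)
        if name not in LOLBINS:
            continue
        root = web_worker_ancestor(e, by_key)
        if root is None:
            continue  # interactive or scheduled use of the same tool is not flagged
        alerts.append({"ts": e.ts, "host": e.host, "pid": e.pid, "image": name,
                       "web_worker": root, "user": e.user, "cmdline": e.cmdline})
    return alerts


# Constructed sample telemetry: one IIS host with a webshell-style chain, one
# interactive admin session that must not alert, and one Linux nginx host.
SAMPLE_EVENTS = [
    ProcessEvent("2025-07-01T10:00:00Z", "web-01", 4000, 800,
                 r"C:\Windows\System32\inetsrv\w3wp.exe", "w3wp.exe -ap DefaultAppPool",
                 r"IIS APPPOOL\DefaultAppPool"),
    ProcessEvent("2025-07-01T10:00:05Z", "web-01", 4100, 4000,
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami",
                 r"IIS APPPOOL\DefaultAppPool"),
    ProcessEvent("2025-07-01T10:00:05Z", "web-01", 4101, 4100,
                 r"C:\Windows\System32\whoami.exe", "whoami", r"IIS APPPOOL\DefaultAppPool"),
    ProcessEvent("2025-07-01T10:00:09Z", "web-01", 4102, 4100,
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -Command Get-Process", r"IIS APPPOOL\DefaultAppPool"),
    ProcessEvent("2025-07-01T10:05:00Z", "web-01", 5000, 1,
                 r"C:\Windows\explorer.exe", "explorer.exe", r"CORP\admin"),
    ProcessEvent("2025-07-01T10:05:10Z", "web-01", 5001, 5000,
                 r"C:\Windows\System32\cmd.exe", "cmd.exe", r"CORP\admin"),
    ProcessEvent("2025-07-01T11:00:00Z", "web-02", 7000, 1,
                 "/usr/sbin/nginx", "nginx: worker process", "www-data"),
    ProcessEvent("2025-07-01T11:00:02Z", "web-02", 7001, 7000,
                 "/bin/sh", "sh -c id", "www-data"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert['ts']} {alert['host']} pid={alert['pid']} {alert['image']} "
              f"under {alert['web_worker']} as {alert['user']}: {alert['cmdline']}")
```

Ancestry walking is what makes this rule hold up against the page's scenario: the interactive `cmd.exe` under `explorer.exe` produces nothing, while every utility in the chain rooted at `w3wp.exe` or `nginx` is reported with the worker it descends from, which is also the server to examine for the webshell file itself.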
While Symantec didn’t attribute the attacks to Sandworm, it said the operations appeared to originate from Russia.
Ukraine’s cyber defense agency CERT-UA recently warned that Russian-linked cyber operations are intensifying. Officials reported more than 3,000 attempted cyberattacks against Ukrainian organizations in the first half of 2025, a 20% increase from the same period last year.