Ukraine Experiences Prolonged Cyber Attacks

By Alexia Curtis on November 7, 2025

Executive Summary

Recent intrusions in Ukraine show threat actors relying on stealth techniques, chiefly the abuse of tools already present on victim systems, to remain undetected inside networks for weeks or months. Such compromises can cause operational disruption, data loss, and interference with government functions. Comprehensive logging of process execution, scripting, authentication, and network activity makes it possible to detect these intrusions early, before adversaries establish persistent access. Combining sound log management with established best practices strengthens an organization's security posture and limits the impact of future incidents.

Background

Ukraine has been the target of sustained cyber attacks, and the most recent incidents have tentatively been linked to Sandworm, a Russian state-sponsored group. Combining malware with Living-off-the-land (LOTL) techniques, which abuse tools and programs already present on the victim's system, the threat actors maintained access to a large business entity for two months and to a local government organization for a week [1]. The first sign of intrusion at the business was detected on June 27, 2025: exploitation of a web application, possibly through an unpatched or previously unknown vulnerability. From that foothold the threat actors maintained prolonged unauthorized access, executed malicious PowerShell commands, and performed memory dumps, snapshots of a process's or system's memory that are commonly taken in order to harvest the credentials held in it.

Sandworm is a prominent threat group within Russia's military intelligence service (GRU), identified as Unit 74455, and has previously been accused of carrying out cyber attacks on Ukraine. In 2024, Ukraine suffered a cyber incident that disrupted critical infrastructure including water, energy, and heating services, which was attributed to a subgroup of Sandworm [2]. It has not been conclusively established that the two recent attacks are connected to the group; however, the tools used in the incidents have been associated with Sandworm in previous campaigns, which raises suspicion. Given Sandworm's history of cyber operations against Ukraine throughout Russia's war on the country, and the overlap in tooling, many analysts suspect the group is behind this campaign.

Impact

Campaigns using LOTL techniques, like those conducted against Ukraine, rely on tools already present on the victim's system, such as PowerShell, rather than on custom malware that security products can fingerprint. Threat actors typically escalate privileges and remain quiet inside the environment; against local governments and businesses this can lead to outages, stolen information, and costly remediation. Access to personal data and to government systems, with the potential to influence future elections, should be treated as a legitimate threat [3]. Ultimately, these latest attacks highlight the importance of strengthening cybersecurity frameworks in both the public and private sectors.

Mitigation

The techniques and tools used in the most recent attacks on Ukraine were chosen specifically to reduce the chance of detection; because LOTL activity runs through legitimate binaries, it rarely triggers signature-based controls. Log monitoring is therefore among the most effective mitigations: maintaining application, security, network, and authentication logs makes it possible to distinguish unauthorized from legitimate activity [4]. On Windows endpoints this means, at a minimum, process creation auditing with command lines recorded (Security event 4688), PowerShell script block logging (event 4104), and retention long enough to reconstruct an intrusion that, as in the business case above, may have lasted two months. Combining such logging with best practices such as multi-factor authentication (MFA) and Endpoint Detection and Response (EDR) helps detect intrusions and persistent unauthorized access within an organization. One caveat: LOTL indicators overlap with routine administration, so alerts must be compared against a baseline of what is normal for each host and account rather than treated as proof of compromise on their own.

Relevance

Contemporary geopolitics has seen a marked increase in the use of cyber attacks, with nations relying on digital tools to influence, gather intelligence on, and disrupt their adversaries. State-supported threat groups such as Sandworm conduct coordinated campaigns that align with military and political objectives. These actions affect not only governments but also the businesses and local entities caught in the crossfire. Strengthening defenses and preparing for future threats in both the public and private sectors therefore requires an understanding of the geopolitical strategies behind them.

References

[1] Lakshmanan, R. (2025, October 29). Russian Hackers Target Ukrainian Organizations Using Stealthy Living-Off-the-Land Tactics. The Hacker News. https://thehackernews.com/2025/10/russian-hackers-target-ukrainian.html

[2] Lakshmanan, R. (2024, April 27). Ukraine Targeted in Cyberattack Exploiting 7-Year-Old Microsoft Office Flaw. The Hacker News. https://thehackernews.com/2024/04/ukraine-targeted-in-cyberattack.html

[3] Tkachuk, N. (2025, July). Ukraine as the Frontline of European Cyber Defence: Building Resilience in the Face of Russian Cyber Aggression. CCDCOE. https://www.ccdcoe.org/uploads/2025/07/Tkachuk_N_Tallinn_Paper_15_Ukraine-as-the-Frontline-of-European-Cyber-Defence.pdf

[4] Cybersecurity and Infrastructure Security Agency (CISA) and partner agencies (2024, February 7). Identifying and Mitigating Living Off the Land Techniques. https://www.cisa.gov/sites/default/files/2025-03/Joint-Guidance-Identifying-and-Mitigating-LOTL508.pdf