National Cyber Warfare Foundation (NCWF)

CyberWar: Compromising a Russian Dispatch Service

2025-08-22 13:58:06
milo
Red Team (CNA)

A single unprotected workstation was abused to harvest credentials, gain domain-admin access, and deploy stealth backdoors across virtual servers, routers, and telephony systems. Within hours the dispatch service was rendered inoperable.

The post CyberWar: Compromising a Russian Dispatch Service first appeared on Hackers Arise.

Welcome back, my aspiring cyberwarriors!

In the ongoing cyber conflict, municipal systems have become high-value targets, not for their strategic military role, but for the disruption they cause when taken offline. Modern city services run on fragile digital foundations. Behind every call center, repair ticket, and utility request is a network of interconnected systems that were never designed with modern cyberwarfare in mind. Many of these municipal platforms are built on outdated infrastructure, maintained by small IT teams, and protected by security tools that are misconfigured. In peacetime, these weaknesses might go unnoticed. But in the middle of a conflict, they become vulnerabilities that can bring an entire city’s operations to a standstill.

This time in cooperation with a Ukrainian hacker unit, we managed to get a hold of another enemy’s infrastructure.

Target

The Unified Dispatch Service of Korolyov (EDS) is a municipal 24/7 operations hub established by the city administration on January 1, 2015. It was created to streamline the handling of residents’ requests and emergencies related to housing and communal services, simplifying the process of submitting, monitoring, and resolving issues. From its inception, the project was staffed by a small team of 14 professional dispatchers working round-the-clock, and it initially handled around 600 calls per day across multi-line telephone channels. This early success validated the concept and led to rapid expansion. Over the years, the volume of daily requests has grown significantly. By October 2024, EDS was registering more than 1,700 appeals every day, spanning both routine inquiries and urgent problems like utility outages, elevator faults, lighting failures, road repairs, and public-space maintenance.

[Image: russian dispatch service]

As soon as a request arrives, it is logged in the system and routed to the relevant municipal or utility department. The dispatcher tracks the work through to completion, and the resident receives confirmation when the issue has been addressed. 

[Image: russian dispatch service]

Korolyov’s Dispatch Service has become a central repository of residents’ personal data, storing full names, addresses, phone numbers, emails and service-request histories through its online portal and app. Its collapse through cyberattack crippled multiple city services at once. For those reading this, let it serve as a reminder: avoid sharing your personal information with companies and small municipal services unless it is absolutely necessary. These organizations often operate with limited budgets, outdated infrastructure, and weak cybersecurity practices. As a result, your private data like names, addresses, contact details, and digital footprints can end up exposed or compromised. When breaches happen, it’s not just an IT issue, it becomes your problem too. Whenever possible, minimize what you hand over, and think twice before trusting that your information will be properly protected.

The Dawn

In March 2025 we managed to get access to the infrastructure of EDS. Quite often you see poorly secured endpoints, either with no antivirus running at all or with one that is incapable of stopping the threat. It was one of those cases. One of the endpoints we managed to compromise had no AV running, and using a relatively outdated exploit we managed to get in. Luckily for us, a domain admin had an idle session on the same computer, which allowed us to dump hashes a few minutes after the compromise.

In our experience, Defender is the last thing you should be concerned about. Although it may hinder you from running exploits and executing commands, it does not have the needed capabilities to ruin your opsec if you accidentally try to abuse it, unless it’s being actively monitored and logs are processed. Also, there’s almost always a host in any organization running with no AV. Mostly, it happens because of the software an organization might be using. Russians like pirated software, while the security products don’t. Running custom apps may also trigger alerts which may delete the app and its data. To avoid this a few hosts are left with no AV running. 

Another common thing you may encounter is Kaspersky Security Center. Usually there is a separate host dedicated to being a center and admins spend a good amount of their time on these hosts.

[Image: kaspersky security center stats]

If during recon you find out that the machines in the domain are governed by a KSC, you should approach things with caution. Avoid noisy attacks like DCSync or Impacket tools, as these attempts will quickly be reported on the dashboard. If things are misconfigured, and often they will be, the dashboard will be flooded with dozens if not hundreds of alerts that nobody can realistically dig through, so even if you did something wrong you are most likely going to be fine.

Initial recon is extremely important and the less noise you make the longer you survive in this game. Always approach targets as if they are tightly secured, because you never know what traps the enemy has for you. A good approach would be running SharpHound to collect data for BloodHound. SharpHound will produce a number of json files, which can also be manually parsed to extract computer names and usernames, using commands like sort and uniq to count the number of each Windows version present in the domain. You can get really creative here, if you like Linux terminals.

Here is how you’d run SharpHound:

PS > SharpHound.exe -c All --Stealth

[Image: viewing all computers in bloodhound]

Keep in mind, all modern antiviruses have the signature of the latest SharpHound, so you will need to disable the AV first. After uploading the zip file directly to BloodHound, you will be able to see all the infrastructure on the screen. This domain was not big and did not have trusts which could potentially help us move on to the other domain, but this size of damage was enough to stop services from running for a few weeks until they fully rebuild a new infrastructure from scratch. 
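
The manual parsing of the SharpHound JSON mentioned above, done as an added example rather than code from the original post: it loads a computers export, tallies operating-system versions the way `sort | uniq -c` would, and lists enabled hosts that run an end-of-life Windows family, which is the same inventory view a defender would want of their own domain. The sample data, host names, and the "unsupported" prefix list are constructed assumptions; the `Properties` key names are assumed to match what the collector writes.

```python
"""Tally operating-system versions from a SharpHound computers JSON file."""
import json
from collections import Counter

# Constructed sample in the shape of a SharpHound v4 computers export.
# Assumption: each entry carries a "Properties" dict with "name",
# "operatingsystem" and "enabled"; the host names are made up.
SAMPLE_COMPUTERS_JSON = json.dumps({
    "data": [
        {"Properties": {"name": "DC01.EXAMPLE.LOCAL", "operatingsystem": "Windows Server 2019 Standard", "enabled": True}},
        {"Properties": {"name": "FILE01.EXAMPLE.LOCAL", "operatingsystem": "Windows Server 2012 R2 Standard", "enabled": True}},
        {"Properties": {"name": "WS-DISP01.EXAMPLE.LOCAL", "operatingsystem": "Windows 10 Pro", "enabled": True}},
        {"Properties": {"name": "WS-DISP02.EXAMPLE.LOCAL", "operatingsystem": "Windows 10 Pro", "enabled": True}},
        {"Properties": {"name": "WS-OLD07.EXAMPLE.LOCAL", "operatingsystem": "Windows 7 Professional", "enabled": True}},
        {"Properties": {"name": "WS-RETIRED.EXAMPLE.LOCAL", "operatingsystem": "Windows 7 Professional", "enabled": False}},
        {"Properties": {"name": "PRN01.EXAMPLE.LOCAL", "operatingsystem": None, "enabled": True}},
    ],
    "meta": {"type": "computers", "count": 7, "version": 5},
})

# OS families that no longer receive regular security updates.
# Assumption: adjust this list to your own patching baseline.
UNSUPPORTED_PREFIXES = ("Windows XP", "Windows 7", "Windows Server 2008", "Windows Server 2012")


def load_computers(raw):
    """Return (name, os, enabled) tuples; a missing OS string becomes '(unknown)'."""
    doc = json.loads(raw)
    computers = []
    for entry in doc.get("data", []):
        props = entry.get("Properties", {})
        name = props.get("name", "?")
        osname = props.get("operatingsystem") or "(unknown)"
        enabled = bool(props.get("enabled", True))
        computers.append((name, osname, enabled))
    return computers


def count_os_versions(computers, enabled_only=False):
    """Count hosts per OS string, optionally ignoring disabled computer accounts."""
    return Counter(osname for _, osname, enabled in computers if enabled or not enabled_only)


def unsupported_hosts(computers):
    """Enabled hosts whose OS starts with an end-of-life family prefix, sorted by name."""
    return sorted(name for name, osname, enabled in computers
                  if enabled and osname.startswith(UNSUPPORTED_PREFIXES))


if __name__ == "__main__":
    hosts = load_computers(SAMPLE_COMPUTERS_JSON)
    # Same view as `sort | uniq -c | sort -rn` over the extracted OS column
    for osname, n in count_os_versions(hosts).most_common():
        print(f"{n:4d} {osname}")
    print("unsupported and still enabled:", ", ".join(unsupported_hosts(hosts)))
```

Disabled computer accounts are counted separately on purpose: a retired Windows 7 object that is still in the directory is a hygiene issue, but an enabled one is a live host that the domain trusts.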

Attack

Late one March evening, the first sign of the breach appeared when the dispatch team noticed a sudden blackout of all interior camera feeds. The central video wall, usually alive with camera streams and stats, went dark, then flickered into static. At that moment we had already compromised the entire domain and there was nothing to worry about. The wipers were scheduled and the IT team was simply incapable of terminating our access. We seized the camera system, gaining real-time access to dispatcher screens, conversations, and keystrokes to witness the organization’s downfall.

[Image: compromising cameras]

It all began with a little-noticed mail server host that lacked any antivirus protection. Once inside, we ran a memory-dumping tool to harvest NTLM hashes from the host. Among the trove of credentials we collected was the hash of a domain admin account. Confident that the hash was correct, we performed a pass-the-hash attack against the domain controller. The moment we gained domain-admin privileges, we created hidden service accounts and disabled critical security logs, ensuring that no alerts would be raised even if someone checked the logs later. Within hours, we escalated from passive observation to full system takeover. We pivoted from the DC into the virtual infrastructure by exploiting a weak admin password on the ESXi host.

[Image: compromising ESXi and virtual machines]

Overnight, we loaded a stealthy hypervisor-level backdoor that allowed us to spin up rogue virtual machines under the radar. From that foothold, we moved laterally into the MikroTik routers controlling the network perimeter. By changing firewall rules and DNS settings, we isolated critical servers so that they would be beyond reach when the hot stage of the attack began.

[Image: compromising a MikroTik]

By dawn, nearly every government agency account tied to the Unified Dispatch Service had been compromised. We gathered login credentials for housing inspectors, utility managers, road-repair crews, and municipal maintenance teams. With those credentials, we accessed the task-tracking platform that assigned work orders to field teams. This allowed us to delete months of tickets, project records, and repair schedules, effectively erasing the digital to-do list of the entire city.

[Image: compromising a task tracking platform]

The campaign did not stop there. We breached the private branch exchange that handled all inbound and outbound phone calls. Service logs showed dozens of lines going dead simultaneously, leaving residents unable to report emergencies or request support.

[Image: compromising phone service accounts]

[Image: compromising a megaphone account]

We also compromised the account of the region’s Internet and telephony provider, giving us control over external connectivity. Armed with that access, we shut down secondary network links and phone trunks, turning Korolyov’s dispatch center into an isolated island.

[Image: harvested data during the breach]

[Image: showing government related groups in the AD]

Finally, we struck at the heart of the AD itself. With domain-controller privileges in hand we removed every user and machine account from Active Directory. This destructive act left workstations, file shares, and internal services unable to authenticate any user. Without valid logins, the dispatch software, email, and intranet stopped working.
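
The intrusion described above leaves a recognisable trail in the Windows Security log: the log clearing and service-account creation after the pass-the-hash step, and the burst of user and computer account deletions at the end. The following is an added detection example, not code from the original post, that runs three simple rules over constructed sample events. The record layout (`time`, `id`, `host`, `subject`, `target`) is an assumed simplification of the Security event fields, and the account names and timestamps are made up; the event IDs are the standard ones (1102 audit log cleared, 4719 audit policy changed, 4720 user created, 4726 user deleted, 4743 computer account deleted).

```python
"""Flag log tampering, post-wipe account creation and mass account deletion."""
from collections import defaultdict
from datetime import datetime, timedelta

TAMPER_IDS = {1102, 4719}        # audit log cleared, audit policy changed
CREATE_IDS = {4720}              # user account created
DELETE_IDS = {4726, 4743}        # user account deleted, computer account deleted
EVENT_NAMES = {1102: "audit log cleared", 4719: "audit policy changed",
               4720: "user account created", 4726: "user account deleted",
               4743: "computer account deleted"}

# Constructed sample events (not real logs). Field names are an assumed
# simplification of the Security event XML; names and times are invented.
SAMPLE_EVENTS = [
    {"time": "2025-03-20T22:01:05", "id": 1102, "host": "DC01", "subject": "ADMIN01", "target": ""},
    {"time": "2025-03-20T22:03:10", "id": 4720, "host": "DC01", "subject": "ADMIN01", "target": "svc_update"},
    {"time": "2025-03-20T22:03:40", "id": 4720, "host": "DC01", "subject": "ADMIN01", "target": "svc_monitor"},
    {"time": "2025-03-21T08:15:00", "id": 4726, "host": "DC01", "subject": "HELPDESK", "target": "j.doe"},
] + [
    # six user deletions inside one minute by the same subject
    {"time": f"2025-03-21T09:10:{s:02d}", "id": 4726, "host": "DC01", "subject": "ADMIN01", "target": f"user{i}"}
    for i, s in enumerate(range(0, 60, 10))
] + [
    {"time": "2025-03-21T09:11:05", "id": 4743, "host": "DC01", "subject": "ADMIN01", "target": "WS-DISP01$"},
    {"time": "2025-03-21T09:11:20", "id": 4743, "host": "DC01", "subject": "ADMIN01", "target": "WS-DISP02$"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_log_tampering(events):
    """Every log-clear or audit-policy change is worth a ticket on its own."""
    return [{"rule": "log_tampering", "time": e["time"], "host": e["host"],
             "subject": e["subject"], "event": EVENT_NAMES[e["id"]]}
            for e in events if e["id"] in TAMPER_IDS]


def detect_creation_after_clear(events, window=timedelta(minutes=15)):
    """Accounts created on a host shortly after its audit log was cleared."""
    clears = [e for e in events if e["id"] == 1102]
    findings = []
    for e in events:
        if e["id"] not in CREATE_IDS:
            continue
        for c in clears:
            if c["host"] == e["host"] and timedelta(0) <= _ts(e) - _ts(c) <= window:
                findings.append({"rule": "account_created_after_log_clear", "time": e["time"],
                                 "host": e["host"], "subject": e["subject"], "target": e["target"]})
                break
    return findings


def detect_deletion_bursts(events, window=timedelta(minutes=10), threshold=5):
    """A subject deleting >= threshold accounts within the window (sliding over sorted times)."""
    by_subject = defaultdict(list)
    for e in events:
        if e["id"] in DELETE_IDS:
            by_subject[e["subject"]].append(_ts(e))
    findings = []
    for subject, times in by_subject.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            findings.append({"rule": "mass_account_deletion", "subject": subject,
                             "count": best, "window_minutes": int(window.total_seconds() // 60)})
    return findings


def run_all(events):
    return detect_log_tampering(events) + detect_creation_after_clear(events) + detect_deletion_bursts(events)


if __name__ == "__main__":
    for finding in run_all(SAMPLE_EVENTS):
        print(finding)
```

The thresholds are deliberately conservative: a helpdesk operator removing one leaver does not trip the burst rule, while eight deletions in under two minutes by one account does. Because 1102 is the last thing written before a cleared log, forwarding Security events off-host (to a collector the domain admin cannot reach) is what makes the first rule useful at all.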

[Image: collapsing a website after a wiper attack]

By midday, the city’s infrastructure was in ruins. The dispatchers who had once monitored every pothole complaint and power outage found themselves locked out of their consoles. The public-facing website collapsed under the attack. Pages were rendered in broken HTML, links pointing nowhere, and graphics absent.

Residents refreshing the page saw nothing but raw error messages and incomplete content. A good reminder of how a single breach can ripple across every corner of a city’s operations.

Summary

In March 2025, a single unprotected computer led to the complete shutdown of a city’s dispatch service. We moved from that weak point through the network, gaining full administrative control, planting backdoors, and taking over virtual servers, routers, and phone systems. We deleted months of service records, cut off communications, and locked every user out of the system, leaving critical municipal services without access to their tools or data. Within hours, the city’s main hub for handling emergencies and repairs went completely offline. By exploiting one small security gap you can cause an entire organization to collapse.

Source: HackersArise
Source Link: https://hackers-arise.com/cyberwar-compromising-a-russian-dispatch-service/
