The post CyberWar: The Breach at Avtodor– Control and Collapse – Breaking Down the Infrastructure, Part 2 first appeared on Hackers Arise.
Welcome back, cyberwarriors!
In my previous article I detailed the process of infiltrating Avtodor, the Russian state-run company overseeing the construction and maintenance of roads and highways. In part II we finally execute our well-laid plans.
Taking Over the Specialized Vehicles

Most dispatcher terminals ran a vehicle monitoring app—basic fleet management. You’d expect some login protection and technically it was there. But in more than one case, the login and password were the same. Low effort, low defense. Once inside, we could see everything: routes, current tasks, maintenance logs, even mechanical health stats for individual parts of each vehicle.

We could track them in real time, stop them, and watch the weather in that part of Moscow where they were. You name it! It was full visibility and full control.
If you’ve seen Mr. Robot, you’ll remember that scene where the FBI was tailing a taxi with Elliot and Darlene in it. Irving called dispatch, claimed the car was stolen, and they shut it down remotely. Same concept here. It was live.
Data Exfiltration
By the time we got to this stage, we knew the system inside and out. Exfil was quick. Sometimes manual—grab what you need as you go. Other times scripted, if the target folders were obvious or if we were short on time.
Small files were pulled out using Evil-WinRM through the SOCKS proxy. For bigger dumps, we used PowerShell scripts like PSUpload. Could we have gone full covert with ICMP or DNS tunneling? Sure. But it wasn’t necessary. The real threat wasn’t the network—it was the user and whatever AV they had running.
Paranoia
This part was saved for the collaborators, people working in the occupied zones. Like in Dante’s circles, traitors had the worst fate.
It took a week of steady pressure: accounts deleted, passwords changed, password reset codes spammed to phones, active sessions shut down across Telegram, WhatsApp, browser syncs. 2FA tokens were revoked. Authenticator apps unlinked. Anything that could be touched, was touched. If we couldn’t delete the account, we wiped the contents.

Some had seed phrases stored in Telegram saved messages, right there on their workstations. Those phrases didn’t stay there long.
Now imagine waking up to that. Day after day. You don’t know how deep it goes. Maybe someone’s watching your webcam. Maybe your mic is live. It’s not the breach that gets them, it’s the uncertainty.
Web Application: Digital Access Control
There was a centralized web app managing access permits for vehicles and workers. You could issue new permits or revoke existing ones. You could even hire and fire staff by adding or removing IDs in the backend.

We didn’t hesitate. All active permits were revoked. IDs started vanishing from the system. By the end, it looked like a startup with one lonely admin left—except we changed his password too. Now it was our account.
The Rugpull
4 AM Moscow time was the best window for this task. Low traffic. Fewer eyes. Fewer questions. That gave us a solid two-hour block to hit the entire network without resistance.
By this point, Windows Defender was disabled across all critical machines. That was handled earlier. The plan was to drop ransomware and encrypt systems in one synchronized hit.
If the environment uses Active Directory, you can use Group Policy to push a scheduled task across all systems. That task downloads a payload from a shared folder and runs it. If there is no AD, you upload executables manually. Slower, but it still gets the job done; it just needs more hands or more time. But be careful: if they cut the internet as a defense, that's when the lights go out for all of us.
For larger environments without AD, we set up individual scheduled tasks on each system with SYSTEM-level privileges. That way, they all execute at once and cook the entire network clean.
Here’s how you set up a scheduled task in CMD or PowerShell:
schtasks /create /tn "Windows Update Service" /tr "C:\Windows\Tasks\RANSOME.exe" /sc daily /st 04:00 /ru System /f
To confirm it’s in place:
schtasks /query /tn "Windows Update Service"
And if you ever need to force it early:
schtasks /run /tn "Windows Update Service"
CMD is your friend here; it's quieter than PowerShell, which logs everything. Set the task daily, just in case. If the grid drops at 4 AM, you get another shot tomorrow. Let the machines handle the rest.
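The scheduled-task pattern above leaves a clear footprint on the defender's side: a task-creation event (Windows Security event 4698, "A scheduled task was created") for a SYSTEM-level task whose binary sits in C:\Windows\Tasks and whose name borrows from a built-in Windows component. The following added example, not part of the original post, runs that triage logic over a few constructed event records; the record layout and field names are assumptions, not a real log export.

```python
"""Triage scheduled-task creation events for the tradecraft described above.

The sample records are constructed and loosely modelled on Windows
Security event 4698; the field names are assumptions for this example.
"""
import re
from dataclasses import dataclass

# Binaries that legitimate SYSTEM tasks launch normally live here.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\program files")
# Task names that imitate built-in Windows components to blend in.
LOOKALIKE = re.compile(r"windows\s*(update|defender|security)", re.I)


@dataclass
class TaskEvent:
    event_id: int   # 4698 = task created, 4702 = task updated
    task_name: str
    run_as: str
    command: str    # the /tr value as logged


def suspicious(ev: TaskEvent) -> list[str]:
    """Return the reasons a task-creation event matches the pattern."""
    if ev.event_id != 4698:
        return []
    cmd = ev.command.strip('"').lower()
    reasons = []
    if ev.run_as.upper() in ("SYSTEM", "NT AUTHORITY\\SYSTEM") \
            and not cmd.startswith(TRUSTED_DIRS):
        reasons.append("SYSTEM task runs a binary outside trusted directories")
    if cmd.startswith(r"c:\windows\tasks"):
        reasons.append("binary staged in C:\\Windows\\Tasks")
    if LOOKALIKE.search(ev.task_name):
        reasons.append("task name mimics a Windows component")
    return reasons


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    TaskEvent(4698, "Windows Update Service", "SYSTEM", r'"C:\Windows\Tasks\RANSOME.exe"'),
    TaskEvent(4698, "Backup-Nightly", "CORP\\svc_backup", r"C:\Program Files\Backup\backup.exe"),
    TaskEvent(4698, "Defrag", "SYSTEM", r"C:\Windows\System32\defrag.exe"),
    TaskEvent(4702, "Windows Update Service", "SYSTEM", r"C:\Windows\Tasks\RANSOME.exe"),
]


def triage(events: list[TaskEvent]) -> list[tuple[str, list[str]]]:
    """Keep only the events that raised at least one reason."""
    return [(e.task_name, suspicious(e)) for e in events if suspicious(e)]
```

In a real deployment the same checks would run over exported 4698 events (or the equivalent EDR telemetry), with the trusted-directory list tuned to the environment's own software inventory.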

Here you can see some of them “well-done”. The entire network, of course, wouldn’t fit the screen.
Taking Over the Cloud
Once we sorted through the internal data, we found credentials to their cloud systems. The cloud was used to monitor production with data coming in from various sites, all centralized for analysis.
We got lucky. The admin account was compromised early. We had full control. But we didn’t go loud. Instead, we dismantled it piece by piece. It started with quiet database edits. Not deletion, but distortion. So when backups ran, they saved corrupted data. Over time, the backups themselves were poisoned.

After about a month of quiet manipulation, we flipped the switch. Deleted users, wiped records, wrecked the environment from the inside. This happened right after we crippled their internal network, so there was no quick fix.

They scrambled to rebuild the cloud from scratch. Some data might be gone forever. That’s the kind of loss you can’t patch over.
Conclusion
From initial access through the supply chain to full control over Avtodor’s infrastructure, this operation showed how deep a network can be penetrated when persistence, planning, and patience come together. We moved through cloud environments, dispatcher systems, surveillance feeds, and vehicle control platforms collecting intel, disrupting operations, and leaving no corner untouched.
The exfiltration was clean. The sabotage was deliberate. The system was compromised from inside out, quiet at first, then loud enough to leave a lasting mark.
Hope you cyberwarriors learned something new about access, control, timing, and the art of staying hidden until it’s time to strike!
Source: HackersArise
Source Link: https://hackers-arise.com/cyberwar-the-breach-at-avtodor-control-and-collapse-breaking-down-the-infrastructure-part-2/