Dismissed access: hackers have increased attacks with the help of "dead souls"
Hackers have become more likely to penetrate the computer networks of companies and government agencies using the accounts of former employees, cybersecurity companies told Izvestia. In one such case, attackers used this route to steal information from the internal databases of a state medical organization for six months. How hackers use these loopholes, and what the failure to delete the accounts of dismissed employees can lead to, is covered in this Izvestia article.
How hackers use "dead souls"
Russian government and commercial structures have become more often attacked with the help of "dead souls" — through the accounts of former employees, cybersecurity companies told Izvestia. Attackers take advantage of the fact that companies forget to delete these accounts for some reason.
For example, one Russian state organization in the healthcare sector came under such an attack, experts from the Solar 4RAYS Cyber Threat Research Center at Solar Group said. Hackers from the pro-Ukrainian group Shedding Zmiy penetrated its infrastructure through former employees' accounts on a corporate VPN server (a virtual private network, which protects the confidentiality and integrity of staff data transmitted over open communication channels). As a result, the attackers stole the organization's confidential information from internal databases for more than six months.
"In this case, the medical organization's information security specialists noticed various incidents and eliminated their consequences," said Denis Chernov, an expert at Solar 4RAYS. "But their antivirus could not recognize the malware samples, they also did not delete the accounts of former employees in time, and they did not identify the source of the compromise. As a result, the attackers came back again and again."
After connecting to the network through the account of a former employee, the hackers compromised the server account used to manage the company's databases; it had a weak password.
"A few days later, the attackers compromised many employee accounts, with which they began to move through and infect the infrastructure," the experts added. "In addition, the hackers added a new module to their stealer. It made it possible to steal information from browsers and take screenshots on users' devices, that is, to receive data not only from the organization's databases, but also directly from employees' devices."
Such attacks are widespread and affect organizations from different fields, confirmed Nikolay Spirikhin, head of the Softline Solutions Network Security Competence Center (Softline Group). Banks, insurance companies, industry, healthcare, telecommunications, and government agencies are most often under attack.
"Once inside, attackers start accessing internal information systems and gaining access to them: stealing confidential data, installing malware, activating unused and old accounts, creating new ones and increasing their access level," the expert noted. "This is often followed by attacks on partner or affiliated organizations."
Head of BI.ZONE DFIR Fyodor Skvortsov told Izvestia that a similar situation occurred in another company in 2025.
"When analyzing the compromise of the infrastructure, we reached the perimeter host, where there was a vulnerability that allowed an attacker to gain access to the account of an employee who had left the company back in 2022," he said. "At the same time, his account was not blocked in the system."
What are the dangers of non-deleted accounts?
In 2025, Shedding Zmiy actually stopped or significantly reduced its activity, Denis Chernov noted.
"Pro-Ukrainian hackers probably went into a lull to update their tools and return with renewed vigor, which means they already pose a serious threat to all key Russian organizations," he stressed.
In such incidents, it is important to understand that the problem is not limited to a VPN or a specific service, Fyodor Skvortsov added.
"Accounts of former employees or contractors that have not been disabled in a timely manner pose a serious threat, regardless of where they are used: in VPNs, mail systems, cloud services or internal applications," the expert noted. "Such accounts often go unnoticed for years and become a convenient entry point for intruders."
For example, attackers are particularly fond of accounts for remote access services: according to the Threat Zone 2026 study, this is how 18% of attacks on Russian companies begin. Attackers use both password brute force and stealers. The company's field of activity does not matter, the expert added.
According to the company, about 5% of domain accounts have not been used for more than three years.
"This highlights the scale of the problem, because, in fact, any of these uncontrolled accounts can become a door for intruders, and these are great risks," Fyodor Skvortsov emphasized. "35% of highly critical incidents last year were related to compromised passwords from privileged accounts."
The situation is aggravated by the fact that VPN access in many organizations is implemented through the same domain accounts: the same logins and passwords are used, so compromising one login-password pair immediately gives access to both the network and internal systems, added Dmitry Babich, a leading engineer in the information systems support department at UDV Group.
"The main way to detect it is not to search for the login event itself, but to analyze anomalies in the behavior of accounts," he said. "Suspicious signs may include out-of-hours logins, connections from atypical geographical locations, or actions uncharacteristic of the user, such as bulk data uploads or attempts to access unusual systems."
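The behavioral indicators listed above, applied to a constructed sample of VPN log lines as an added illustration (this is not code from the article or from any of the companies quoted; the log format, the working-hours window, the 1 GB upload threshold and the per-user country baseline are all assumptions):

```python
import re
from datetime import datetime, timezone

# Constructed sample VPN log lines (not from the article); the line format is an assumption.
SAMPLE_VPN_LOG = """\
2025-03-03T09:12:41Z user=ivanov src_country=RU result=success bytes_out=120000
2025-03-03T10:02:05Z user=ivanov src_country=RU result=success bytes_out=95000
2025-03-04T02:47:13Z user=petrov src_country=RU result=success bytes_out=80000
2025-03-04T03:15:58Z user=ivanov src_country=NL result=success bytes_out=9800000000
2025-03-04T11:30:00Z user=sidorova src_country=RU result=success bytes_out=70000
"""
# Constructed HR data: logins of former employees whose accounts should already be disabled.
FORMER_EMPLOYEES = {"petrov"}
# Constructed per-user baseline of the countries each user normally connects from.
BASELINE_COUNTRIES = {"ivanov": {"RU"}, "petrov": {"RU"}, "sidorova": {"RU"}}
LINE_RE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) src_country=(?P<cc>\S+) "
                     r"result=(?P<res>\S+) bytes_out=(?P<bytes>\d+)")
WORK_HOURS = range(8, 20)          # 08:00-19:59 UTC counted as working hours (assumption)
BULK_UPLOAD_BYTES = 1_000_000_000  # 1 GB in one session counted as a bulk upload (assumption)

def parse_vpn_log(text):
    """Parse matching log lines into dicts with a UTC timestamp and an integer byte count."""
    events = []
    for m in LINE_RE.finditer(text):
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        e["bytes"] = int(e["bytes"])
        events.append(e)
    return events

def detect_anomalies(events, former_employees, baseline_countries):
    """Return (user, timestamp, reasons) for each successful login showing one or more of the
    indicators the article names: former-employee account, out-of-hours, atypical country, bulk upload."""
    findings = []
    for e in events:
        if e["res"] != "success":
            continue  # failed attempts are handled by brute-force detection, not here
        reasons = []
        if e["user"] in former_employees:
            reasons.append("former-employee account")
        if e["ts"].hour not in WORK_HOURS:
            reasons.append("out-of-hours login")
        if e["cc"] not in baseline_countries.get(e["user"], set()):
            reasons.append("atypical country")
        if e["bytes"] >= BULK_UPLOAD_BYTES:
            reasons.append("bulk data upload")
        if reasons:
            findings.append((e["user"], e["ts"].isoformat(), reasons))
    return findings
```

On the sample data the login by the former employee and the night-time, foreign, multi-gigabyte session are flagged; the ordinary daytime logins are not.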
Who is responsible
Responsibility for non-deleted employee accounts through which unauthorized access occurred is complex and depends on the distribution of responsibilities within the organization, as well as on the established requirements of legislation and internal regulations, Ekaterina Kosareva, managing partner of the VMT Consult agency, recalled.
"First of all, we are talking about the responsibility of the employer as an operator of information systems and, in some cases, personal data," she said. "In accordance with current laws, it is the organization's responsibility to ensure an appropriate level of information protection, including timely termination of access for dismissed or transferred employees."
If it is established that the incident occurred as a result of improper organization of access control processes, the company may be held administratively liable, and if there is damage, civil liability.
"The distribution of functions between divisions is of particular importance," Ekaterina Kosareva added. "If the obligation to block or delete accounts is assigned to specific officials, such as employees of the IT service or information security units, their actions or omissions may result in disciplinary liability. In case of gross negligence or intentional violation of internal regulations, the issue of financial liability may also be considered."
If a data leak or hacking has led to serious consequences, including causing major damage or violating requirements for the protection of restricted access information, criminal prosecution is not excluded, but only if there is evidence of a crime and specific perpetrators are identified.
Such cases show how critical it is to build account management processes: timely disable access for dismissed employees, regularly audit accounts and monitor the use of privileged rights, said Fyodor Skvortsov.
"According to our statistics, 72% of the affected companies lacked two-factor authentication when accessing the VPN, and 70% did not have full control over privileged accounts," the expert said. "In such circumstances, even one forgotten account can become a starting point for compromising the entire infrastructure."
To avoid incidents, it is necessary to have a standardized, or better yet automated, procedure for revoking all of a dismissed employee's access rights to the company's IT infrastructure, says Ashot Oganesyan, founder of DLBI, a data leak intelligence and darknet monitoring service. In addition, you need to monitor for compromised user passwords. There are automated solutions for this that check whether a password has appeared in leaks and immediately reset it, closing access to intruders.
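The account-management process the two experts above describe (disabling dismissed employees' accounts, auditing accounts unused for more than three years, and feeding the result into an automated revocation job), shown as an added example over a constructed directory export; this is not code from the article or from any of the companies quoted, and the field names, the HR roster and the offboarding steps are assumptions:

```python
from datetime import date, timedelta

# Constructed directory export (not real data); field names are assumptions, a real AD export
# would carry attributes such as lastLogonTimestamp and userAccountControl instead.
DIRECTORY_EXPORT = [
    {"login": "ivanov", "type": "user", "enabled": True, "last_logon": date(2025, 3, 3)},
    {"login": "petrov", "type": "user", "enabled": True, "last_logon": date(2022, 11, 14)},
    {"login": "sidorova", "type": "user", "enabled": True, "last_logon": date(2025, 3, 4)},
    {"login": "svc_backup", "type": "service", "enabled": True, "last_logon": date(2021, 6, 1)},
    {"login": "kuznetsov", "type": "user", "enabled": False, "last_logon": date(2023, 1, 9)},
]
# Constructed HR roster of currently employed staff; petrov left in 2022 but was never disabled.
ACTIVE_STAFF = {"ivanov", "sidorova"}
AUDIT_DATE = date(2025, 3, 10)          # constructed "today" for the demo
STALE_AFTER = timedelta(days=3 * 365)   # the article cites accounts unused for over three years

def audit_accounts(accounts, active_staff, today):
    """Sort accounts into: orphaned (enabled user account whose owner is no longer on the HR
    roster), stale (enabled but unused longer than STALE_AFTER) and ok (incl. already disabled).
    Also reports the stale share of all accounts, comparable to the 5% figure in the article."""
    report = {"orphaned": [], "stale": [], "ok": []}
    for a in accounts:
        if not a["enabled"]:
            report["ok"].append(a["login"])
        elif a["type"] == "user" and a["login"] not in active_staff:
            report["orphaned"].append(a["login"])
        elif today - a["last_logon"] > STALE_AFTER:
            report["stale"].append(a["login"])
        else:
            report["ok"].append(a["login"])
    report["stale_share"] = round(len(report["stale"]) / len(accounts), 2)
    return report

def offboarding_actions(report):
    """Map the audit result to the steps an automated revocation job would apply. Disabling the
    domain account comes first because VPN, mail and cloud logins share the same credentials."""
    actions = []
    for login in report["orphaned"]:
        actions += [(login, "disable account"),
                    (login, "terminate active VPN and mail sessions"),
                    (login, "remove from privileged groups"),
                    (login, "revoke certificates and access tokens")]
    for login in report["stale"]:
        actions += [(login, "disable pending owner confirmation"),
                    (login, "review privileged group membership")]
    return actions
```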
Translated by the Yandex Translate service.