CyberSecurity news
@www.microsoft.com
A subgroup of the Russian state-sponsored hacking group APT44, also known as Seashell Blizzard and Sandworm, has been conducting a multi-year campaign named BadPilot, targeting critical organizations and governments. Microsoft's Threat Intelligence team has been researching this operation, revealing that the group aims to gain initial access to strategically important organizations across the U.S. and Europe. This campaign has been active since at least 2021, with the threat actor focusing on initial access, persistence, and maintaining presence to allow for tailored network operations.
The BadPilot hackers have expanded their focus beyond Ukraine and Eastern Europe, now including targets in the U.S. and U.K. since early 2024. Sectors affected include energy, oil and gas, telecommunications, shipping, arms manufacturing, and government entities. Microsoft assesses that while some targeting is opportunistic, the accumulated compromises offer Seashell Blizzard options when responding to Russia’s evolving strategic objectives and national priorities. The group has been exploiting vulnerabilities in ConnectWise ScreenConnect and Fortinet FortiClient EMS security software to achieve this broadened access.
References:
- therecord.media: A subgroup of Russia's Sandworm state-backed hacking group has been running a multi-year campaign to gain initial access to dozens of strategically important organizations across the U.S. and Europe
- www.bleepingcomputer.com: A subgroup of the Russian state-sponsored hacking group APT44, also known as 'Seashell Blizzard' and 'Sandworm', has been targeting critical organizations and governments in a multi-year campaign dubbed 'BadPilot.'
- www.microsoft.com: The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation
- The Hacker News: Microsoft Uncovers Sandworm Subgroup's Global Cyber Attacks Spanning 15+ Countries
- Know Your Adversary: Microsoft Threat Intelligence has published a report on Seashell Blizzard, a high-impact threat actor that conducts global activities ranging from espionage to information operations and cyber-enabled disruptions.
- BleepingComputer: A subgroup of the Russian state-sponsored hacking group APT44, also known as 'Seashell Blizzard' and 'Sandworm', has been targeting critical organizations and governments in a multi-year campaign dubbed 'BadPilot.'
- securityaffairs.com: Russia-linked APT Seashell Blizzard is behind the long running global access operation BadPilot campaign
- Vulnerable U: Russian Hackers Expand Global Cyber Espionage Campaign with "BadPilot" Operation
- hackread.com: Microsoft Uncovers ‘BadPilot’ Campaign as Seashell Blizzard Targets US and UK
- Microsoft Security Blog: The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation
- Cybernews: Microsoft researchers expose “BadPilot,” a subgroup aiding Kremlin-backed hackers Seashell Blizzard in global cyberattacks
- Information Security Buzz: Russia-Linked Seashell Blizzard Intensifies Cyber Operations Against Critical Sectors
- Industrial Cyber: Microsoft details Seashell Blizzard BadPilot campaign targeting energy, telecom, government sectors
- Security Risk Advisors: Microsoft Security blog post on the BadPilot campaign.
- BleepingComputer: Infosec.exchange post regarding the BadPilot campaign and its global access operation.
- sra.io: SRA.io post discussing Seashell Blizzard's BadPilot campaign to exploit perimeter systems and expand global access.
Classification:
- HashTags: #APT44 #Sandworm #BadPilot
- Company: Microsoft
- Target: Critical Infrastructure, Governments
- Attacker: APT44
- Feature: Initial Access
- Type: APT
- Severity: Major