February 12, 2025
Microsoft Uncovers Sandworm Subgroup's Global Cyber Attacks Spanning 15+ Countries
A subgroup within the infamous Russian state-sponsored hacking group known as Sandworm has been attributed to a multi-year initial access operation dubbed BadPilot that stretched across the globe.

“This subgroup has conducted globally diverse compromises of Internet-facing infrastructure to enable Seashell Blizzard to persist on high-value targets and support tailored network operations,” the Microsoft Threat Intelligence team said in a new report shared with The Hacker News ahead of publication.

The geographical spread of the initial access subgroup’s targets includes the whole of North America, several countries in Europe, as well as others, including Angola, Argentina, Australia, China, Egypt, India, Kazakhstan, Myanmar, Nigeria, Pakistan, Turkey, and Uzbekistan.

The development marks a significant expansion over the past three years of the hacking group’s victimology footprint, which has otherwise been concentrated around Eastern Europe –

  • 2022: Energy, retail, education, consulting, and agriculture sectors in Ukraine
  • 2023: Sectors in the United States, Europe, Central Asia, and the Middle East that provided material support to the war in Ukraine or were geopolitically significant
  • 2024: Entities in the United States, Canada, Australia, and the United Kingdom

Sandworm is tracked by Microsoft under the moniker Seashell Blizzard (formerly Iridium), and by the broader cybersecurity community under the names APT44, Blue Echidna, FROZENBARENTS, Grey Tornado, Iron Viking, Razing Ursa, Telebots, UAC-0002, and Voodoo Bear. Active since at least 2013, the group is assessed to be affiliated with Unit 74455 within the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).

The adversarial collective has been described by Google-owned Mandiant as a “highly adaptive” and “operationally mature” threat actor that engages in espionage, attack, and influence operations. It also has a track record of mounting disruptive and destructive attacks against Ukraine over the past decade.

Campaigns mounted by Sandworm in the wake of the Russo-Ukrainian war have leveraged data wipers (KillDisk aka HermeticWiper), pseudo-ransomware (Prestige aka PRESSTEA), and backdoors (Kapeka), in addition to malware families that allow the threat actors to maintain persistent remote access to infected hosts via DarkCrystal RAT (aka DCRat).

It has also been observed relying on a variety of Russian companies and criminal marketplaces to source and sustain its offensive capabilities, highlighting a growing trend of cybercrime facilitating state-backed hacking.

“The group has used criminally sourced tools and infrastructure as a source of disposable capabilities that can be operationalized on short notice without immediate links to its past operations,” the Google Threat Intelligence Group (GTIG) said in an analysis.

“Since Russia’s full-scale invasion of Ukraine, APT44 has increased its use of such tooling, including malware such as DarkCrystal RAT (DCRat), Warzone, and RADTHIEF (‘Rhadamanthys Stealer’), and bulletproof hosting infrastructure such as that provided by the Russian-speaking actor ‘yalishanda,’ who advertises in cybercriminal underground communities.”

Microsoft said the Sandworm subgroup has been operational since at least late 2021, exploiting various known security flaws to obtain initial access, followed by a series of post-exploitation actions aimed at collecting credentials, achieving command execution, and supporting lateral movement.

“Observed operations following initial access indicate that this campaign enabled Seashell Blizzard to obtain access to global targets across sensitive sectors including energy, oil and gas, telecommunications, shipping, arms manufacturing, in addition to international governments,” the tech giant noted.

“This subgroup has been enabled by a horizontally scalable capability bolstered by published exploits that allowed Seashell Blizzard to discover and compromise numerous Internet-facing systems across a wide range of geographical regions and sectors.”

Since early last year, the sub-cluster is said to have weaponized vulnerabilities in ConnectWise ScreenConnect (CVE-2024-1709) and Fortinet FortiClient EMS (CVE-2023-48788) to infiltrate targets in the United Kingdom and the United States.

Attacks carried out by the subgroup involve a combination of both opportunistic “spray and pray” attacks and targeted intrusions that are designed to maintain indiscriminate access and perform follow-on actions to either expand network access or obtain confidential information.

It’s believed that the wide array of compromises offers Seashell Blizzard a way to meet the Kremlin’s ever-evolving strategic objectives, permitting the hacking outfit to horizontally scale its operations across diverse sectors as new exploits are disclosed.

As many as eight different known security vulnerabilities have been exploited by the subgroup to date,

A successful foothold is succeeded by the threat actor establishing persistence through three different methods –

  • February 24, 2024 – present: Deployment of legitimate remote access software such as Atera Agent and Splashtop Remote Services, in some cases abusing the access to drop additional payloads for credential acquisition, data exfiltration, and other tools for maintaining access like OpenSSH and a bespoke utility dubbed ShadowLink that allows the compromised system to be accessible via the TOR anonymity network
  • Late 2021 – present: Deployment of a web shell named LocalOlive that allows for command-and-control and serves as a conduit for more payloads, such as tunneling utilities (e.g., Chisel, plink, and rsockstun)
  • Late 2021 – 2024: Malicious modifications to Outlook Web Access (OWA) sign-in pages to inject JavaScript code that can harvest and exfiltrate credentials back to the threat actor in real time, and alteration of DNS A-record configurations, likely in an effort to intercept credentials from critical authentication services
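As an added defensive illustration (not code from the Microsoft report or from The Hacker News), the following Python script compares the script elements of an OWA sign-in page against a baseline of known-good fingerprints and flags unknown scripts that load from an unexpected host or touch the password field, the tampering pattern described in the third persistence method above. The baseline hash, the allowed host, and the two page samples are constructed for the example; real OWA markup differs.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

def fingerprint(text: str) -> str:
    """SHA-256 of a script's src URL or inline body, used as the baseline key."""
    return hashlib.sha256(text.strip().encode()).hexdigest()

class ScriptCollector(HTMLParser):
    """Collect every <script> element as (src attribute or None, inline body)."""
    def __init__(self):
        super().__init__()
        self.scripts = []
        self._open = None
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._open = [dict(attrs).get("src"), ""]
    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data
    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._open is not None:
            self.scripts.append(tuple(self._open))
            self._open = None

def find_injected_scripts(html, baseline_hashes, allowed_hosts):
    """Report scripts absent from the golden-copy baseline, classified by how suspicious they are."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src, body in parser.scripts:
        if fingerprint(src or body) in baseline_hashes:
            continue                      # known-good script from the golden copy
        if src:
            host = (urlparse(src).hostname or "").lower()
            kind = "external-script" if host and host not in allowed_hosts else "unbaselined-script"
            findings.append((kind, src))
        else:                             # inline script not seen in the baseline
            kind = "inline-password-access" if "password" in body.lower() else "unbaselined-inline"
            findings.append((kind, body.strip()[:60]))
    return findings

# Constructed samples (not real OWA markup): a golden copy and a tampered copy.
GOOD_PAGE = ('<html><head><script src="/owa/auth/logon.js"></script></head>'
             '<body><form><input name="password" type="password"></form></body></html>')
TAMPERED_PAGE = GOOD_PAGE.replace("</head>",
    '<script src="https://cdn.attacker.invalid/owa.js"></script>'
    '<script>document.forms[0].onsubmit = function(){ /* copies password field */ };</script></head>')
BASELINE = {fingerprint("/owa/auth/logon.js")}      # constructed baseline of the golden copy
ALLOWED_HOSTS = {"mail.corp.example"}               # constructed: hosts scripts may legitimately load from
```

Running `find_injected_scripts(TAMPERED_PAGE, BASELINE, ALLOWED_HOSTS)` on a schedule against the served page, with the baseline rebuilt only after a vetted change, turns a silent sign-in page modification into an alertable event.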

“This subgroup, which is characterized within the broader Seashell Blizzard organization by its near-global reach, represents an expansion in both the geographical targeting conducted by Seashell Blizzard and the scope of its operations,” Microsoft said.

“At the same time, Seashell Blizzard’s far-reaching, opportunistic access methods likely offer Russia expansive opportunities for niche operations and activities that will continue to be valuable over the medium term.”

The development comes as Dutch cybersecurity company EclecticIQ linked the Sandworm group to another campaign that leverages pirated Microsoft Key Management Service (KMS) activators and fake Windows updates to deliver a new version of BACKORDER, a Go-based downloader that’s responsible for fetching and executing a second-stage payload from a remote server.

BACKORDER, per Mandiant, is usually delivered within trojanized installer files and is hard-coded to execute the original setup executable. The end goal of the campaign is to deliver DarkCrystal RAT.

“Ukraine’s heavy reliance on cracked software, including in government institutions, creates a major attack surface,” security researcher Arda Büyükkaya said. “Many users, including businesses and critical entities, have turned to pirated software from untrusted sources, giving adversaries like Sandworm (APT44) a prime opportunity to embed malware in widely used programs.”

Further infrastructure analysis has uncovered a previously undocumented RDP backdoor codenamed Kalambur that’s disguised as a Windows update, and which utilizes the TOR network for command-and-control, as well as to deploy OpenSSH and enable remote access via the Remote Desktop Protocol (RDP) on port 3389.

“By leveraging trojanized software to infiltrate ICS environments, Sandworm (APT44) continues to demonstrate its strategic objective of destabilizing Ukraine’s critical infrastructure in support of Russian geopolitical ambitions,” Büyükkaya said.
