Tuesday, April 22, 2025
BadPilot Attacking Network Devices to Expand Russian Seashell Blizzard’s Attacks


A newly uncovered cyber campaign, dubbed “BadPilot,” has been linked to a subgroup of the Russian state-sponsored hacking collective Seashell Blizzard, also known as Sandworm.

This operation, active since at least 2021, represents a significant expansion in Russia’s cyber activities, targeting critical infrastructure globally.

According to Microsoft Threat Intelligence, the campaign focuses on compromising internet-facing systems to establish long-term persistence and enable tailored network operations.

The BadPilot subgroup employs both opportunistic and targeted techniques to infiltrate high-value sectors such as energy, oil and gas, telecommunications, shipping, arms manufacturing, and government entities.

The campaign has leveraged vulnerabilities in widely used software systems, including Microsoft Exchange (CVE-2021-34473), Zimbra Collaboration (CVE-2022-41352), ConnectWise ScreenConnect (CVE-2024-1709), and Fortinet FortiClient EMS (CVE-2023-48788).

Exploitation of these flaws has allowed the group to scale its operations horizontally across various regions, including North America, Europe, Central Asia, and the Middle East.

Persistence and Lateral Movement

The BadPilot campaign utilizes a range of sophisticated tactics to maintain persistence within compromised networks.

These include deploying remote monitoring and management (RMM) tools such as Atera Agent and Splashtop Remote Services for command-and-control (C2) functions.

Figure: Use of ScreenConnect to install Atera Agent

Such tools mimic legitimate software, enabling the attackers to remain undetected while executing credential theft, data exfiltration, and lateral movement.

In some cases, the subgroup has implemented ShadowLink, a bespoke utility that leverages Tor hidden services for covert access to compromised systems.

Figure: How ShadowLink avoids discovery

Additionally, the group employs web shells such as LocalOlive for command execution and secondary payload deployment.

The web shells also serve as a foothold for deploying tunneling utilities such as Chisel and rsockstun, which extend the compromise deeper into the network.

Another notable tactic involves modifying Outlook Web Access portals with malicious JavaScript to harvest credentials in real time.

This approach underscores the subgroup’s focus on exploiting internet-facing infrastructure for scalable yet stealthy intrusions.
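A defensive check for the OWA tampering described above, added here as an example and not taken from the article or from Microsoft's report: it baselines an OWA-style static web directory by file hash, then reports new, modified and deleted files and any inline script in a logon page that makes an outbound request. The directory layout, file names and the simulated injection are constructed placeholders.

```python
import hashlib
import os
import re
import tempfile

# Inline <script> bodies in an HTML/ASPX page; a logon page should not gain one.
INLINE_SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# Calls that would ship form data to another host from within the page.
OUTBOUND_CALL = re.compile(r"(fetch\(|XMLHttpRequest|\.send\(|sendBeacon)")

def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                result[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return result

def audit(root, baseline):
    """Compare the tree with a recorded baseline; return sorted (finding, path) pairs."""
    current = snapshot(root)
    findings = set()
    for rel, digest in current.items():
        if rel not in baseline:
            findings.add(("new_file", rel))
        elif baseline[rel] != digest:
            findings.add(("modified", rel))
        if rel.lower().endswith((".aspx", ".html", ".htm")):
            with open(os.path.join(root, rel), errors="replace") as f:
                for body in INLINE_SCRIPT.findall(f.read()):
                    if OUTBOUND_CALL.search(body):
                        findings.add(("inline_exfil_script", rel))
    findings.update(("deleted", rel) for rel in baseline if rel not in current)
    return sorted(findings)

def demo():
    """Build a constructed OWA-like tree, baseline it, tamper with it, and audit."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "auth"))
    logon = os.path.join(root, "auth", "logon.aspx")          # placeholder page
    with open(logon, "w") as f:
        f.write("<html><form id='logonForm'><input name='password'></form></html>")
    with open(os.path.join(root, "auth", "logon.js"), "w") as f:
        f.write("function clkLgn(){}")
    baseline = snapshot(root)
    # Simulated tampering: an inert injected script plus a dropped file.
    with open(logon, "a") as f:
        f.write('<script>/* injected */fetch("https://example.invalid/")</script>')
    with open(os.path.join(root, "auth", "x.js"), "w") as f:
        f.write("// dropped file")
    return audit(root, baseline)
```

In production the baseline would be taken from a known-good build and stored off-host, so that an attacker with write access to the web root cannot also rewrite the reference hashes.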

Evolving Geopolitical Objectives

Initially concentrated on Ukraine and Eastern Europe, BadPilot’s scope has expanded significantly since 2022.

The campaign now targets entities in the United States, United Kingdom, Canada, and Australia.

Analysts suggest this shift reflects Russia’s evolving geopolitical priorities amid ongoing military conflicts.

The subgroup’s opportunistic “spray-and-pray” approach ensures widespread compromises that can later be tailored to meet strategic objectives.

Seashell Blizzard’s operations have historically supported Russian military intelligence objectives through espionage, information operations, and destructive cyberattacks.

The BadPilot campaign continues this trend by enabling persistent access to critical sectors that could be leveraged for future disruptions or intelligence gathering.

Organizations are urged to prioritize patch management for known vulnerabilities exploited by BadPilot.

Implementing multi-factor authentication (MFA), monitoring RMM tool usage, and employing advanced threat detection systems can help mitigate risks associated with this campaign.

Strengthening network defenses against lateral movement through endpoint detection and response solutions is also critical.
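As an added example of the RMM and web-shell monitoring recommended above (not code from the article or from Microsoft), the following script scans process-creation events for an IIS worker spawning a shell, for RMM agents on hosts where they are not sanctioned, and for one remote-access tool installing another, the ScreenConnect-to-Atera chain the article describes. The event shape, host names and process names are constructed placeholders, and the sanctioned-RMM inventory is assumed.

```python
import json

# Constructed sample events in a simplified 4688-style JSON shape (not real telemetry).
SAMPLE_LOG = """
{"host": "mx01", "parent": "w3wp.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"}
{"host": "mx01", "parent": "screenconnect.clientservice.exe", "image": "msiexec.exe", "cmdline": "msiexec.exe /i atera-agent-setup.msi /qn"}
{"host": "ws07", "parent": "explorer.exe", "image": "splashtop-streamer.exe", "cmdline": "splashtop-streamer.exe"}
{"host": "ws07", "parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe"}
"""

RMM_MARKERS = ("atera", "splashtop", "screenconnect")   # tools named in the article
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")
IIS_WORKER = "w3wp.exe"                                  # hosts OWA/Exchange web apps
# Assumed inventory: which RMM products are sanctioned on which hosts.
SANCTIONED_RMM = {"ws07": {"splashtop"}}

def rmm_in(text):
    """Return the RMM markers that appear anywhere in the given text."""
    lowered = text.lower()
    return [m for m in RMM_MARKERS if m in lowered]

def classify(ev):
    """Return the list of rule names a single event triggers."""
    hits = []
    parent, image = ev["parent"].lower(), ev["image"].lower()
    if parent == IIS_WORKER and image in SHELLS:
        hits.append("iis_worker_spawned_shell")          # typical web shell behaviour
    for tool in rmm_in(ev["cmdline"] + " " + image):
        if tool not in SANCTIONED_RMM.get(ev["host"], set()):
            hits.append("unsanctioned_rmm:" + tool)
        if rmm_in(parent):                               # e.g. ScreenConnect installing Atera
            hits.append("rmm_installed_via_rmm:" + tool)
    return hits

def scan(log_text):
    """Run every rule over newline-delimited JSON events; return (host, rule) pairs."""
    findings = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        findings.extend((ev["host"], rule) for rule in classify(ev))
    return findings

if __name__ == "__main__":
    for host, rule in scan(SAMPLE_LOG):
        print(host, rule)
```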

As Seashell Blizzard continues to refine its tactics for global cyber operations, vigilance remains essential for safeguarding critical infrastructure against these state-sponsored threats.

Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
