Cyber Security News

BadPilot Attacking Network Devices to Expand Russian Seashell Blizzard’s Attacks

A newly uncovered cyber campaign, dubbed “BadPilot,” has been linked to a subgroup of the Russian state-sponsored hacking collective Seashell Blizzard, also known as Sandworm.

This operation, active since at least 2021, represents a significant expansion in Russia’s cyber activities, targeting critical infrastructure globally.

According to Microsoft Threat Intelligence, the campaign focuses on compromising internet-facing systems to establish long-term persistence and enable tailored network operations.

The BadPilot subgroup employs both opportunistic and targeted techniques to infiltrate high-value sectors such as energy, oil and gas, telecommunications, shipping, arms manufacturing, and government entities.

The campaign has leveraged vulnerabilities in widely used software systems, including Microsoft Exchange (CVE-2021-34473), Zimbra Collaboration (CVE-2022-41352), ConnectWise ScreenConnect (CVE-2024-1709), and Fortinet FortiClient EMS (CVE-2023-48788).

Exploitation of these flaws has allowed the group to scale its operations horizontally across various regions, including North America, Europe, Central Asia, and the Middle East.

Persistence and Lateral Movement

The BadPilot campaign utilizes a range of sophisticated tactics to maintain persistence within compromised networks.

These include deploying Remote Management and Monitoring (RMM) tools like Atera Agent and Splashtop Remote Services for command-and-control (C2) functions.

Seashell Blizzard’s AttacksSeashell Blizzard’s Attacks
Use of ScreenConnect to install Atera Agent

Such tools mimic legitimate software, enabling the attackers to remain undetected while executing credential theft, data exfiltration, and lateral movement.

In some cases, the subgroup has implemented ShadowLink, a bespoke utility that leverages Tor hidden services for covert access to compromised systems.

How ShadowLink avoids discovery

Additionally, the group employs web shells such as LocalOlive for command execution and secondary payload deployment.

These tools facilitate further network compromise by enabling tunneling utilities like Chisel and rsockstun.

Another notable tactic involves modifying Outlook Web Access portals with malicious JavaScript to harvest credentials in real-time.

This approach underscores the subgroup’s focus on exploiting internet-facing infrastructure for scalable yet stealthy intrusions.

Evolving Geopolitical Objectives

Initially concentrated on Ukraine and Eastern Europe, BadPilot’s scope has expanded significantly since 2022.

The campaign now targets entities in the United States, United Kingdom, Canada, and Australia.

Analysts suggest this shift reflects Russia’s evolving geopolitical priorities amid ongoing military conflicts.

The subgroup’s opportunistic “spray-and-pray” approach ensures widespread compromises that can later be tailored to meet strategic objectives.

Seashell Blizzard’s operations have historically supported Russian military intelligence objectives through espionage, information operations, and destructive cyberattacks.

The BadPilot campaign continues this trend by enabling persistent access to critical sectors that could be leveraged for future disruptions or intelligence gathering.

Organizations are urged to prioritize patch management for known vulnerabilities exploited by BadPilot.

Implementing multi-factor authentication (MFA), monitoring RMM tool usage, and employing advanced threat detection systems can help mitigate risks associated with this campaign.

Strengthening network defenses against lateral movement through endpoint detection and response solutions is also critical.

As Seashell Blizzard continues to refine its tactics for global cyber operations, vigilance remains essential for safeguarding critical infrastructure against these state-sponsored threats.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

BFDOOR Malware Targets Organizations to Establish Long-Term Persistence

The BPFDoor malware has emerged as a significant threat targeting domestic and international organizations, particularly…

13 hours ago

Uncovering the Security Risks of Data Exposure in AI-Powered Tools like Snowflake’s CORTEX

As artificial intelligence continues to reshape the technological landscape, tools like Snowflake’s CORTEX Search Service…

13 hours ago

UNC3944 Hackers Shift from SIM Swapping to Ransomware and Data Extortion

UNC3944, a financially-motivated threat actor also linked to the group known as Scattered Spider, has…

14 hours ago

Over 2,800 Hacked Websites Targeting MacOS Users with AMOS Stealer Malware

Cybersecurity researcher has uncovered a massive malware campaign targeting MacOS users through approximately 2,800 compromised…

14 hours ago

Hackers Bypass AI Filters from Microsoft, Nvidia, and Meta Using a Simple Emoji

Cybersecurity researchers have uncovered a critical flaw in the content moderation systems of AI models…

15 hours ago

Microsoft Alerts That Default Helm Charts May Expose Kubernetes Apps to Data Leaks

Microsoft’s cybersecurity research team has issued a stark warning about the risks of using default…

15 hours ago