A Subgroup of Russia’s Infamous Sandworm Unit is Compromising Western Networks

Microsoft's threat intelligence team has issued a warning about a subgroup of Sandworm, the Russian military cyber unit that Microsoft tracks as Seashell Blizzard. The subgroup, whose activity Microsoft tracks under the name BadPilot, has broadened its targeting from Ukraine to networks worldwide, with a marked increase in activity against English-speaking Western countries in the years since Russia's 2022 invasion of Ukraine.

Microsoft's research describes BadPilot as an "initial access operation": its job is to break into organizational networks and establish a foothold, then hand that access to other operators within Sandworm, a unit long attributed to Russia's military intelligence agency, the GRU. According to Microsoft's analysts, those follow-on operators use the footholds for a range of activity, from data theft to disruptive attacks.

Microsoft reports that BadPilot's intrusion attempts have grown rapidly and follow a pattern of broad, opportunistic scanning and exploitation before the operators home in on selected victims. The geography of its targets has shifted over three years: in 2022 the activity was almost exclusively aimed at Ukraine; in 2023 it expanded to networks around the world; and in 2024 it narrowed again to a deliberate focus on organizations in the United States, the United Kingdom, Canada, and Australia.

Sherrod DeGrippo, Director of Threat Intelligence Strategy at Microsoft, said the pattern reflects a shift in priorities: the group casts a wide net to find exploitable exposures, then narrows its attention to the victims it considers most valuable, increasingly in prominent Western countries.

Microsoft did not name specific victims, but said BadPilot's targets include critical infrastructure sectors such as energy, oil and gas, telecommunications, shipping, and arms manufacturing, as well as government bodies in several countries. Microsoft has also linked BadPilot's access operations to at least three data-destroying attacks against Ukrainian targets, a reminder that the access it obtains can end in destruction rather than only espionage.

The pivot to Western networks appears to be politically driven. DeGrippo pointed to recent and upcoming elections as one likely factor behind the change in targeting, with the shifting political landscape shaping where the group directs its efforts.

Throughout the period Microsoft has tracked it, BadPilot has gained access by exploiting already-public, patchable vulnerabilities in widely deployed internet-facing software rather than zero-days. Earlier intrusions used flaws in Microsoft Exchange and Microsoft Outlook and in third-party products including OpenFire, JetBrains TeamCity, and Zimbra. The more recent surge against Western targets has relied on vulnerabilities in ConnectWise ScreenConnect, a remote support and access tool, and Fortinet FortiClient EMS, the management server for Fortinet's endpoint agents. Both are exactly the kind of system that is reachable from the internet, holds privileged access to many hosts, and is often patched slowly.

Once inside a network, BadPilot typically installs tooling to keep its access. Often this is a legitimate remote monitoring and management product such as Atera Agent or Splashtop Remote Services, which blends in with routine IT administration and is unlikely to be flagged by antivirus. In some intrusions the group has gone further and configured compromised machines as Tor onion services, so that the operators reach the host through the Tor network and the victim's logs never show a direct inbound connection from an attacker-controlled address. The practical consequence for defenders is that detecting this persistence depends less on malware signatures than on knowing which hosts are supposed to be running which remote access tools, and on treating Tor client software on a server as an anomaly in its own right.
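The persistence pattern above lends itself to a simple hunt over endpoint telemetry. The following Python script is an added example written for this page, not code from Microsoft or from the vendors mentioned; it runs three rules over constructed Sysmon-style process-creation (Event ID 1) and Windows service-install (Event ID 7045) records: a named RMM agent on a host where it is not sanctioned, a Tor binary or a command line that configures a hidden service, and a new service whose binary lives in a user-writable directory. The executable names, host names, allowlist and log records are all assumptions made for illustration.

```python
"""Hunt for BadPilot-style persistence: an RMM agent (Atera, Splashtop) or a
Tor onion service showing up on a host where it is not expected.
Added example; the events below are constructed, not real telemetry."""
import re
from dataclasses import dataclass

# Assumed installed binary names for the products named in the article.
RMM_BINARIES = {
    "ateraagent.exe": "Atera Agent",
    "srservice.exe": "Splashtop Remote Services",
    "srmanager.exe": "Splashtop Remote Services",
}
TOR_BINARIES = {"tor.exe"}
# torrc directives that turn a host into an onion service.
ONION_MARKERS = re.compile(r"HiddenServiceDir|HiddenServicePort", re.IGNORECASE)
# Directories a quietly dropped agent tends to run from instead of Program Files.
SUSPICIOUS_DIRS = re.compile(r"\\(ProgramData|AppData|Temp|Users\\Public)\\", re.IGNORECASE)


@dataclass
class Event:
    host: str
    event_id: int          # 1 = process creation (Sysmon), 7045 = service installed
    image: str             # full path of the executable
    command_line: str = ""
    service_name: str = ""


@dataclass
class Finding:
    host: str
    rule: str
    evidence: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events, sanctioned_rmm_hosts):
    """Apply each rule independently to every event; one event can yield
    several findings. sanctioned_rmm_hosts maps a product name to the set
    of hosts where the help desk legitimately runs it."""
    findings = []
    for ev in events:
        name = basename(ev.image)

        # Rule 1: a known RMM agent on a host that is not allowlisted for it,
        # or a sanctioned one running from an odd location.
        if name in RMM_BINARIES:
            product = RMM_BINARIES[name]
            if ev.host not in sanctioned_rmm_hosts.get(product, set()):
                findings.append(Finding(ev.host, "unsanctioned_rmm", f"{product} via {ev.image}"))
            elif SUSPICIOUS_DIRS.search(ev.image):
                findings.append(Finding(ev.host, "rmm_unusual_path", ev.image))

        # Rule 2: Tor itself, escalated when the command line configures an onion service.
        if name in TOR_BINARIES or ONION_MARKERS.search(ev.command_line):
            rule = "tor_onion_service" if ONION_MARKERS.search(ev.command_line) else "tor_binary"
            findings.append(Finding(ev.host, rule, ev.command_line or ev.image))

        # Rule 3: a service installed from a user-writable directory.
        if ev.event_id == 7045 and SUSPICIOUS_DIRS.search(ev.image):
            findings.append(Finding(ev.host, "service_from_user_writable_dir",
                                    f"{ev.service_name}: {ev.image}"))
    return findings


# Constructed sample telemetry (assumed host names; not real data).
SANCTIONED = {"Atera Agent": {"HELPDESK-01"}, "Splashtop Remote Services": {"HELPDESK-01"}}
SAMPLE_EVENTS = [
    Event("WS-ACCT-07", 1, r"C:\Program Files\Atera Networks\AlphaAgent\AteraAgent.exe"),
    Event("HELPDESK-01", 1, r"C:\Program Files\Atera Networks\AlphaAgent\AteraAgent.exe"),
    Event("SRV-FILE-02", 7045, r"C:\ProgramData\Splashtop\SRService.exe",
          service_name="SplashtopRemoteService"),
    Event("SRV-WEB-01", 1, r"C:\Users\Public\tor\tor.exe",
          command_line=r"tor.exe -f C:\Users\Public\tor\torrc HiddenServiceDir "
                       r"C:\Users\Public\tor\hs HiddenServicePort 3389 127.0.0.1:3389"),
    Event("SRV-WEB-01", 7045, r"C:\Users\Public\tor\tor.exe", service_name="WindowsUpdateHelper"),
    Event("WS-ENG-12", 1, r"C:\Windows\System32\svchost.exe", command_line="svchost.exe -k netsvcs"),
]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, SANCTIONED):
        print(f"{f.host:12} {f.rule:32} {f.evidence}")
```

The allowlist is the important part: the same Atera binary is benign on the help-desk jump host and a finding everywhere else, so the rule only works if the inventory of sanctioned RMM deployments is maintained. Rule 3 is deliberately broad and will need tuning per environment, but a service whose image path sits under ProgramData or Users\Public is worth a look regardless of which tool it turns out to be.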

For defenders, the useful takeaway is how ordinary BadPilot's tradecraft is in MITRE ATT&CK terms: initial access by exploiting public-facing applications (T1190) with patchable, already-public vulnerabilities; persistence through legitimate remote access software (T1219); and command and control routed through a multi-hop proxy such as Tor (T1090.003). Each of those maps to a control that organizations already know how to apply: patch internet-facing remote access and management products promptly and inventory which ones are exposed, keep an allowlist of the hosts permitted to run RMM agents and alert on the rest, and block or alert on Tor traffic leaving servers that have no reason to use it.
