Russian GRU-associated hackers have been exploiting known software vulnerabilities to gain unauthorized access to critical networks around the globe, especially targeting sectors in the United States and the United Kingdom since 2021.
A hacking collective linked to Russian military intelligence has been surreptitiously infiltrating computer networks worldwide, including those in the U.S. and U.K., by leveraging established security flaws in commonly used software applications. This extensive campaign has raised significant concerns among cybersecurity experts.
On Wednesday, Microsoft’s Threat Intelligence team disclosed findings regarding a specific subgroup within the hacking group known as Sandworm, which is alternatively referred to as Seashell Blizzard, UAC-0133, Blue Echidna, PHANTOM, BlackEnergy Lite, and APT44. According to Microsoft, this subgroup, whose activity it has dubbed the “BadPilot campaign,” has been conducting breaches since at least 2021 by exploiting vulnerabilities in systems that are accessible from the internet.
The group’s targets span various industries, including energy, telecommunications, oil and gas, shipping, arms production, and government entities. Initially focused on entities in Ukraine, Europe, and parts of Asia and the Middle East, their scope has notably expanded to encompass organizations in the U.S. and U.K. since early 2024.
The attackers utilize publicly disclosed vulnerabilities in widely adopted software, such as ConnectWise ScreenConnect and Fortinet FortiClient EMS, to establish a foothold in their target networks. Once inside, they can escalate their access, steal credentials, and take control of critical systems. Microsoft’s intelligence report identifies several vulnerabilities that have been actively exploited by this group.
Experts at Microsoft suggest that while some targets appear arbitrary, these broad breaches afford Russia strategic maneuverability, especially in light of its ongoing geopolitical interests. Since the onset of the war in Ukraine, Russian-affiliated hackers have increasingly zeroed in on international entities that support Ukraine’s military efforts or hold geopolitical significance. This subgroup is also suspected of links to various destructive cyber activities against Ukraine since 2023.
The BadPilot campaign illustrates a determined approach not only to gain access but also to maintain it over time. Once within a network, the group deploys strategies that include installing remote management software and web shells to ensure longevity of control. For example, deploying legitimate RMM tools like Atera Agent and Splashtop Remote Services lets the attackers pass as authorized administrative activity, complicating detection efforts significantly. Their arsenal also includes web shells, credential-stealing methods, and DNS manipulation techniques.
Additionally, the utilization of custom tools such as ShadowLink, which can turn compromised systems into hidden services on the Tor network, presents further challenges in tracing their activities. This advanced approach highlights an evolution in post-compromise tactics, making the detection and mitigation of such threats increasingly intricate.
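Because the RMM tools named above are legitimate products, the practical defensive check is not "is this binary malicious" but "is this host allowed to run an RMM agent at all". The script below is an added illustration, not part of the article or of Microsoft's report: it parses constructed, Windows-style service-installation log lines and flags any Atera or Splashtop service install on a host that is not on a sanctioned-RMM allowlist. The host names, the allowlist, and the log format are all assumptions made for the example.

```python
import re
from collections import namedtuple

# Constructed sample log lines (not from the article): one service-installation
# event per line with a timestamp, host name, event id, service name and image path.
# Assumed layout; a real pipeline would read these from the Windows System log.
SAMPLE_LOG = """\
2024-03-01T09:14:02Z host-fin-07 EventID=7045 ServiceName="AteraAgent" ImagePath="C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe"
2024-03-01T09:20:11Z host-fin-07 EventID=7045 ServiceName="SplashtopRemoteService" ImagePath="C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRService.exe"
2024-03-01T10:02:45Z host-it-01 EventID=7045 ServiceName="AteraAgent" ImagePath="C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe"
2024-03-01T11:30:00Z host-fin-07 EventID=7045 ServiceName="Spooler" ImagePath="C:\\Windows\\System32\\spoolsv.exe"
"""

# Hypothetical allowlist: which hosts are sanctioned to run which RMM product.
# In this example only the IT admin workstation may run Atera; nobody may run Splashtop.
RMM_ALLOWLIST = {
    "host-it-01": {"atera"},
}

# Case-insensitive markers for the two RMM products named in the article, matched
# against both the service name and the image path so a renamed service still matches.
RMM_PATTERNS = {
    "atera": re.compile(r"atera", re.IGNORECASE),
    "splashtop": re.compile(r"splashtop", re.IGNORECASE),
}

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>\d+) '
    r'ServiceName="(?P<svc>[^"]*)" ImagePath="(?P<path>[^"]*)"$'
)

Alert = namedtuple("Alert", "ts host service product")


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def identify_rmm(service, path):
    """Return the RMM product name if the service or path looks like one, else None."""
    for product, pattern in RMM_PATTERNS.items():
        if pattern.search(service) or pattern.search(path):
            return product
    return None


def find_unsanctioned_rmm(log_text, allowlist=RMM_ALLOWLIST):
    """Flag service installs (event 7045) of RMM agents on hosts not sanctioned for them."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["eid"] != "7045":
            continue
        product = identify_rmm(rec["svc"], rec["path"])
        if product is None:
            continue  # not an RMM agent, e.g. the print spooler
        if product in allowlist.get(rec["host"], set()):
            continue  # sanctioned install, nothing to report
        alerts.append(Alert(rec["ts"], rec["host"], rec["svc"], product))
    return alerts


if __name__ == "__main__":
    for a in find_unsanctioned_rmm(SAMPLE_LOG):
        print(f"{a.ts} {a.host}: unsanctioned {a.product} agent installed as service '{a.service}'")
```

Run against the sample, the two installs on host-fin-07 are reported while the Atera install on host-it-01 is accepted because that host is on the allowlist. The point of the allowlist design is that it needs no signature for attacker tooling: a legitimate agent on a host that has no business running one is the signal.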
Sandworm, which operates under the auspices of Russia’s GRU (specifically Unit 74455), has a well-documented history of disruptive cyberattacks. Their notorious campaigns include the NotPetya attack of 2017, which caused significant worldwide damage, as well as the FoxBlade operation in 2022, targeting Ukrainian infrastructure.
In light of these revelations, industry experts are sounding alarms regarding the potential repercussions for organizations, particularly in the U.K. The findings underscore the pressing need for organizations to enhance their security postures against such sophisticated threats. Even though the BadPilot subgroup is exploiting publicly available vulnerabilities, their refined operational methods necessitate ongoing vigilance from businesses, underscoring the importance of employee training and bolstering security measures to mitigate potential breaches.