Microsoft Uncovers Sandworm Subgroup's Global Cyber Attacks Spanning 15+ Countries

A multi-year initial access operation dubbed BadPilot, spanning the globe, has been linked to a subgroup within the notorious Russian state-sponsored hacking group known as Sandworm.

In a new report shared with The Hacker News, the Microsoft Threat Intelligence team stated that "this group has conducted various compromises of Internet-facing networks globally" to enable Seashell Blizzard to persist on high-value targets and support tailored network operations.

The geographical spread of the initial access subgroup's targets includes all of North America, several countries in Europe, and others, including Angola, Argentina, Australia, China, Egypt, India, Kazakhstan, Myanmar, Nigeria, Pakistan, Turkey, and Uzbekistan.

The victimology footprint of the hacking group, which has historically been concentrated in Eastern Europe, has expanded significantly over the past three decades.

  • 2022: Energy, financial, education, consulting, and agriculture sectors in Ukraine
  • 2023: Businesses in the United States, Europe, Central Asia, and the Middle East that provided material support to the war in Ukraine or were geopolitically significant
  • 2024: Institutions in the United States, Canada, Australia, and the United Kingdom

Sandworm is tracked by Microsoft under the moniker Seashell Blizzard (formerly Iridium), and by the broader cybersecurity community under the names APT44, Blue Echidna, FROZENBARENTS, Grey Tornado, Iron Viking, Razing Ursa, Telebots, UAC-0002, and Voodoo Bear. Since at least 2013, the group has been assessed to be affiliated with Unit 74455 within the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).

The adversarial collective has been described by Google-owned Mandiant as a "highly responsive" and "operationally mature" threat actor that engages in espionage, attack, and influence operations. It also has a history of launching disruptive and destructive attacks against Ukraine over the past ten years.

In addition to malware families that let the threat actors maintain access to infected hosts via (aka DCRat), Sandworm has used data wipers (aka HermeticWiper), pseudo-ransomware (aka PRESSTEA), and backdoors ( ).

It has also been observed to rely heavily on a variety of Russian businesses and criminal marketplaces to source and sustain its offensive capabilities, a sign of the growing role of cybercrime in enabling state-backed hacking.

According to an analysis from the Google Threat Intelligence Group (GTIG), "the team has used criminally sourced tools and equipment as a source of disposable features that can be operationalized on short notice without having to have fast connections to its previous operations."

"Since Russia's full-scale invasion of Ukraine, APT44 has increased its use of such tooling, including malware such as DarkCrystal RAT (DCRat), , and ('Rhadamanthys Stealer'), and bulletproof hosting infrastructure such as that provided by the Russian-speaking actor 'yalishanda,' who advertises in cybercriminal underground communities."

Microsoft said the Sandworm subgroup has been operational since at least late 2021, exploiting a number of well-known security flaws to gain initial access, followed by post-exploitation actions aimed at gathering credentials, achieving command execution, and facilitating lateral movement.

"Observed operations following initial access indicate that this campaign enabled Seashell Blizzard to obtain access to global targets across sensitive sectors including energy, oil and gas, telecommunications, shipping, arms manufacturing, in addition to international governments," the tech giant noted.

"This subgroup has been made possible by published exploits that made it possible for Seashell Blizzard to discover and compromise numerous Internet-facing systems across a variety of geographical regions and sectors," the report added.

Since early last year, the sub-cluster is said to have weaponized vulnerabilities in ConnectWise ScreenConnect ( ) and Fortinet FortiClient EMS ( ) to infiltrate targets in the United Kingdom and the United States.

The subgroup's attacks involve a mix of targeted intrusions and opportunistic "spray and pray" attacks designed to gain indiscriminate access and carry out follow-on actions to either expand network access or obtain confidential information.

The range of compromises, according to researchers, gives Seashell Blizzard the means to pursue the Kremlin's constantly evolving strategic goals, allowing the hacking outfit to horizontally scale its operations across sectors as new exploits are discovered.

To date, the subgroup has exploited eight different known security flaws.

The subgroup's intrusions follow two stages: (1) establishing an initial foothold, then (2) establishing persistence, for which it has used three different techniques:

  • February 24, 2024 – 2024: Deployment of legitimate remote access tools like Atera Agent and Splashtop Remote Services, in some cases abusing the access to drop additional payloads for credential acquisition, data exfiltration, and other tools for maintaining access, such as OpenSSH and a specialized utility dubbed ShadowLink that makes the compromised system accessible via the TOR anonymity network.

  • Late 2021 – present: Deployment of a web shell named LocalOlive that allows for command-and-control and serves as a conduit for more payloads, such as tunneling utilities (e.g., Chisel, plink, and rsockstun)
  • Late 2021 to 2024: Malicious changes to Outlook Web Access (OWA) sign-in pages that could encrypt and send credentials directly to the threat actor, alter DNS A-record configurations, and attempt to intercept credentials from crucial authentication services
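A small hunt script, added here as an illustration rather than anything from the Microsoft report, that triages constructed process-creation events for the persistence techniques listed above: remote access agents (Atera, Splashtop) on hosts where they are not sanctioned, tunneling utilities (Chisel, plink, rsockstun), OpenSSH or Tor-based access services, and shells spawned by the IIS worker process, which is how a web shell such as LocalOlive would run commands. The log format, the host allowlist and the `tor.exe` binary name are assumptions.

```python
from collections import Counter

# Constructed sample process-creation events (not from the article),
# formatted as host|parent_image|image|command_line.
SAMPLE_EVENTS = [
    "web01|services.exe|C:\\Program Files\\AteraNetworks\\AteraAgent\\AteraAgent.exe|AteraAgent.exe",
    "web01|w3wp.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c whoami",
    "web01|cmd.exe|C:\\Windows\\Temp\\chisel.exe|chisel.exe client 203.0.113.10:8080",
    "web01|cmd.exe|C:\\Windows\\Temp\\plink.exe|plink.exe -N user@203.0.113.10",
    "web02|services.exe|C:\\Windows\\System32\\OpenSSH\\sshd.exe|sshd.exe",
    "helpdesk01|services.exe|C:\\Program Files\\Splashtop\\Splashtop Remote\\Server\\SRServer.exe|SRServer.exe",
    "web02|explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe",
]

# Hosts where an RMM agent is expected (assumed allowlist); the same binary elsewhere is a finding.
SANCTIONED_RMM_HOSTS = {"helpdesk01"}

RMM_MARKERS = ("atera", "splashtop")              # legitimate remote access tools named in the report
TUNNEL_MARKERS = ("chisel", "plink", "rsockstun")  # tunneling utilities delivered through the web shell
ACCESS_MARKERS = ("sshd.exe", "tor.exe")           # OpenSSH / Tor-based access; tor.exe is an assumed name
WEB_WORKERS = ("w3wp.exe",)                        # IIS worker process: a shell child suggests a web shell
SHELLS = ("cmd.exe", "powershell.exe")


def triage(events):
    """Return one (host, technique, image basename) finding per suspicious event."""
    findings = []
    for line in events:
        host, parent, image, _cmdline = line.split("|", 3)
        image_l = image.lower()
        base = image_l.rsplit("\\", 1)[-1]
        if any(m in image_l for m in RMM_MARKERS) and host not in SANCTIONED_RMM_HOSTS:
            findings.append((host, "remote-access-tool", base))
        elif any(m in base for m in TUNNEL_MARKERS):
            findings.append((host, "tunneling-utility", base))
        elif base in ACCESS_MARKERS:
            findings.append((host, "persistent-access-service", base))
        elif parent.lower() in WEB_WORKERS and base in SHELLS:
            findings.append((host, "web-shell-command", base))
    return findings


def summarize(findings):
    """Count findings per host so the most heavily touched systems surface first."""
    return Counter(host for host, _, _ in findings)


if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    print(summarize(hits).most_common())
```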

This subgroup, which is characterized by its near-global reach within the wider Seashell Blizzard organization, represents an expansion in both the geographic targeting conducted by Seashell Blizzard and the scope of its operations, according to Microsoft.

"At the same time, Seashell Blizzard's ambitious, opportunistic access strategies are likely to give Russia numerous opportunities for niche operations and activities that will be valuable over the medium term."

The Sandworm group has also been linked to another campaign that uses pirated Microsoft Key Management Service ( ) activators and fake Windows updates to deliver a new version of BACKORDER, a Go-based downloader responsible for retrieving and executing a second-stage payload from a remote server, according to Dutch cybersecurity firm EclecticIQ.

BACKORDER, per Mandiant, is usually embedded within trojanized installer files and is hard-coded to execute the original setup executable. Delivering is the campaign's ultimate goal.

"Ukraine's heavy reliance on cracked software, including in government institutions, creates a major attack surface," security researcher Arda Büyükkaya said. "Many users, including businesses and critical entities, have turned to from untrusted sources, giving adversaries like Sandworm (APT44) a prime opportunity to embed malware in widely used programs."

Further analysis of the infrastructure has identified a previously undocumented RDP backdoor codenamed Kalambur that is used for command-and-control, deploys OpenSSH, and enables remote access via the Remote Desktop Protocol (RDP) on port 3389.

"By leveraging trojanized software to infiltrate ICS environments, Sandworm (APT44) continues to demonstrate its strategic objective of destabilizing Ukraine's critical infrastructure in support of Russian geopolitical ambitions," Büyükkaya said.
