Introduction
A subgroup within the Russian state-sponsored hacking collective, Sandworm, has been linked to a prolonged global cyber operation known as BadPilot. This campaign, aimed at infiltrating high-value targets, has significantly broadened its scope over the past three years. According to the Microsoft Threat Intelligence team, the subgroup has compromised internet-facing infrastructures worldwide to sustain the persistence of Seashell Blizzard, a division of Sandworm, enabling tailored network operations.
Global Reach and Targets
The BadPilot campaign has extended its footprint across multiple regions, including North America, Europe, and nations such as Angola, Argentina, Australia, China, Egypt, India, Kazakhstan, Myanmar, Nigeria, Pakistan, Turkey, and Uzbekistan. Over the past three years, Sandworm’s victimology has expanded as follows:
2022: Energy, retail, education, consulting, and agriculture sectors in Ukraine.
2023: Key sectors in the U.S., Europe, Central Asia, and the Middle East, particularly those supporting Ukraine or of geopolitical importance.
2024: Targets in the U.S., Canada, Australia, and the United Kingdom.
Sandworm, tracked under various aliases including APT44, Blue Echidna, and Iron Viking, has been operational since at least 2013. It is believed to be affiliated with Unit 74455 of the GRU, the military intelligence agency of the Russian Federation. The group has demonstrated sophisticated cyber capabilities, conducting espionage, cyberattacks, and influence campaigns, particularly against Ukraine.
Cyber Tactics and Techniques
Sandworm has employed various cyber tools and malware in its operations, utilizing:
Data wipers such as KillDisk (HermeticWiper).
Pseudo-ransomware like Prestige (PRESSTEA).
Backdoors including Kapeka.
Commercial malware such as DarkCrystal RAT (DCRat).
To sustain its capabilities, Sandworm has sourced tools and infrastructure from criminal marketplaces, leveraging the cybercrime ecosystem for state-sponsored operations. This reliance on criminally sourced tools allows the group to deploy attacks rapidly with minimal direct attribution.
Exploited Vulnerabilities and Attack Methods
Since late 2021, the subgroup has exploited various known security vulnerabilities, including:
Microsoft Exchange Server (CVE-2021-34473, aka ProxyShell)
Zimbra Collaboration (CVE-2022-41352)
Openfire (CVE-2023-32315)
JetBrains TeamCity (CVE-2023-42793)
Microsoft Outlook (CVE-2023-23397)
Fortinet FortiClient EMS (CVE-2023-48788)
ConnectWise ScreenConnect (CVE-2024-1709)
JBOSS (CVE unknown)
Following initial infiltration, the subgroup establishes persistence through multiple methods:
Remote Access Software Deployment (2024–Present) – Use of legitimate remote access tools such as Atera Agent and Splashtop Remote Services, often modified to exfiltrate credentials and maintain prolonged access.
Web Shell Implantation (Late 2021–Present) – Deployment of a web shell, LocalOlive, enabling command execution and payload delivery.
Credential Harvesting (2021–2024) – Manipulation of Outlook Web Access (OWA) sign-in pages and DNS configurations to intercept sensitive authentication data.
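As a defender-side illustration of the three persistence methods above (added here; not code from the report or from Microsoft's own tooling), the following Python sketch runs simple hunting rules over endpoint telemetry. The event schema, rule patterns, file paths and sample events are constructed assumptions and should be tuned to your own EDR or Sysmon data before use.

```python
import re
from dataclasses import dataclass

@dataclass
class Event:
    host: str
    action: str   # "proc_start", "file_create" or "file_modify" (constructed schema)
    path: str     # process image or affected file
    cmdline: str = ""

# (finding label, telemetry action, pattern over "path cmdline").
# Patterns are illustrative and derived from the tool/file names cited above;
# tune them to your environment before use.
RULES = [
    ("remote-access-tool-install", "proc_start",
     re.compile(r"atera|splashtop", re.I)),
    ("tor-client-on-host", "proc_start",
     re.compile(r"(^|\\)tor(\.exe)?(\s|$)", re.I)),
    ("possible-webshell-drop", "file_create",
     re.compile(r"\\(inetpub|exchange server)\\.*\.(aspx|ashx|asmx)$", re.I)),
    ("owa-signin-page-modified", "file_modify",
     re.compile(r"\\owa\\auth\\[^\\]+\.(aspx|js)$", re.I)),
]

def hunt(events):
    """Return one (host, finding, path) tuple per event that matches a rule."""
    hits = []
    for ev in events:
        haystack = f"{ev.path} {ev.cmdline}".strip()
        for label, action, pat in RULES:
            if ev.action == action and pat.search(haystack):
                hits.append((ev.host, label, ev.path))
    return hits

# Constructed sample telemetry: four suspicious events and one benign one.
SAMPLE = [
    Event("mail01", "file_modify",
          r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx"),
    Event("mail01", "file_create", r"C:\inetpub\wwwroot\aspnet_client\sync.aspx"),
    Event("ws07", "proc_start",
          r"C:\Program Files\Atera Networks\AteraAgent\AteraAgent.exe"),
    Event("ws07", "proc_start", r"C:\Windows\Temp\update\tor.exe", "tor.exe -f torrc"),
    Event("ws07", "proc_start", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for host, finding, path in hunt(SAMPLE):
        print(f"{host}: {finding} -> {path}")
```

A legitimately licensed remote-access agent or an approved OWA customisation will also trip these rules, so pair them with an allow-list of sanctioned installs and a file-integrity baseline for the OWA auth directory.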
Strategic Implications
Microsoft’s findings highlight that the subgroup’s operations enable Russia to maintain widespread, persistent access to global networks, particularly within critical sectors like energy, oil and gas, telecommunications, shipping, and arms manufacturing. The cyber espionage campaign serves Moscow’s broader strategic objectives by ensuring a scalable and adaptable offensive cyber capability.
Emerging Threats and Malware Deployment
Recent intelligence from EclecticIQ has linked Sandworm to additional cyber campaigns utilizing trojanized Microsoft Key Management Service (KMS) activators and fake Windows updates. These tactics have been used to deploy BACKORDER, a Go-based downloader responsible for fetching secondary payloads, including DarkCrystal RAT.
Furthermore, an RDP backdoor known as Kalambur has been identified, masquerading as a Windows update while using the TOR network for command-and-control communications. Kalambur’s functionality aligns with another malware, ShadowLink, which enables remote desktop access through TOR-hidden services.
Conclusion
The Sandworm subgroup’s BadPilot campaign demonstrates the evolving nature of state-backed cyber operations, blending sophisticated techniques with cybercriminal infrastructure to achieve geopolitical objectives. As these cyber threats continue to proliferate, international cybersecurity efforts must remain vigilant against the persistent and adaptive tactics employed by this formidable adversary.