Seashell Blizzard hacker group escalating attacks on critical infrastructure, Microsoft warns


A subgroup of the Russian state-sponsored hacking group, Seashell Blizzard, has been targeting critical infrastructure organizations and governments around the world for years, authorities have warned.

The campaign, dubbed 'BadPilot' by Microsoft's Threat Intelligence Team, saw the group gain access to targets across a number of sensitive sectors, including energy, oil and gas, telecommunications, shipping, and arms manufacturing, as well as national governments.

Seashell Blizzard has, since Russia’s invasion of Ukraine in 2022, carried out a steady stream of operations complementing Russian military objectives. These have ranged from espionage to information operations and cyber-enabled disruption, usually in the form of destructive attacks and manipulation of industrial control systems.

The BadPilot campaign marks an expansion of Seashell Blizzard's activities beyond Ukraine and Eastern Europe, to focus on the US, the UK, Canada, and Australia over the last year.

Beyond establishing access to targets outside Ukraine, Microsoft researchers also warned that the subgroup appears to have enabled at least three destructive cyber attacks in Ukraine since 2023.

"Active since at least 2021, this subgroup within Seashell Blizzard has leveraged opportunistic access techniques and stealthy forms of persistence to collect credentials, achieve command execution, and support lateral movement that has at times led to substantial regional network compromises," researchers said.

The campaign has exploited a number of vulnerabilities in internet-facing systems, researchers noted.

These include popular platforms such as Microsoft Exchange, Zimbra Collaboration, OpenFire, JetBrains TeamCity, Microsoft Outlook, ConnectWise ScreenConnect, Fortinet FortiClient EMS, and JBoss, which the group compromised using opportunistic access techniques and stealthy persistence.

After gaining initial access, the group then engages in credential collection, command execution, and lateral movement, leading to substantial network compromises and enabling destructive cyber attacks.

Simon Phillips, CTO of SecureAck, said the campaign reaffirms the “growing uptake in exploitation of internet-facing” systems and warned organizations should take the opportunity to strengthen patch management capabilities.

"The threat landscape has evolved beyond script kiddies and financially driven attackers; state-sponsored actors are now a serious reality,” he said. “The biggest concern is how stolen intelligence is being used to enhance these attacks and support their overall agendas."


Microsoft researchers predict that the newly discovered subgroup will continue to introduce new, innovative, and ‘horizontally scalable’ techniques aimed at escalating attacks on networks globally.

"This discovery is alarming for UK organizations as it highlights how Russian state-sponsored actors are exploiting CVEs to infiltrate networks, conduct surveillance and launch attacks," Phillips said.

"Cyber crime is now closely tied to geopolitical tensions, so it’s no surprise BadPilot has been carrying out serious attacks against the West. However, the real concern is that these operations remained largely unnoticed until Microsoft published these findings."


Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.