Seashell Blizzard
| Actor Type | Nation State |
|---|---|
| Attributed to Nation | Russia |
| Directly Linked Intrusion Sets | APT44, Sandworm, UAC-0133, UAC-0002, FROZENBARENTS, ELECTRUM |
| Associated Threat Actor | GRU Unit 74455 |
| Associated MITRE ATT&CK Group | Sandworm Team (G0034) |
Seashell Blizzard is an intrusion set tracked by Microsoft that has been active since at least 2013 and is known for its high-impact cyber operations. The group's activity overlaps with UAC-0133, Blue Echidna, Sandworm, PHANTOM, BlackEnergy Lite, and APT44.
Seashell Blizzard is a Russian state-sponsored actor, linked to the GRU's Unit 74455. The group has targeted critical infrastructure sectors such as energy, telecommunications, and industrial control systems (ICS). The group employs diverse tactics, techniques, and procedures (TTPs), including spear phishing, supply chain attacks, and the use of custom tools like KillDisk, NotPetya, and Industroyer. Their operations often align with Russian military objectives, particularly during geopolitical conflicts, as evidenced by their persistent targeting of Ukraine and other regions providing military or political support to Ukraine.
Attribution to Seashell Blizzard is supported by their consistent use of GRU-linked infrastructure, tools, and operational patterns. The BadPilot campaign carried out by Seashell Blizzard highlights the group's ability to conduct global access operations, exploiting vulnerabilities in IT management software like ConnectWise ScreenConnect and Fortinet FortiClient EMS. These campaigns have expanded Seashell Blizzard's reach to sectors in the United States, United Kingdom, and other geopolitically significant regions. The group's focus on critical infrastructure and its use of horizontally scalable techniques underscore its strategic importance to Russian cyber operations.
Seashell Blizzard Threat Reports
The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation
This blog post by Microsoft Threat Intelligence describes the Seashell Blizzard intrusion set and specifically the BadPilot campaign. According to ...