Cyber Threat Report: 'The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation'

Report Author Microsoft Threat Intelligence
Publication Date 2025-02-12
Original Reporting Source
Attributed to Nation Russia
Related Intrusion Sets APT44, UAC-0133, Sandworm, Seashell Blizzard
Related Threat Actors GRU Unit 74455
Identified CVEs CVE-2021-34473, CVE-2023-32315, CVE-2022-41352, CVE-2024-1709, CVE-2023-48788, CVE-2023-23397, CVE-2023-42793
Victim Sectors Telecommunications, Education, Retail, Professional Services, Agriculture, Ministries of Foreign Affairs, Defense, Energy

This blog post by Microsoft Threat Intelligence describes the Seashell Blizzard intrusion set and specifically the BadPilot campaign. According to the report, Seashell Blizzard (also known as Sandworm or APT44) is a high-impact Russian state-sponsored threat actor linked to GRU Unit 74455, active since at least 2013. Known for its expertise in computer network exploitation (CNE) and disruptive cyber operations, the group has consistently targeted critical infrastructure sectors such as energy, telecommunications, and industrial control systems (ICS). Seashell Blizzard's activities align with Russian geopolitical objectives, particularly in the context of military conflicts, and leverage both custom and publicly available tools for espionage, disruption, and long-term access. The BadPilot campaign is described by Microsoft as an initial access operation carried out by a subgroup within Seashell Blizzard. The campaign represents a multiyear global initiative focused on compromising Internet-facing infrastructure. Active since at least 2021, BadPilot has enabled persistent access across sensitive sectors, including energy, oil and gas, telecommunications, shipping, arms manufacturing, and international governments. Exploiting vulnerabilities such as CVE-2024-1709 in ConnectWise ScreenConnect and CVE-2023-48788 in Fortinet FortiClient EMS, the subgroup uses techniques such as credential harvesting, command execution, and lateral movement. It employs Remote Management and Monitoring (RMM) suites, such as Atera Agent and Splashtop, for persistence and covert command and control (C2), reflecting a stealthy and scalable approach. While some targeting is opportunistic, the campaign has facilitated broader Seashell Blizzard operations, including destructive attacks in Ukraine since 2023.
Regional targets predominantly include Ukraine and Europe, with the United States and the United Kingdom also called out specifically in the report.
