Microsoft Threat Intelligence has uncovered a subgroup within the Russian state actor Seashell Blizzard, referred to as the “BadPilot campaign.” This subgroup has been conducting a multi-year operation, focusing on compromising Internet-facing infrastructure worldwide. It has expanded the reach of Seashell Blizzard beyond its typical Eastern European targets, leveraging opportunistic access techniques and maintaining stealthy persistence to collect credentials and execute commands. The group’s operations allow it to move laterally within networks, gaining access to sensitive systems and high-value targets.
Seashell Blizzard, also known for its links to the Russian Federation’s Military Intelligence Unit 74455 (GRU), has been active since at least 2013. Its past operations have spanned a range of activities from espionage to disruptive cyberattacks, including the notorious KillDisk (2015) and NotPetya (2017) attacks. The threat actor has also demonstrated expertise in targeting critical infrastructure such as industrial control systems (ICS) and supervisory control and data acquisition systems (SCADA). This ongoing campaign is a part of their broader strategy to infiltrate crucial sectors.
The BadPilot campaign, active since 2021, exploits vulnerabilities in Internet-facing systems to maintain persistent access. The group has exploited several vulnerabilities in widely used software, including Microsoft Exchange, Zimbra Collaboration, OpenFire, and Fortinet FortiClient EMS, among others. These exploits have enabled the group to gain access to high-value sectors globally, including energy, telecommunications, arms manufacturing, and government networks.
The scope of their attack targets spans industries critical to Russian geopolitical interests.
Since 2024, the BadPilot subgroup has utilized a mix of techniques to gain and maintain access to compromised systems. These techniques include the deployment of Remote Management and Monitoring (RMM) suites like Atera Agent and Splashtop Remote Services, exploiting vulnerabilities, and using third-party scanning services to identify potential targets. Once inside the system, they engage in credential theft and lateral movement, which have at times led to destructive attacks. The increasing sophistication of these tactics highlights the growing threat to global networks, making it crucial for organizations to understand and mitigate the group’s tactics.
