Russian Sandworm APT’s Subgroup, BadPilot, Exploits Edge Bugs on a Global Scale

February 12, 2025

Sandworm, also known as Seashell Blizzard or as Military Unit 74455 of Russia's military intelligence service (GRU), is a notorious advanced persistent threat (APT) group. Its infamous operations include the NotPetya attack, the assault on the 2018 Winter Olympics, and two successful attacks on Ukraine's power grid; it has also targeted Denmark's energy sector and made further attempts, both successful and unsuccessful, to disrupt Ukraine's grid.

Recently, the group has been shifting towards more pervasive, but less noticeable intrusions. Microsoft, which monitors the group under the name 'Seashell Blizzard', has identified a subgroup within 74455 that focuses solely on gaining initial access to high-value organizations across various industries and regions. This subgroup is referred to as 'BadPilot'.

Since late 2021, BadPilot has been launching opportunistic attacks against Internet-facing infrastructure by exploiting known vulnerabilities in widely used email and collaboration platforms. These include Zimbra's CVE-2022-41352, Microsoft Exchange's CVE-2021-34473, and Microsoft Outlook's CVE-2023-23397. All three vulnerabilities have been rated as 'critical' with a 9.8 out of 10 score on the Common Vulnerability Scoring System (CVSS).

BadPilot has used these vulnerabilities to gain initial access to high-value organizations such as telecommunications companies, oil and gas companies, shipping companies, arms manufacturers, and foreign government entities. The targets span from Ukraine and Europe to Central and South Asia and the Middle East. Since early 2024, BadPilot has also been accessing targets in the US and UK. For these operations, it has exploited bugs in remote monitoring and management software, including CVE-2023-48788 in Fortinet's FortiClient Enterprise Management Server (EMS) and CVE-2024-1709, an authentication bypass in ConnectWise ScreenConnect that carries a rare maximum CVSS score of 10 out of 10.

After gaining access to a targeted system, BadPilot follows a standard post-exploitation playbook. It establishes persistence using its custom 'LocalOlive' Web shell and copies of legitimate remote monitoring and management (RMM) tools, or 'ShadowLink', which configures compromised systems as Tor hidden services. It then collects credentials, moves laterally, and exfiltrates data as needed. Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, says, 'These TTPs work because this threat actor is persistent and continues pursuing its objectives.'

BadPilot's role is to facilitate larger attacks by its parent group and, by extension, support its controlling government. While many of its activities appear opportunistic, Microsoft notes that 'its compromises cumulatively offer Seashell Blizzard options when responding to Russia's evolving strategic objectives.' The group's formation coincided with Russia's invasion of Ukraine, and it has been heavily involved in cyberattacks against organizations believed to be supporting its adversary. Microsoft also reports that the group has facilitated at least three destructive attacks in Ukraine since 2023.

DeGrippo emphasizes that these threat actors are 'persistent, creative, organized, and well-resourced.' Therefore, it's crucial for critical sectors to maintain superior security practices, update their software, monitor Internet-facing assets, and improve their overall security posture.
