
A subgroup of the Russian state-sponsored threat actor APT44 (also tracked as ‘Seashell Blizzard’ and ‘Sandworm’, and attributed to Russia’s GRU military intelligence service) has been running a widespread initial-access campaign dubbed ‘BadPilot’ since at least 2021. Microsoft’s Threat Intelligence team, which reported on the campaign, assesses that the operation primarily targets critical-infrastructure operators and government institutions worldwide, with the subgroup establishing footholds that other Seashell Blizzard units then use for espionage or destructive follow-on operations.
Target Sectors and Evolution
The campaign initially focused on Ukraine, Europe, Central and South Asia, and the Middle East, targeting:
– Energy and oil/gas sectors
– Telecommunications
– Shipping
– Arms manufacturing
– Government institutions
– Military facilities
– Transportation and logistics
Following Russia’s full-scale invasion of Ukraine in 2022, the subgroup intensified its operations, and by 2024 its targeting had broadened to include organizations in the United States, United Kingdom, Canada, and Australia.
Attack Methodology
The subgroup relies on opportunistic, scalable techniques rather than bespoke zero-day exploits:
1. Exploitation of publicly known vulnerabilities in internet-facing software such as Microsoft Exchange, Zimbra Collaboration, and ConnectWise ScreenConnect
2. Compromise of IT service providers and other supply-chain positions that grant access to many downstream victims at once
3. Credential theft, including harvesting of credentials from compromised systems
4. Deployment of custom web shells on compromised servers for command execution and persistence
5. Installation of legitimate IT remote management tools, which blend in with ordinary administrative traffic and survive reboots
Post-Compromise Activities
Once initial access is gained, the subgroup typically:
– Establishes persistent network access (web shells and remote management agents are the main mechanisms)
– Conducts lateral movement to reach higher-value systems
– Exfiltrates data through covert channels that are hard to distinguish from normal traffic
– Modifies infrastructure and network configurations on compromised systems to deepen or conceal access
– Routes command-and-control traffic through the Tor network to hide the operators’ infrastructure
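The two lists above (initial access via web shells and remote management tools, then persistence and Tor-routed traffic) describe a chain that leaves characteristic traces in endpoint telemetry. The following is an added example, not code from the Microsoft report or from the original article, of simple hunting rules that look for those traces and correlate them per host. The event schema, file paths, web-server process names, remote-management binary names and Tor port numbers are all assumptions chosen for illustration, and the sample events are constructed rather than real telemetry.

```python
"""Hunting rules for web-shell, RMM-abuse and Tor-egress traces.
Added example: not from the BadPilot report. All names/ports are assumptions."""
from dataclasses import dataclass


@dataclass
class Event:
    host: str
    kind: str        # "file_write", "process" or "net_conn" (assumed schema)
    actor: str       # process that performed the action
    target: str      # file path, child command line, or "ip:port"
    parent: str = "" # parent process, only meaningful for "process" events


# Assumption: processes that serve web content; a file they write into a
# web root with a server-side extension is a candidate web shell.
WEB_SERVER_PROCS = {"w3wp.exe", "httpd", "nginx", "java"}
WEB_SHELL_EXTS = (".aspx", ".ashx", ".asmx", ".jsp", ".php")
# Assumption: installer/agent binaries of legitimate remote management tools.
RMM_BINARIES = {"ateraagent.exe", "splashtopstreamer.exe",
                "screenconnect.clientservice.exe"}
# Assumption: ports commonly used by Tor relays and local SOCKS listeners.
TOR_PORTS = {9001, 9030, 9050, 9150}


def _basename(command_line: str) -> str:
    """Lower-cased executable name from a Windows-style command line."""
    return command_line.split()[0].rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (host, rule, detail) tuples for events matching a rule."""
    alerts = []
    for e in events:
        if (e.kind == "file_write" and e.actor.lower() in WEB_SERVER_PROCS
                and e.target.lower().endswith(WEB_SHELL_EXTS)):
            alerts.append((e.host, "web_shell_write", e.target))
        elif e.kind == "process" and e.parent.lower() in WEB_SERVER_PROCS:
            # A web server spawning children is how a web shell runs commands;
            # if the child is an RMM agent, persistence is being installed.
            rule = ("rmm_from_web_shell" if _basename(e.target) in RMM_BINARIES
                    else "cmd_from_web_server")
            alerts.append((e.host, rule, e.target))
        elif e.kind == "net_conn":
            port = int(e.target.rsplit(":", 1)[1])   # assumes "ip:port" form
            if port in TOR_PORTS or e.actor.lower() == "tor.exe":
                alerts.append((e.host, "possible_tor_egress", e.target))
    return alerts


def score_hosts(alerts):
    """Number of distinct rules hit per host; several stages on one host
    is far stronger evidence than any single rule firing."""
    stages = {}
    for host, rule, _ in alerts:
        stages.setdefault(host, set()).add(rule)
    return {host: len(rules) for host, rules in stages.items()}


# Constructed sample telemetry (not real data): one mail server showing the
# full chain, one workstation doing ordinary work.
SAMPLE_EVENTS = [
    Event("mail01", "file_write", "w3wp.exe",
          r"C:\inetpub\wwwroot\aspnet_client\help.aspx"),
    Event("mail01", "process", "w3wp.exe", "cmd.exe /c whoami",
          parent="w3wp.exe"),
    Event("mail01", "process", "cmd.exe",
          r"C:\ProgramData\AteraAgent.exe /i", parent="w3wp.exe"),
    Event("mail01", "net_conn", "tor.exe", "203.0.113.10:9001"),
    Event("ws07", "file_write", "winword.exe", r"C:\Users\a\report.docx"),
    Event("ws07", "net_conn", "chrome.exe", "198.51.100.5:443"),
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print(score_hosts(found))   # {'mail01': 4}
```

Each rule on its own is noisy (administrators do install remote management agents, and developers do deploy .aspx files), which is why the score is per host and per distinct stage: a single server that writes a web shell, spawns commands from the web server process, installs an RMM agent from that chain, and then talks to a Tor port is the pattern worth paging on. In production the rules would run over EDR or Sysmon data and the allow-lists would be tuned to the environment.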
Microsoft’s analysis concludes that this APT44 subgroup maintains “near-global reach” and serves as a crucial component of Russia’s cyber operations: by securing and handing off footholds at scale, it enables both intelligence gathering and destructive attacks against critical infrastructure worldwide.