Microsoft has published its first research on a subgroup within the Russian state actor Seashell Blizzard, detailing a multiyear initial access operation tracked as the ‘BadPilot campaign.’ The subgroup has targeted internet-facing infrastructure globally since at least 2021, enabling Seashell Blizzard to maintain persistence on high-value targets and facilitate tailored network operations. Seashell Blizzard’s specialized operations have ranged from espionage to information operations and cyber-enabled disruptions, usually in the form of destructive attacks and manipulation of industrial control systems (ICS).
“Active since at least 2021, this subgroup within Seashell Blizzard has leveraged opportunistic access techniques and stealthy forms of persistence to collect credentials, achieve command execution, and support lateral movement that has at times led to substantial regional network compromises,” Microsoft Threat Intelligence wrote in a Wednesday blog post. “Observed operations following initial access indicate that this campaign enabled Seashell Blizzard to obtain access to global targets across sensitive sectors including energy, oil and gas, telecommunications, shipping, arms manufacturing, in addition to international governments.”
The post assessed that this subgroup has been enabled by a horizontally scalable capability bolstered by published exploits that allowed Seashell Blizzard to discover and compromise numerous Internet-facing systems across geographical regions and sectors.
Microsoft said that the activity it tracks as Seashell Blizzard overlaps with activity that other security vendors track under names such as BE2, UAC-0133, Blue Echidna, Sandworm, PHANTOM, BlackEnergy Lite, and APT44.
Furthermore, since early 2024, the subgroup has expanded its range of access to include targets in the U.S. and the U.K. by exploiting vulnerabilities primarily in ConnectWise ScreenConnect (CVE-2024-1709) IT remote management and monitoring software and Fortinet FortiClient EMS security software (CVE-2023-48788). These new access operations built upon previous efforts between 2021 and 2023 which predominantly affected Ukraine, Europe, and specific verticals in Central and South Asia, and the Middle East.
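Both products named above ship version-numbered releases, so the first practical check for a defender is an inventory sweep for installs still below the fixed build. The following is an added example, not code from Microsoft's report or from this article. It assumes, and you should verify against the vendor advisories, that CVE-2024-1709 was fixed in ScreenConnect 23.9.8 and that CVE-2023-48788 was fixed in FortiClient EMS 7.0.11 and 7.2.3 for the 7.0 and 7.2 branches; releases on a branch not covered by those rules are reported as unknown rather than assumed safe. The inventory and hostnames are constructed sample data.

```python
"""Flag inventory entries still below the fixed release for their branch.

Added example; not the vendor's or Microsoft's code. Fixed versions below are
assumptions to confirm against the ConnectWise and Fortinet advisories.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    host: str
    product: str
    version: str


def parse_version(s: str) -> tuple[int, ...]:
    """'23.9.7.8804' -> (23, 9, 7, 8804); non-digits in a part are ignored."""
    parts = []
    for piece in s.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


# product -> list of (branch prefix, fixed version).
# An empty branch prefix matches every release of the product.
# ASSUMED values; check the vendor advisories before relying on them.
FIXES = {
    "ScreenConnect": [((), "23.9.8")],                        # CVE-2024-1709
    "FortiClient EMS": [((7, 0), "7.0.11"), ((7, 2), "7.2.3")],  # CVE-2023-48788
}


def assess(product: str, version: str) -> str:
    """Return 'vulnerable', 'patched', 'unknown-branch' or 'not-tracked'."""
    rules = FIXES.get(product)
    if rules is None:
        return "not-tracked"
    v = parse_version(version)
    for branch, fixed in rules:
        if v[: len(branch)] == branch:
            # Tuple comparison: (23, 9, 7, 8804) < (23, 9, 8) is True,
            # and (23, 9, 8, 8811) < (23, 9, 8) is False.
            return "vulnerable" if v < parse_version(fixed) else "patched"
    # A branch the rules do not cover is not evidence of safety.
    return "unknown-branch"


def find_exposed(inventory: list[Asset]) -> list[tuple[str, str]]:
    """Hosts that need attention: vulnerable or on an unassessed branch."""
    return [
        (a.host, status)
        for a in inventory
        if (status := assess(a.product, a.version)) in ("vulnerable", "unknown-branch")
    ]


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    Asset("rmm-01", "ScreenConnect", "23.9.7.8804"),
    Asset("rmm-02", "ScreenConnect", "23.9.8.8811"),
    Asset("ems-01", "FortiClient EMS", "7.2.2"),
    Asset("ems-02", "FortiClient EMS", "7.0.11"),
    Asset("ems-03", "FortiClient EMS", "6.4.9"),
    Asset("web-01", "nginx", "1.24.0"),
]

if __name__ == "__main__":
    for host, status in find_exposed(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

The branch-aware rule table matters more than it looks: a naive "anything below 7.2.3" check would wrongly mark 7.0.11 as vulnerable, and a naive "7.0.11 or higher" check would wrongly mark 7.2.2 as patched.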
Microsoft detailed that due to their specialization in computer network exploitation (CNE) and expertise targeting critical infrastructure such as ICS and supervisory control and data acquisition systems (SCADA), Seashell Blizzard’s operations have frequently been leveraged during military conflicts and as an adaptable element during contentious geopolitical events. “Historically, some of Seashell Blizzard’s operations may be considered part of a spectrum of retaliatory actions sometimes used by the Russian Federation.”
Also, since Russia invaded Ukraine in 2022, Seashell Blizzard has conducted a steady stream of operations complementing Russian military objectives. The threat actor’s strategic targets in the region have included critical infrastructure such as energy and water, government, military, transportation and logistics, manufacturing, telecommunications, and other supportive civilian infrastructure.
Microsoft disclosed that since at least April 2023, Seashell Blizzard has increased targeting of military communities in the region, likely for tactical intelligence gain. Their persistent targeting of Ukraine suggests Seashell Blizzard is tasked to obtain and retain access to high-priority targets to provide the Russian military and Russian government with a range of options for future actions.
“Seashell Blizzard’s network intrusions leverage diverse tradecraft and typically employ a range of common publicly available tools, including Cobalt Strike and DarkCrystalRAT,” the post added. “Network intrusions linked to the threat actor have affected multiple tiers of infrastructure, showcasing Seashell Blizzard’s abilities to target end users, network perimeters, and vertical-specific systems leveraging both publicly available and custom exploits and methods.”
Microsoft identified that since February 2022, Seashell Blizzard has generally taken three approaches to their network intrusions – targeted, opportunistic, and hybrid. Seashell Blizzard has frequently used tailored mechanisms to access targets, including scanning and exploitation of specific victim infrastructure, phishing, and modifying legitimate functionality of existing systems to either expand network access or obtain confidential information.
Seashell Blizzard has increasingly used broad exploitation of Internet-facing infrastructure and distribution of malware implants spread through trojanized software to achieve scalable but indiscriminate access. In cases where a resulting victim is identified as strategically valuable, Microsoft Threat Intelligence has observed the threat actor conducting significant post-compromise activities.
Also, Seashell Blizzard has very likely gained access to target organizations using a limited supply-chain attack narrowly focused within Ukraine, an operation that was recently mitigated by the Computer Emergency Response Team of Ukraine (CERT-UA). Other hybrid methods have included the compromise of regionally managed IT service providers, which often afforded regional or vertical-specific access to diverse targets.
Microsoft Threat Intelligence assesses that the initial access subgroup is linked to Seashell Blizzard. Despite the subgroup’s opportunistic tactics, Microsoft said it can distinguish this subgroup by its consistent use of distinct exploits, tooling, infrastructure, and late-stage methods used to establish persistence.
Moreover, the post added that its “longstanding forensic investigation uncovered distinct post-compromise activities, a part of which incorporated specific operational capabilities and resources chiefly utilized by Seashell Blizzard. We have also observed the initial access subgroup to pursue access to an organization prior to a Seashell Blizzard-linked destructive attack.”
The subgroup’s historical pattern of exploitation has also led to the compromise of globally diverse organizations that appear to have limited or no utility to Russia’s strategic interests. This pattern suggests the subgroup likely uses an opportunistic ‘spray and pray’ approach to achieving compromises at scale to increase the likelihood of acquiring access to targets of interest with limited tailored effort.
In cases where a strategically significant target is compromised, Microsoft said it has “observed significant later post-compromise activity. The geographic focus of the subgroup frequently transitions between broad campaigns against multiple geographic targets and a narrow focus on specific regions or countries, demonstrating the subgroup’s flexibility to pursue unique regional objectives.”
In its conclusion, the post noted that Seashell Blizzard serves as Russia’s leading cyber capability in Ukraine. Microsoft Threat Intelligence assesses that this access subgroup will likely continue to develop new, horizontally scalable techniques to compromise networks, both in Ukraine and globally, in alignment with Russia’s wartime objectives and shifting national priorities. “This subgroup, which is characterized within the broader Seashell Blizzard organization by its near-global reach, represents an expansion in both the geographical targeting conducted by Seashell Blizzard and the scope of its operations.”
At the same time, it recognized that Seashell Blizzard’s far-reaching, opportunistic access methods likely offer Russia expansive opportunities for niche operations and activities that will continue to be valuable over the medium term.
Earlier this month, the U.S. Department of Homeland Security (DHS) reportedly issued a bulletin warning that internet-connected cameras manufactured in China could potentially be exploited for espionage targeting the nation’s critical infrastructure installations. According to the bulletin, these cameras usually lack data encryption and secure configuration settings, leaving them vulnerable to cyber threats. Additionally, the cameras are designed to communicate with their manufacturers by default, raising concerns about unauthorized data access and surveillance.