
Microsoft researchers have uncovered the “BadPilot campaign,” run by a threat subgroup working behind the scenes to support the Kremlin-backed hacking cartel Seashell Blizzard, which has been responsible for years of persistent attacks on high-value targets worldwide.
The Seashell Blizzard subgroup has been responsible for running the long-term BadPilot cyber campaign since at least 2021, Microsoft Threat Intelligence researchers revealed in a blog post on Thursday.
The Kremlin-linked hackers have been aggressively targeting high-value targets and internet-facing infrastructure worldwide as a way to expand Russia’s cyber reach far beyond Eastern Europe, Microsoft said.
Previously linked to Russia’s Military Intelligence Unit 74455 (GRU), Seashell Blizzard has historically focused on espionage, cyber-disruptions, and attacks on critical infrastructure, particularly in Ukraine.
“Since April 2022, Russia-aligned threat actors have increasingly targeted international organizations that are either geopolitically significant or provide military and/or political support to Ukraine,” Microsoft said.
But now, Microsoft says the BadPilot subgroup has broadened its scope, infiltrating critical infrastructure organizations in energy, telecommunications, shipping, and arms manufacturing, as well as targeting government sectors worldwide.

Since early 2024, the subgroup has been observed targeting US and UK-based entities by exploiting vulnerabilities in ConnectWise ScreenConnect IT remote management and monitoring software (CVE-2024-1709) and Fortinet FortiClient EMS security software (CVE-2023-48788) to gain initial access to its target systems.
Simon Phillips, Chief Technology Officer (CTO) at security automation firm SecureAck, pointed out that the threat landscape has evolved beyond script kiddies and financially driven attackers. "State-sponsored actors are now a serious reality," he explains.
"This discovery is alarming for UK organizations as it highlights how Russian state-sponsored actors are exploiting CVEs to infiltrate networks, conduct surveillance, and launch attacks,” Phillips said.
The research states that these "new access operations have been built upon previous efforts between 2021 and 2023, which primarily affected Ukraine, Europe, and key industries in Central and South Asia, as well as the Middle East.”
Opportunistic and Strategic
Known for using diverse attack methods, researchers say BadPilot’s adaptability has allowed Seashell Blizzard to easily pivot between broad campaigns and precisely focused attacks.
And, while some of the group's hacking efforts appear to be opportunistic – exploiting security weaknesses at scale – Microsoft warns that these breaches provide Russia with a menu of cyber options aligned with its evolving strategic goals.
“Their persistent targeting of Ukraine suggests Seashell Blizzard is tasked to obtain and retain access to high-priority targets to provide the Russian military and Russian government a range of options for future actions,” Microsoft said.
What’s more, Seashell Blizzard is said to have been frequently deployed during military conflicts and contentious geopolitical events, and may actually “be considered part of a spectrum of the Russian Federation’s retaliatory actions.”
Microsoft is publishing research into a subgroup within the Russian state actor Seashell Blizzard and its multiyear initial access operation, tracked by Microsoft Threat Intelligence as the “BadPilot campaign”. https://t.co/hQgVpstRGl
– Microsoft Threat Intelligence (@MsftSecIntel) February 12, 2025
“Cybercrime is now closely tied to geopolitical tensions, so it’s no surprise BadPilot has been carrying out serious attacks against the West. However, the real concern is that these operations remained largely unnoticed until Microsoft published these findings,” said Phillips.
“The biggest concern is how stolen intelligence is being used to enhance these attacks and support their overall agendas," he added.
The Russian hackers are said to use a mix of publicly available tools, such as Cobalt Strike and DarkCrystalRAT, custom network exploits, and multi-layered attacks to compromise network perimeters, infiltrate end-user systems, and manipulate industrial control systems (ICS) and SCADA networks.
Here is a breakdown of the types of attacks carried out by Seashell Blizzard:
- Targeted attacks using scanning and exploitation of specific victim infrastructure, phishing, and modifying existing systems to either expand network access or obtain confidential information.
- Opportunistic attacks using exploitation of Internet-facing infrastructure, distribution of malware via trojanized software, and conducting significant post-compromise activities.
- Hybrid attacks (especially focused on organizations within Ukraine) such as limited supply-chain attacks and compromise of regional managed IT service providers.
In support of Seashell Blizzard
Active since at least 2013, Microsoft says Seashell Blizzard’s “prolific operations include destructive attacks such as KillDisk (2015) and FoxBlade (2022), supply-chain attacks (MeDoc, 2017), and pseudo-ransomware attacks such as NotPetya (2017) and Prestige (2022).”
Detailing the subgroup’s recently observed tactics, techniques, and procedures (TTPs), Microsoft identified several distinct exploitation patterns in Seashell Blizzard’s overall arsenal, including:
- Deployment of remote management and monitoring (RMM) suites for persistence and command and control (February 24, 2024 – present)
- Web shell deployment for persistence and C2 (late 2021 – present)
- Modification of infrastructure to expand network influence through credential collection (late 2021 – 2024)
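The first two patterns in the list above, web shell deployment and RMM-based persistence, leave traces a defender can look for. The following is an added example written for this article, not code from Microsoft's research or from any of the products named: it runs simple detection logic over constructed sample data (a file-creation audit feed, web server access log lines, and service-install events). The internal network ranges, the approved-RMM set and the RMM watchlist are assumptions an organisation would replace with its own.

```python
"""
Added example (not from the article or Microsoft's research): detection logic
for two of the Seashell Blizzard patterns listed above, run over constructed
sample data.

  1. Web shell deployment: a new script file appears under a web root and is
     then hit with POST requests from an external address.
  2. Unapproved RMM deployment: a remote management agent is installed that is
     not on the organisation's approved list.
"""
from collections import defaultdict
import ipaddress
import re

# --- Constructed sample data (not real telemetry) --------------------------

# Constructed file-creation audit events: (timestamp, host, path).
FILE_EVENTS = [
    ("2024-03-01T10:02:11", "web01", "/var/www/html/images/logo.png"),
    ("2024-03-01T10:05:42", "web01", "/var/www/html/uploads/cache.aspx"),
    ("2024-03-01T10:05:50", "web02", "/var/www/html/index.html"),
]

# Constructed web server access log lines (Apache/Nginx combined format).
ACCESS_LOG = """\
203.0.113.7 - - [01/Mar/2024:10:06:03 +0000] "POST /uploads/cache.aspx HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [01/Mar/2024:10:06:09 +0000] "POST /uploads/cache.aspx HTTP/1.1" 200 2048 "-" "python-requests/2.31"
198.51.100.5 - - [01/Mar/2024:10:07:00 +0000] "GET /images/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.12 - - [01/Mar/2024:10:08:00 +0000] "POST /index.html HTTP/1.1" 405 0 "-" "Mozilla/5.0"
"""

# Constructed service-install events: (host, service display name).
SERVICE_EVENTS = [
    ("ws-045", "ScreenConnect Client (approved-tenant)"),
    ("ws-112", "Atera Agent"),
    ("ws-113", "Windows Update"),
]

WEB_ROOT = "/var/www/html"
SCRIPT_EXTS = (".aspx", ".ashx", ".asp", ".php", ".jsp", ".jspx")

# Assumption: RFC 1918 ranges are "internal"; everything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: the organisation's one sanctioned RMM deployment, plus a
# watchlist of RMM product names that should not appear anywhere else.
APPROVED_RMM = {"screenconnect client (approved-tenant)"}
RMM_WATCHLIST = ("screenconnect", "atera", "splashtop", "anydesk", "teamviewer")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_access_log(text):
    """Parse combined-format lines into dicts; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def is_external(ip):
    """True when the address is outside the assumed internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def find_webshell_candidates(file_events, access_log_text, web_root=WEB_ROOT):
    """Return {url_path: [external IPs]} for newly created script files under
    the web root that subsequently received POST requests from outside."""
    new_scripts = {}
    for _, host, path in file_events:
        if path.startswith(web_root) and path.lower().endswith(SCRIPT_EXTS):
            new_scripts[path[len(web_root):]] = host
    hits = defaultdict(set)
    for row in parse_access_log(access_log_text):
        if (row["method"] == "POST" and row["path"] in new_scripts
                and is_external(row["ip"])):
            hits[row["path"]].add(row["ip"])
    return {p: sorted(ips) for p, ips in hits.items()}


def find_unapproved_rmm(service_events):
    """Return (host, service) pairs for RMM agents outside the approved set."""
    flagged = []
    for host, name in service_events:
        lname = name.lower()
        if any(tag in lname for tag in RMM_WATCHLIST) and lname not in APPROVED_RMM:
            flagged.append((host, name))
    return flagged


if __name__ == "__main__":
    print("web shell candidates:", find_webshell_candidates(FILE_EVENTS, ACCESS_LOG))
    print("unapproved RMM installs:", find_unapproved_rmm(SERVICE_EVENTS))
```

On the constructed data the web shell check flags `/uploads/cache.aspx` with the single external source `203.0.113.7`, and the RMM check flags the `Atera Agent` install on `ws-112` while leaving the sanctioned ScreenConnect client alone. Correlating a file-creation event with later POST traffic is what keeps the first check from firing on every static file under the web root; the second check deliberately matches on service name only, so an organisation would pair it with its own inventory of approved agents.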
Adept at gaining initial access, the subgroup is known, once inside, for establishing persistence and moving laterally within networks, which has led to substantial regional network compromises, Microsoft said.

Microsoft further believes BadPilot’s actions may have contributed to numerous destructive cyberattacks in Ukraine since 2023, specifically targeting the nation’s energy, retail, education, consulting, and agriculture sectors.
Microsoft also notes that the group’s post-breach tactics have evolved, making detection and response more challenging for targeted industries.
Microsoft, which is actively tracking Seashell Blizzard and its subgroup, urges businesses and governments to stay vigilant against this persistent and still-evolving threat by hardening network systems. This includes strengthening the operating environment and anti-virus configuration, continuously monitoring network activity for signs of compromise, and having robust endpoint detection, among other things.
Phillips further explains that the tactics used by the group “only reaffirm a growing uptake in the exploitation of internet-facing infrastructure for gaining access to enterprise networks,” adding that organizations must use this as a catalyst to strengthen their systems, highlighting the need for continuous patch management.
“Given the volumes of vulnerabilities, automating patch deployment is essential because, without it, organizations are playing catchup, often missing critical patches and leaving themselves exposed to attack," he said.
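The patch-management point above is easiest to act on when exposure is computed rather than eyeballed. The following is an added example, not code from the article, Microsoft, or either vendor: it compares a constructed software inventory against the two CVEs named in the article and ranks internet-facing hosts first, since that is the access vector the campaign relies on. The hostnames, installed versions and the `fixed_in` thresholds are all placeholders for this example; the real fix versions must be taken from the vendor advisories.

```python
"""
Added example (not from the article): a patch-exposure check of the kind
continuous patch management depends on. Inventory data and version thresholds
are constructed placeholders, not the vendors' real fix versions.
"""
from collections import namedtuple

Advisory = namedtuple("Advisory", "cve product fixed_in")
Host = namedtuple("Host", "name product version internet_facing")

# CVE identifiers are those named in the article. The fixed_in values are
# PLACEHOLDERS for this example; replace with the vendor advisory's fix version.
ADVISORIES = [
    Advisory("CVE-2024-1709", "ConnectWise ScreenConnect", "2.0.0"),
    Advisory("CVE-2023-48788", "FortiClient EMS", "3.4.2"),
]

# Constructed inventory (hostnames and versions are invented).
INVENTORY = [
    Host("rmm-gw-01", "ConnectWise ScreenConnect", "1.9.5", True),
    Host("rmm-int-03", "ConnectWise ScreenConnect", "1.8", False),
    Host("rmm-lab-02", "ConnectWise ScreenConnect", "2.0.1", False),
    Host("ems-01", "FortiClient EMS", "3.4.0", True),
    Host("ems-02", "FortiClient EMS", "3.4.2", False),
    Host("files-01", "Unrelated Product", "7.1.0", True),
]


def parse_version(text):
    """Turn '1.9.5' or '2.0.1-hotfix' into a tuple of ints, ignoring suffixes."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(installed, fixed_in):
    """True when the installed version is older than the fix version.
    Shorter tuples are zero-padded so '1.8' compares as '1.8.0'."""
    a, b = parse_version(installed), parse_version(fixed_in)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def exposure_report(hosts, advisories):
    """Return (priority, host, cve, installed, fixed_in) rows, P1 first.
    P1 = vulnerable and internet-facing; P2 = vulnerable but internal only."""
    findings = []
    for adv in advisories:
        for h in hosts:
            if h.product == adv.product and is_vulnerable(h.version, adv.fixed_in):
                priority = "P1" if h.internet_facing else "P2"
                findings.append((priority, h.name, adv.cve, h.version, adv.fixed_in))
    findings.sort()
    return findings


if __name__ == "__main__":
    for row in exposure_report(INVENTORY, ADVISORIES):
        print("%s %-12s %-15s installed=%s fixed_in=%s" % row)
```

With the constructed inventory the report lists the two internet-facing hosts (`ems-01`, `rmm-gw-01`) as P1 and the internal `rmm-int-03` as P2; hosts already at or above the threshold, and products the advisories do not cover, produce no rows. Feeding the same function from a real CMDB export and the vendor's published fix versions turns the CTO's "playing catchup" problem into a list that can be sorted and worked.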