Report · Severity: High · 2025-02-12

Microsoft details Seashell Blizzard 'BadPilot' subgroup multi-year access ops

published by Microsoft Threat Intelligence
Actor
Sandworm · RU · Russia · APT

Russian military-intelligence (GRU Unit 74455) intrusion set responsible for some of the most destructive cyberattacks publicly attributed to a nation-state: the 2015 and 2016 Ukrainian power-grid ou…

Summary

Microsoft Threat Intelligence published research on a Sandworm (Seashell Blizzard) initial-access subgroup whose campaign it tracks as BadPilot. Active since at least 2021, the subgroup opportunistically exploits internet-facing services (notably ConnectWise ScreenConnect and Fortinet FortiClient EMS since early 2024) to gain a foothold, then establishes persistent access that is handed off for follow-on Sandworm operations. Since 2024 its targeting has expanded to U.S. and U.K. organizations across energy, oil and gas, telecommunications, shipping, arms manufacturing, and government.

Tags

initial-access · edge-devices · gru · us · uk

Primary source

microsoft.com
