Full Report
A team Microsoft calls BadPilot is acting as Sandworm's “initial access operation,” the company says. And over the last year it's trained its sights on the US, the UK, Canada, and Australia.
Analysis Summary
# Threat Actor: Sandworm (BadPilot sub-unit)
## Attribution & Identity
Sandworm is identified as the Kremlin's "most aggressive cyberwar unit," historically associated with Russia’s GRU military intelligence agency.
**Known Aliases and Associated Groups:**
* **BadPilot:** A specific team/sub-unit within Sandworm tracked by Microsoft, described as an "initial access operation."
* **Seashell Blizzard:** Another name Microsoft uses to refer to the broader Sandworm group.
## Activity Summary
BadPilot operates as an initial access broker for the larger Sandworm organization. They conduct high-volume intrusion attempts globally, sort through successful breaches, and then hand off access to other Sandworm elements for follow-on actions like data theft or disruptive cyberattacks.
**Historical Activities and Campaigns:**
* **Over the last decade:** Sandworm has focused heavily on tormenting Ukraine, including carrying out electrical utility attacks resulting in blackouts.
* **NotPetya:** The group is associated with the release of the NotPetya malware, which caused at least $10 billion in global damage.
* **Wiper Attacks:** Sandworm has used wiper malware to destroy networks in Ukraine both before and after the 2022 invasion.
* **2022 Targeting:** Primarily focused on Ukraine.
* **2023 Targeting:** Broadened hacking campaigns to networks worldwide.
* **2024 Targeting:** Shifted focus toward victims in the US, UK, Canada, and Australia.
* **Ukrainian Espionage (Separate Campaign tracked by EclecticIQ):** Since late 2023, a Sandworm campaign has targeted Ukrainian government networks using Trojanized Microsoft KMS activation tools distributed via BitTorrent.
## Tactics, Techniques & Procedures
**Initial Access/Exploitation:**
* Exploiting known but unpatched vulnerabilities in internet-facing software.
* Exploitation of flaws in Microsoft Exchange and Outlook.
* Exploitation of flaws in OpenFire, JetBrains, and Zimbra applications.
* Recently exploited vulnerabilities in ConnectWise ScreenConnect (a remote access tool) and Fortinet FortiClient EMS.
* **(Ukrainian Targeting):** Malware-infected Windows piracy tools distributed via BitTorrent.
**Persistence/C2:**
* Installing legitimate remote access tools for persistent access (e.g., Atera Agent or Splashtop Remote Services).
* Setting up victim computers to run as an onion service on the Tor anonymity network to hide communications.
**Other TTPs:**
* **(Ukrainian Espionage):** Installation of Dark Crystal RAT for cyberespionage.
* **Disruption:** Known history of causing blackouts by targeting electric utilities; use of wiper malware.
**MITRE ATT&CK IDs:** (None explicitly mentioned in the text)
## Targeting
**Sectors:**
* Energy
* Oil and Gas
* Telecommunications
* Shipping
* Arms Manufacturing
* International Governments
**Geography:**
* **Historically:** Primarily Ukraine.
* **Most Recently (2024):** United States (US), United Kingdom (UK), Canada, and Australia.
* **General:** Worldwide (2023).
**Victims:**
* No specific Western victims were named in the BadPilot report.
* Ukrainian targets have suffered data-destroying cyberattacks following BadPilot intrusions.
* Ukrainian government networks targeted in the separate espionage campaign.
## Tools & Infrastructure
**Malware and Tools Used:**
* Atera Agent (Legitimate remote access tool used for persistence)
* Splashtop Remote Services (Legitimate remote access tool used for persistence)
* Dark Crystal RAT (Used in Ukrainian espionage campaign)
* NotPetya (Associated historical malware)
* Wiper malware (Historical use)
**Infrastructure:**
* Utilizes the **Tor anonymity network** for C2 by turning compromised victim machines into onion services.
## Implications
BadPilot’s activity is significant because it represents the initial infiltration phase for Sandworm, a state-sponsored group with a record of destructive cyber warfare (blackouts, NotPetya, wipers). While current BadPilot activity on Western networks appears limited to early-stage espionage and resource gathering, the group’s established history means highly disruptive follow-on actions remain a deep concern, possibly linked to evolving global political landscapes and elections.
## Mitigations
* Immediately patch known vulnerabilities, specifically those in Microsoft Exchange/Outlook, OpenFire, JetBrains, Zimbra, ConnectWise ScreenConnect, and Fortinet FortiClient EMS.
* Monitor endpoints for the installation or execution of legitimate remote access tools such as Atera Agent or Splashtop Remote Services on hosts where they are not authorized.
* Investigate and monitor for unusual network traffic to the Tor anonymity network originating from internal endpoints.
* For Ukrainian networks, be wary of Trojanized Windows piracy tools distributed via peer-to-peer sharing methods such as BitTorrent.
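The two monitoring items above (unauthorized remote access tools and Tor on endpoints) can be expressed as a simple allowlist check over endpoint telemetry. This is an added example, not code from the report or from Microsoft; it assumes JSON-lines events with `host`, `event`, `image` and `user` fields, and the executable names it matches (`AteraAgent.exe`, `SRService.exe`, `tor.exe`) are assumptions to be verified against your own software inventory.

```python
"""Flag remote-access and Tor binaries on hosts where they are not authorized."""
import json
from pathlib import PurePath

# Tool name -> executable names expected on disk (ASSUMED names; verify locally).
TOOL_BINARIES = {
    "Atera Agent": {"ateraagent.exe"},
    "Splashtop Remote Services": {"srservice.exe", "srmanager.exe"},
    "Tor": {"tor.exe", "tor"},
}

# Hosts where a tool is sanctioned (constructed allowlist for this example).
AUTHORIZED = {
    "Splashtop Remote Services": {"helpdesk-01"},
}


def classify(image: str):
    """Return the tool a process image belongs to, or None. Name matching
    is a weak signal: a renamed binary evades it, so pair with hash/signer checks."""
    name = PurePath(image.replace("\\", "/")).name.lower()
    for tool, names in TOOL_BINARIES.items():
        if name in names:
            return tool
    return None


def find_unauthorized(lines):
    """Yield findings for tool events on hosts not in the allowlist."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry line; skip rather than crash
        tool = classify(ev.get("image", ""))
        if tool is None or ev.get("host") in AUTHORIZED.get(tool, set()):
            continue
        findings.append({"host": ev["host"], "tool": tool,
                         "event": ev.get("event"), "user": ev.get("user")})
    return findings


# Constructed sample telemetry (not real logs).
SAMPLE = r"""
{"host": "helpdesk-01", "event": "service_install", "image": "C:\\Program Files\\Splashtop\\SRService.exe", "user": "SYSTEM"}
{"host": "fileserver-02", "event": "service_install", "image": "C:\\Program Files\\ATERA Networks\\AteraAgent.exe", "user": "SYSTEM"}
{"host": "eng-ws-17", "event": "process_start", "image": "C:\\Users\\Public\\svc\\tor.exe", "user": "eng-ws-17\\alice"}
{"host": "eng-ws-17", "event": "process_start", "image": "C:\\Windows\\System32\\svchost.exe", "user": "SYSTEM"}
"""

if __name__ == "__main__":
    for finding in find_unauthorized(SAMPLE.splitlines()):
        print(finding)
```

The Splashtop install on `helpdesk-01` is allowlisted and ignored; the Atera install on `fileserver-02` and the Tor process on `eng-ws-17` are reported.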