Full Report
A subgroup of the Russian state-sponsored hacking group APT44, also known as 'Seashell Blizzard' and 'Sandworm', has been targeting critical organizations and governments in a multi-year campaign dubbed 'BadPilot.' [...]
Analysis Summary
# Threat Actor: Sandworm (Associated with BadPilot Network Hacking Campaign)
## Attribution & Identity
The threat actor is identified as **Sandworm**, a Russian state-sponsored hacking group whose subgroup conducted the **BadPilot network hacking campaign**. The article also refers to the group as **APT44** and **Seashell Blizzard**. The subgroup has a "near-global reach" and is credited with expanding the geographical targeting of Seashell Blizzard.
## Activity Summary
Sandworm has been actively involved in extensive hacking operations targeting internet-facing infrastructure, credential theft, and supply chain attacks.
* **Recent Focus (2024):** Started using legitimate IT remote management tools (Atera Agent, Splashtop Remote Services) to execute commands and mimic IT administrators to evade security measures.
* **Supply Chain Exploitation:** Highly effective use of supply chain attacks, specifically targeting regionally managed IT service providers (MSPs) in Europe and Ukraine to gain access to those providers' multiple clients.
* **Novel Technique (2024):** Routing traffic through the **Tor network** to hide inbound connections, cloaking both actor and victim environments from exposure.
* **General Operations:** Performs lateral movement, modifies infrastructure (DNS configuration, new services, scheduled tasks), and establishes backdoor access via OpenSSH with unique public keys.
## Tactics, Techniques & Procedures
- **Initial Access via Vulnerability Exploitation:** Exploiting known vulnerabilities in widely used systems:
  - CVE-2021-34473 (Microsoft Exchange)
  - CVE-2022-41352 (Zimbra Collaboration Suite)
  - CVE-2023-32315 (OpenFire)
  - CVE-2023-42793 (JetBrains TeamCity)
  - CVE-2023-23397 (Microsoft Outlook)
  - CVE-2024-1709 (ConnectWise ScreenConnect)
  - CVE-2023-48788 (Fortinet FortiClient EMS)
- **Persistence:** Deployment of custom web shells, specifically 'LocalOlive'.
- **Defense Evasion:** Using legitimate IT remote management tools (Atera Agent, Splashtop Remote Services) to blend in as IT administrative traffic.
- **Credential Access/Theft:** Using **Procdump** or manipulating the **Windows registry** to steal credentials.
- **Exfiltration:** Use of **Rclone, Chisel, and Plink** to move data through covert network tunnels.
- **Command and Control (C2):** Traffic routed through the **Tor network**.
- **Persistence/Backdoors:** Configuration of backdoor access using **OpenSSH** with unique public keys.
- **Network Modification:** Manipulation of DNS configurations, creation of new services, and scheduling new tasks.
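The post-exploitation behaviours listed above (Procdump against LSASS, registry hive saves, Rclone/Chisel/Plink, unapproved RMM installs, scheduled-task and service creation) can be expressed as simple hunting rules over process-creation telemetry. The following Python is an added example, not code from the article or from Microsoft; the Sysmon-like JSON field names (`user`, `image`, `cmdline`, `parent`), the sample events, and the `APPROVED_RMM_OPERATORS` allowlist are all constructed for the example.

```python
"""Hunt for BadPilot-style post-exploitation behaviour in process-creation events.

Added example: the event shape is Sysmon-like JSON (an assumption, not real
telemetry) and every event below is constructed for illustration.
"""
import json
import re

# Constructed sample telemetry: one JSON object per line.
SAMPLE_EVENTS = r"""
{"id": 1, "user": "CORP\\svc-backup", "image": "C:\\Tools\\procdump64.exe", "cmdline": "procdump64.exe -ma lsass.exe lsass.dmp", "parent": "cmd.exe"}
{"id": 2, "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\reg.exe", "cmdline": "reg save HKLM\\SAM C:\\Users\\Public\\sam.hiv", "parent": "powershell.exe"}
{"id": 3, "user": "CORP\\jdoe", "image": "C:\\Users\\Public\\rclone.exe", "cmdline": "rclone.exe copy C:\\Finance remote:bucket", "parent": "cmd.exe"}
{"id": 4, "user": "CORP\\jdoe", "image": "C:\\Users\\Public\\chisel.exe", "cmdline": "chisel.exe client example:8080", "parent": "cmd.exe"}
{"id": 5, "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\schtasks.exe", "cmdline": "schtasks /create /tn Updater /tr C:\\Users\\Public\\run.bat /sc onlogon", "parent": "cmd.exe"}
{"id": 6, "user": "CORP\\jdoe", "image": "C:\\Users\\jdoe\\Downloads\\AteraAgentSetup.exe", "cmdline": "AteraAgentSetup.exe /quiet", "parent": "explorer.exe"}
{"id": 7, "user": "CORP\\it-admin", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe notes.txt", "parent": "explorer.exe"}
{"id": 8, "user": "CORP\\it-admin", "image": "C:\\Temp\\AteraAgentSetup.exe", "cmdline": "AteraAgentSetup.exe /quiet", "parent": "explorer.exe"}
"""

# Assumed allowlist: accounts permitted to deploy the organisation's RMM tooling.
APPROVED_RMM_OPERATORS = {"corp\\it-admin"}
TUNNEL_TOOLS = {"rclone.exe", "chisel.exe", "plink.exe"}
RMM_MARKERS = ("atera", "splashtop")
# "reg save" of the hives that hold local credential material.
CRED_HIVE_SAVE = re.compile(r"reg(\.exe)?\s+save\s+hklm\\(sam|security|system)\b", re.I)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_lsass_dump(ev: dict) -> bool:
    """Procdump (any build) with lsass on the command line."""
    return "procdump" in _basename(ev["image"]) and "lsass" in ev["cmdline"].lower()


def rule_registry_hive_save(ev: dict) -> bool:
    """reg.exe saving SAM/SECURITY/SYSTEM to disk."""
    return CRED_HIVE_SAVE.search(ev["cmdline"]) is not None


def rule_tunnel_tool(ev: dict) -> bool:
    """Execution of the tunnelling/exfiltration tools named in the report."""
    return _basename(ev["image"]) in TUNNEL_TOOLS


def rule_unapproved_rmm(ev: dict) -> bool:
    """RMM agent activity by an account outside the approved operator set."""
    haystack = _basename(ev["image"]) + " " + ev["cmdline"].lower()
    return any(m in haystack for m in RMM_MARKERS) and ev["user"].lower() not in APPROVED_RMM_OPERATORS


def rule_task_or_service_creation(ev: dict) -> bool:
    """New scheduled task or service created from the command line."""
    base, cmd = _basename(ev["image"]), ev["cmdline"].lower()
    return (base == "schtasks.exe" and "/create" in cmd) or (base == "sc.exe" and " create " in cmd)


RULES = [
    ("lsass_dump", rule_lsass_dump),
    ("registry_hive_save", rule_registry_hive_save),
    ("tunnel_tool", rule_tunnel_tool),
    ("unapproved_rmm", rule_unapproved_rmm),
    ("task_or_service_creation", rule_task_or_service_creation),
]


def parse_events(text: str) -> list:
    """Parse JSON-lines telemetry into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def hunt(events: list) -> dict:
    """Return {event_id: [matched rule names]} for events that match at least one rule."""
    hits = {}
    for ev in events:
        matched = [name for name, pred in RULES if pred(ev)]
        if matched:
            hits[ev["id"]] = matched
    return hits


if __name__ == "__main__":
    for event_id, matched in hunt(parse_events(SAMPLE_EVENTS)).items():
        print(f"event {event_id}: {', '.join(matched)}")
```

The rules are deliberately keyed on file names and command-line strings, which an actor can rename; in production the same logic belongs in the SIEM or EDR query language, enriched with signer and hash data, and the RMM rule should be driven by the organisation's real change-management records rather than a static set.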
## Targeting
- **Sectors:** Organizations utilizing the vulnerable software listed above, particularly organizations targeted through managed IT service providers.
- **Geography:** Described as having **"near-global reach,"** with specific emphasis noted on operations targeting **Europe and Ukraine**.
- **Victims:** Regionally managed **IT service providers** (as a vector) and their subsequent clients.
## Tools & Infrastructure
- **Malware families used:** Custom web shells ('LocalOlive').
- **Legitimate Tools Abused:** Atera Agent, Splashtop Remote Services, Procdump, Rclone, Chisel, Plink.
- **Infrastructure (C2, domains, IPs):** Traffic routed through the **Tor network** for obfuscation. Backdoor configuration via **OpenSSH**.
## Implications
Sandworm remains a highly adaptive and sophisticated threat, leveraging zero-day/n-day vulnerabilities (as evidenced by the list of recent CVEs exploited) and combining them with legitimate remote administration tools to maintain persistence and evade modern detection methods. Their focus on MSPs demonstrates a strategic move to maximize impact through supply chain compromise, allowing them to pivot into multiple critical networks across Europe and Ukraine simultaneously. The use of Tor significantly increases the difficulty of tracing and blocking command-and-control communications.
## Mitigations
- Implement immediate patching for all cited vulnerabilities across affected infrastructure:
  - Microsoft Exchange (CVE-2021-34473)
  - Zimbra Collaboration Suite (CVE-2022-41352)
  - OpenFire (CVE-2023-32315)
  - JetBrains TeamCity (CVE-2023-42793)
  - Microsoft Outlook (CVE-2023-23397)
  - ConnectWise ScreenConnect (CVE-2024-1709)
  - Fortinet FortiClient EMS (CVE-2023-48788)
- Monitor for the deployment of custom web shells like 'LocalOlive'.
- Tighten monitoring and governance over the use of legitimate remote management tools (Atera Agent, Splashtop) to distinguish legitimate administrative activity from actor intrusion.
- Implement strong credential hygiene and monitor for credential dumping techniques involving Procdump or registry manipulation.
- Enhance outbound network monitoring to detect data exfiltration attempts using protocols associated with Rclone, Chisel, or Plink, especially if traffic appears masked or tunneled.
- Improve defenses against lateral movement, focusing on DNS changes and the unauthorized creation of new services or scheduled tasks.
- Defend against OpenSSH backdoors by ensuring strict management of public keys used for access.
- Researchers are advised to use provided hunting queries, IoCs, and YARA rules (as mentioned in the source) for detection.
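The OpenSSH backdoor mitigation above comes down to knowing which public keys are allowed on each host and flagging any key that is not in that inventory. The following Python is an added example, not code from the article or from the OpenSSH project: it parses `authorized_keys` entries (including the options prefix), computes the same SHA256 fingerprint form that `ssh-keygen -l` prints, and reports keys absent from an approved inventory. The key blobs, the inventory, and the file contents are all constructed for the example and are not real key material.

```python
"""Audit authorized_keys entries against an approved-key inventory.

Added example. The ed25519 blobs below are syntactically valid wire encodings
built from constructed bytes (not real key pairs); only the encoding matters
for fingerprinting.
"""
import base64
import hashlib
import shlex
import struct

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def _ed25519_blob(seed: bytes) -> bytes:
    """Constructed ssh-ed25519 wire blob: string 'ssh-ed25519' + 32-byte point."""
    point = hashlib.sha256(seed).digest()  # 32 arbitrary bytes standing in for a key
    return struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + point


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in ssh-keygen's 'SHA256:<base64 without padding>' form."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Yield (options, key_type, blob, comment) for each key line.

    Blank lines and '#' comments are skipped. Options such as
    command="..." may contain quoted spaces, so shlex is used to tokenise.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # malformed line; a stricter audit would report it
        options = tokens[:idx]
        blob = base64.b64decode(tokens[idx + 1])
        comment = " ".join(tokens[idx + 2:])
        yield options, tokens[idx], blob, comment


def audit(text: str, inventory: dict) -> list:
    """Return one finding per key whose fingerprint is not in the approved inventory."""
    findings = []
    for options, key_type, blob, comment in parse_authorized_keys(text):
        fp = fingerprint(blob)
        if fp not in inventory:
            findings.append({"comment": comment, "fingerprint": fp,
                             "key_type": key_type, "options": options})
    return findings


# Constructed inventory: owner -> blob, then fingerprint -> owner for lookups.
APPROVED = {
    "alice@workstation": _ed25519_blob(b"alice"),
    "deploy-bot": _ed25519_blob(b"deploy"),
}
INVENTORY = {fingerprint(blob): owner for owner, blob in APPROVED.items()}

# Constructed ~/.ssh/authorized_keys: two approved keys and one unknown key.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys for the example",
    "ssh-ed25519 " + base64.b64encode(APPROVED["alice@workstation"]).decode() + " alice@workstation",
    'no-pty,command="/usr/bin/deploy --sync" ssh-ed25519 '
    + base64.b64encode(APPROVED["deploy-bot"]).decode() + " deploy-bot",
    "ssh-ed25519 " + base64.b64encode(_ed25519_blob(b"unknown")).decode() + " root@unknown-host",
])


if __name__ == "__main__":
    for finding in audit(SAMPLE_AUTHORIZED_KEYS, INVENTORY):
        print(f"UNAPPROVED KEY {finding['fingerprint']} ({finding['key_type']}) "
              f"comment={finding['comment']!r} options={finding['options']}")
```

Run against every `authorized_keys` file on a host (including root's and any `AuthorizedKeysFile` path set in `sshd_config`), the audit turns the "unique public keys" persistence described in the report into a concrete diff against change-controlled inventory; the fingerprint form is the same one `ssh-keygen -lf` prints, so findings can be cross-checked by hand.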