Full Report
A subgroup within the infamous Russian state-sponsored hacking group known as Sandworm has been attributed to a multi-year initial access operation dubbed BadPilot that stretched across the globe. "This subgroup has conducted globally diverse compromises of Internet-facing infrastructure to enable Seashell Blizzard to persist on high-value targets and support tailored network operations," the
Analysis Summary
# Threat Actor: A Subgroup within Sandworm
## Attribution & Identity
**Primary Attribution:** Russian state-sponsored hacking group affiliated with Unit 74455 within the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
**Known Aliases/Associations:** Seashell Blizzard (Microsoft moniker, formerly Iridium), APT44, Blue Echidna, FROZENBARENTS, Grey Tornado, Iron Viking, Razing Ursa, Telebots, UAC-0002, and Voodoo Bear (various community trackers).
**Status:** Described as "highly adaptive" and "operationally mature," engaging in espionage, attack, and influence operations.
## Activity Summary
The focus of the article is a **multi-year initial access operation dubbed BadPilot** conducted by a specific subgroup of Sandworm, operational since at least late 2021. This operation involved globally diverse compromises of internet-facing infrastructure. Sandworm has a history of destructive attacks against Ukraine, including using data wipers (KillDisk/HermeticWiper) and pseudo-ransomware (Prestige/PRESSTEA). More recently, a subgroup has been observed leveraging criminally sourced tools and infrastructure to maintain persistence. Another linked campaign uses pirated Microsoft KMS activators and fake Windows updates to deliver the BACKORDER downloader, ultimately aiming to deploy DarkCrystal RAT against Ukrainian targets.
## Tactics, Techniques & Procedures
- **Initial Access:** Exploiting vulnerabilities in internet-facing infrastructure. Specifically noted recent exploitation of ConnectWise ScreenConnect (CVE-2024-1709) and Fortinet FortiClient EMS (CVE-2023-48788).
- **Post-Exploitation:** Collecting credentials, achieving command execution, and enabling lateral movement.
- **Delivery Mechanism:** Trojanized installer files, pirated software activators (KMS), and fake Windows updates used to deliver initial payloads (e.g., BACKORDER).
- **Persistence/Remote Access:** Deployment of backdoors like Kapeka and DarkCrystal RAT (DCRat).
- **Network Evasion/C2:** Use of the TOR network for C2 communication and deployment of an RDP backdoor ("Kalambur" disguised as a Windows update).
- **Destructive Capabilities (Historical/Associated):** Use of data wipers (KillDisk) and pseudo-ransomware (Prestige).
## Targeting
**Sectors:** Energy, retail, education, consulting, agriculture, oil and gas, telecommunications, shipping, arms manufacturing, international governments, and ICS environments (in Ukraine).
**Geography:** Globally diverse, including North America (US, Canada), Europe, and countries like Angola, Argentina, Australia, China, Egypt, India, Kazakhstan, Myanmar, Nigeria, Pakistan, Turkey, and Uzbekistan. Recent focus on entities providing material support to the war in Ukraine or those geopolitically significant.
**Victims:** Entities in critical infrastructure, government institutions, and international organizations across the globe.
## Tools & Infrastructure
- **Malware Families Used:**
  - DarkCrystal RAT (DCRat)
  - Kapeka (backdoor)
  - BACKORDER (Go-based downloader)
  - KillDisk
  - Prestige (PRESSTEA)
  - Warzone
  - RADTHIEF (Rhadamanthys Stealer)
- **Infrastructure:**
  - Bulletproof hosting infrastructure provided by Russian-speaking actors (e.g., 'yalishanda').
  - C2 utilizing the TOR network (for the Kalambur backdoor).
  - Deployment of an RDP backdoor (Kalambur) listening on port 3389.
  - Reliance on criminally sourced tools and infrastructure.
## Implications
Sandworm's BadPilot operation shows a significant expansion of its geographical footprint and victimology beyond its usual focus on Eastern Europe, indicating a strategic effort to gain persistent, global initial access. The increased reliance on criminally sourced tools demonstrates a blurring of lines between state-sponsored activity and cybercrime, allowing the actor to operationalize disposable capabilities quickly and maintain plausible deniability. The targeting of critical infrastructure and geopolitically significant entities confirms their alignment with Russian state objectives, focused on espionage and destabilization operations.
## Mitigations
- Harden and monitor internet-facing infrastructure against exploit attempts, specifically patching vulnerabilities associated with ConnectWise ScreenConnect (CVE-2024-1709) and Fortinet FortiClient EMS (CVE-2023-48788).
- Implement strict controls and monitoring over the use of pirated or untrusted software (especially KMS activators and fake updates), which presents a significant attack surface in Ukrainian environments.
- Deploy network monitoring capable of detecting TOR network usage for C2 traffic, especially outbound connections on non-standard ports or known TOR exit nodes.
- Enhance credential hygiene and monitor for lateral movement indicative of DCRat or RDP abuse attempts (Port 3389).
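As an added illustration of the last two mitigations (not part of the original report), the script below runs two simple detections over constructed connection-log lines: outbound connections to addresses on a Tor relay list, and inbound RDP (port 3389) to hosts that are not on an allowlist of expected RDP servers. The log format, the Tor relay set, the allowlist and every IP address are assumptions; in practice the relay set comes from the Tor Project's published relay data and the allowlist from your asset inventory.

```python
"""Detection sketch: Tor-bound egress and unexpected RDP listeners.

Added example, not taken from the report. Input is a constructed firewall
connection log with one record per line: timestamp, direction, src, dst, dport.
"""
from dataclasses import dataclass

# Constructed placeholders (documentation-range IPs stand in for real relay data).
TOR_RELAYS = {"198.51.100.7", "203.0.113.42"}
RDP_ALLOWLIST = {"10.0.0.5"}   # hosts that are expected to accept RDP
RDP_PORT = 3389

# Constructed sample log lines.
SAMPLE_LOGS = """\
2025-01-10T09:00:01Z OUT 10.0.0.23 198.51.100.7 9001
2025-01-10T09:00:05Z OUT 10.0.0.23 93.184.216.34 443
2025-01-10T09:01:11Z IN 192.0.2.9 10.0.0.41 3389
2025-01-10T09:02:00Z IN 10.0.0.7 10.0.0.5 3389
2025-01-10T09:03:30Z OUT 10.0.0.41 203.0.113.42 443
"""


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


def analyze(log_text: str) -> list[Alert]:
    """Return one Alert per log record that matches either detection rule."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, direction, src, dst, dport = line.split()
        port = int(dport)
        # Rule 1: outbound traffic to a known Tor relay, whatever the port.
        # Tor rides 443 as readily as 9001, so the port alone is not a tell.
        if direction == "OUT" and dst in TOR_RELAYS:
            alerts.append(Alert("tor-relay-egress", src, f"{ts} -> {dst}:{port}"))
        # Rule 2: inbound RDP to a host that is not an approved RDP server;
        # an unexpected 3389 listener is the footprint the Kalambur note describes.
        if direction == "IN" and port == RDP_PORT and dst not in RDP_ALLOWLIST:
            alerts.append(Alert("unexpected-rdp-listener", dst, f"{ts} from {src}"))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOGS):
        print(f"[{a.rule}] host={a.host} {a.detail}")
```

The approved-host 10.0.0.5 produces no alert, which is the point of the allowlist: the rule surfaces new RDP exposure rather than all RDP traffic.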