Subgroup of Russia’s Sandworm compromising US and European organizations, Microsoft says
A subgroup of a notorious Russian state-backed hacking group has been running a multi-year campaign to gain initial access to dozens of strategically important organizations across the U.S. and Europe.
Microsoft’s threat intelligence team published an examination on Wednesday of the “BadPilot campaign” — an effort by a Russian group known as Sandworm, or Seashell Blizzard, to breach sectors like energy, including oil and gas, telecommunications, shipping, arms manufacturing, and the government.
Operators behind the campaign have been able to retain access to high-priority targets, helping the Russian military and government to “adapt swiftly and dynamically to the evolving geopolitical landscape,” Microsoft Threat Intelligence said, warning that the “cluster's operations present significant risk to the global community at large.”
“Given that Seashell Blizzard is Russia’s cyber tip of the spear in Ukraine, Microsoft Threat Intelligence assesses that this access subgroup will continue to innovate new horizontally scalable techniques to compromise networks both in Ukraine and globally in support of Russia’s war objectives and evolving national priorities,” Microsoft researchers said in the report.
The subgroup’s activity has provided Russia with “expansive opportunities for niche operations and activities that will continue to be valuable over the medium term,” according to the experts.
Sandworm, which researchers have tied to Russian Military Intelligence Unit 74455, has been active since at least 2013 and is responsible for some of Russia’s most high-profile destructive attacks, including KillDisk and FoxBlade as well as headline-grabbing incidents like NotPetya and Prestige.
The group has been repeatedly leveraged during military conflicts and has proven to be highly skilled at targeting critical infrastructure systems. It has played a central role in Russia’s invasion of and attacks on Ukraine.
In 2022, the U.S. State Department announced a $10 million reward for information about six hackers working within Seashell Blizzard. The six were implicated in the creation and propagation of the NotPetya malware in charges filed by the Justice Department in 2020.
Sherrod DeGrippo, Microsoft’s director of Threat Intelligence Strategy, told Recorded Future News that the concern with the activity they identified is that it shows a significant departure from Russia’s typical operating behavior of narrowly-focused cyber operations.
“The activity has been indiscriminate at times, affecting a wide range of industries across numerous countries and regions, well outside the borders of Ukraine,” she said.
“Further, Russia-sponsored military threat actors are considered highly reactive to escalations within the geopolitical environment. This global exploitation activity has helped Russian Intelligence gain access to sensitive industries in numerous locations around the world.”
Russia’s objectives
Russia has previously deployed Sandworm for espionage and information operations as well as cyber-enabled disruptions. The cluster of activity covered in the report focuses on the specific subgroup responsible for gaining initial access into targets that may support future Russian intelligence priorities.
Over the years, the operation has expanded beyond Eastern Europe into the U.S. and U.K.
“While some of the subgroup’s targeting is opportunistic, its compromises cumulatively offer Seashell Blizzard options when responding to Russia’s evolving strategic objectives,” the researchers explained.
The group has focused on compromising internet-facing infrastructure to enable Sandworm to persist on high-value targets and support tailored network operations.
Since early 2024, Microsoft incident responders have observed the hackers exploiting vulnerabilities such as CVE-2024-1709 — which affects the IT remote management and monitoring software ConnectWise ScreenConnect — and CVE-2023-48788, which impacts Fortinet FortiClient EMS security software.
These operations evolved out of previous access efforts between 2021 and 2023 that focused on Ukraine and specific sectors in Central and South Asia, and the Middle East.
In 2022, its primary focus was on the energy, retail, education, consulting, and agriculture sectors in Ukraine but the next year it expanded globally.
“It frequently prioritized sectors that either provided material support to the war in Ukraine or were geopolitically significant,” the researchers said.
“In 2024, while the exposure of multiple vulnerabilities likely offered the subgroup more access than ever, it appeared to have honed its focus to the United States, Canada, Australia, and the United Kingdom.”
There is some evidence that the group is somewhat opportunistic, given that it was observed carrying out attacks on organizations that have no utility to Russian strategic interests. However, the company’s incident responders saw “significant later post-compromise activity” only in targets that are strategically significant to Russia.
Microsoft was able to tie the subgroup to Sandworm based on the tactics used, the tools deployed and distinct post-compromise activities.
“We have also observed the initial access subgroup to pursue access to an organization prior to a Seashell Blizzard-linked destructive attack,” the company said.
“This persistent access is noted in at least three cases to have preceded select destructive attacks attributed to Seashell Blizzard, highlighting that the subgroup may periodically enable destructive or disruptive attacks.”
The group has used third-party internet scanning services to find targets and commonly exploits at least eight vulnerabilities, as follows:
- Microsoft Exchange (CVE-2021-34473)
- Zimbra Collaboration (CVE-2022-41352)
- OpenFire (CVE-2023-32315)
- JetBrains TeamCity (CVE-2023-42793)
- Microsoft Outlook (CVE-2023-23397)
- ConnectWise ScreenConnect (CVE-2024-1709)
- Fortinet FortiClient EMS (CVE-2023-48788)
- JBoss (exact CVE is unknown)
After exploiting bugs, the hackers deploy remote management tools like Atera Agent and Splashtop Remote Services to maintain their access to compromised systems.
In some cases, the hackers inserted malicious code into otherwise legitimate sign-in portals to steal credentials like usernames and passwords — allowing them to move laterally within organizations.
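The pattern the report describes (exploitation of an internet-facing product, followed by installation of a commercial remote management agent) is something defenders can triage from service-installation telemetry. The following is an added example, not code from the report or from Microsoft: it uses the CVE list and RMM tool names given above, and the log format, the `triage` function, the host names and the inventory are constructed assumptions for illustration.

```python
import re

# CVEs named in the report, keyed by the product they affect.
# JBoss is omitted because the report gives no CVE for it.
EXPOSED_PRODUCTS = {
    "Microsoft Exchange": "CVE-2021-34473",
    "Zimbra Collaboration": "CVE-2022-41352",
    "OpenFire": "CVE-2023-32315",
    "JetBrains TeamCity": "CVE-2023-42793",
    "Microsoft Outlook": "CVE-2023-23397",
    "ConnectWise ScreenConnect": "CVE-2024-1709",
    "Fortinet FortiClient EMS": "CVE-2023-48788",
}

# RMM tools the report says were deployed after exploitation; the service
# names on the left are assumed labels for this example, not verified values.
RMM_SERVICE_NAMES = {
    "AteraAgent": "Atera Agent",
    "SplashtopRemoteService": "Splashtop Remote Services",
}

# Constructed (hypothetical) inventory: which listed product each host exposes.
INVENTORY = {"web01": "ConnectWise ScreenConnect", "ci01": "JetBrains TeamCity", "fs01": None}

# Constructed sample log lines in a simple key=value layout (not real telemetry).
SAMPLE_LOGS = """\
2024-03-02T10:15:00Z host=web01 event=service_installed name=AteraAgent user=SYSTEM
2024-03-02T10:16:30Z host=fs01 event=service_installed name=SplashtopRemoteService user=admin
2024-03-02T10:17:00Z host=ci01 event=service_installed name=PrintSpooler user=SYSTEM
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+event=(?P<event>\S+)\s+name=(?P<name>\S+)")


def triage(log_text, inventory, approved_rmm=frozenset()):
    """Return {host: (severity, reason)} for hosts where an unapproved RMM service appeared.

    Severity is 'high' when the host also exposes one of the listed products,
    since that matches the exploit-then-RMM sequence the report describes.
    """
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["event"] != "service_installed":
            continue
        tool = RMM_SERVICE_NAMES.get(m["name"])
        if tool is None or tool in approved_rmm:
            continue  # not an RMM agent, or one the organization sanctions
        product = inventory.get(m["host"])
        if product in EXPOSED_PRODUCTS:
            findings[m["host"]] = ("high", f"{tool} on host exposing {product} ({EXPOSED_PRODUCTS[product]})")
        else:
            findings[m["host"]] = ("medium", f"{tool} on host with no listed exposed product")
    return findings
```

Hosts where the organization itself uses one of these RMM products should be passed in `approved_rmm` so the check only flags agents that were not sanctioned.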
“This subgroup has leveraged exploiting a variety of recent public vulnerabilities since late 2021. This shows a focus on being agile and keeping track of new CVEs as a potential way to gain access to targets quickly,” DeGrippo explained.
She noted that, historically, Sandworm’s operations are assessed to be a key component of Russia’s overall strategy for destabilizing Western institutions and emerging or established democracies, and that Sandworm has been one of the lead threat actors Microsoft has seen operating in Ukraine since the 2022 invasion.
Last year, Ukraine’s government said the group was responsible for attacks on nearly 20 energy facilities in the country in an effort to amplify the impact of Russian missile and drone strikes on critical infrastructure.
Ukraine’s computer emergency response team (CERT-UA) said the hackers deployed several new and previously known malware variants to infect energy, water and heating suppliers in 10 regions of the country in March 2024.
The group has also been implicated in attacks on Ukraine’s largest telecom, internet providers, government agencies and a popular Ukrainian military app. Google-owned Mandiant discovered in 2024 that the group established an infrastructure allowing Russian military forces to exfiltrate encrypted Telegram and Signal communications from mobile devices captured on the battlefield.
Jonathan Greig
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.