BadPilot Attacking Network Devices To Expand Russian Seashell Blizzard’s Attacks

Microsoft Threat Intelligence has exposed a subgroup within the Russian state actor Seashell Blizzard, known as the “BadPilot campaign.”
This subgroup has been conducting a multiyear operation to compromise Internet-facing infrastructure globally, expanding Seashell Blizzard’s reach beyond Eastern Europe.
The campaign leverages opportunistic access techniques and stealthy persistence methods to collect credentials, execute commands, and facilitate lateral movement within networks.
Seashell Blizzard is a high-impact threat actor linked to the Russian Federation’s Military Intelligence Unit 74455 (GRU).
Active since at least 2013, it has been involved in various operations ranging from espionage to cyber-enabled disruptions, including destructive attacks like KillDisk (2015) and NotPetya (2017).
Microsoft Threat Intelligence analysts noted that Seashell Blizzard is known for its expertise in targeting critical infrastructure such as industrial control systems (ICS) and supervisory control and data acquisition systems (SCADA).
The BadPilot Campaign
The BadPilot campaign has been active since at least 2021, focusing on compromising network devices to gain persistent access to high-value targets.
This subgroup has exploited numerous vulnerabilities in Internet-facing systems, including:
- Microsoft Exchange (CVE-2021-34473)
- Zimbra Collaboration (CVE-2022-41352)
- OpenFire (CVE-2023-32315)
- JetBrains TeamCity (CVE-2023-42793)
- Microsoft Outlook (CVE-2023-23397)
- ConnectWise ScreenConnect (CVE-2024-1709)
- Fortinet FortiClient EMS (CVE-2023-48788)
- JBOSS (exact CVE unknown)
These exploits have allowed Seashell Blizzard to access sensitive sectors globally, including energy, oil and gas, telecommunications, shipping, arms manufacturing, and international governments.
Since early 2024, the BadPilot subgroup has utilized three distinct exploitation techniques.
First, they deploy remote monitoring and management (RMM) suites such as Atera Agent and Splashtop Remote Services for persistence and command and control, often after exploiting vulnerabilities in ConnectWise ScreenConnect and Fortinet FortiClient EMS.
Second, they actively exploit known vulnerabilities to compromise Internet-facing systems, using third-party scanning services to identify targets.
Finally, once inside a system, they engage in extensive post-compromise activities, including credential theft and lateral movement, which have, in some cases, resulted in destructive attacks.
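Because the subgroup's persistence relies on commercial RMM agents that blend in with legitimate administration, a practical defensive check is to compare RMM activity in endpoint telemetry against the set of tools each host is actually sanctioned to run. The script below is an example added here by the editor; it is not from the article or from Microsoft. The executable names, the parent-process heuristic and the event format are assumptions chosen for illustration, and the log lines are constructed, so adapt the signature table to what your own EDR reports.

```python
"""Flag RMM agent activity that is not sanctioned for the host it appears on.

Editor-added example. Executable names and the parent-process list are
assumptions for illustration, not indicators taken from the article.
"""
import json
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumed executable names for the RMM suites the article names (Atera, Splashtop).
# Verify these against your own telemetry before relying on them.
RMM_SIGNATURES: Dict[str, Set[str]] = {
    "atera": {"ateraagent.exe"},
    "splashtop": {"srservice.exe", "srmanager.exe"},
}

# Heuristic: an RMM agent started by a web-facing service (exploited app server,
# remote-support server) is suspicious even where the tool itself is approved.
WEB_FACING_PARENTS: Set[str] = {"w3wp.exe", "screenconnect.service.exe", "java.exe"}

# Constructed sample of process-creation events, one JSON object per line.
SAMPLE_JSONL = r"""
{"host": "ws-01", "user": "helpdesk", "image": "C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe", "parent_image": "C:\\Windows\\System32\\services.exe"}
{"host": "srv-web-02", "user": "IIS APPPOOL\\DefaultAppPool", "image": "C:\\Windows\\Temp\\AteraAgent.exe", "parent_image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe"}
{"host": "ws-01", "user": "SYSTEM", "image": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRService.exe", "parent_image": "C:\\Program Files (x86)\\ScreenConnect\\Bin\\ScreenConnect.Service.exe"}
{"host": "ws-03", "user": "SYSTEM", "image": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRService.exe", "parent_image": "C:\\Program Files (x86)\\ScreenConnect\\Bin\\ScreenConnect.Service.exe"}
{"host": "ws-01", "user": "alice", "image": "C:\\Windows\\notepad.exe", "parent_image": "C:\\Windows\\explorer.exe"}
"""

# Constructed policy: which RMM products each host is allowed to run.
APPROVED_RMM: Dict[str, Set[str]] = {
    "ws-01": {"atera"},
    "ws-03": {"splashtop"},
    # srv-web-02 deliberately has no approved RMM tooling.
}


@dataclass
class Finding:
    host: str
    image: str
    tool: str
    reason: str


def load_events(jsonl: str) -> List[dict]:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def classify_rmm(image_path: str) -> Optional[str]:
    """Return the RMM product an image belongs to, or None if it is not RMM."""
    name = ntpath.basename(image_path).lower()
    for tool, names in RMM_SIGNATURES.items():
        if name in names:
            return tool
    return None


def detect_unapproved_rmm(events: List[dict], approved: Dict[str, Set[str]]) -> List[Finding]:
    """Two checks per RMM event: is the product sanctioned on this host, and
    was it launched by a web-facing parent process?"""
    findings: List[Finding] = []
    for ev in events:
        tool = classify_rmm(ev["image"])
        if tool is None:
            continue  # not an RMM binary we track
        host = ev["host"]
        if tool not in approved.get(host, set()):
            findings.append(Finding(host, ev["image"], tool, "rmm-not-approved"))
            continue
        parent = ntpath.basename(ev.get("parent_image", "")).lower()
        if parent in WEB_FACING_PARENTS:
            findings.append(Finding(host, ev["image"], tool, f"spawned-by-{parent}"))
    return findings


if __name__ == "__main__":
    for f in detect_unapproved_rmm(load_events(SAMPLE_JSONL), APPROVED_RMM):
        print(f"{f.host}: {f.tool} ({f.reason}) <- {f.image}")
```

Running it over the constructed sample produces three findings: an Atera agent on a web server that has no approved RMM, a Splashtop service on a host approved only for Atera, and an approved Splashtop service that was nevertheless launched by a ScreenConnect service process. The first two checks are pure policy; the third is a heuristic that trades some false positives for visibility into the exploit-then-install pattern the article describes.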
The BadPilot campaign poses a significant risk to organizations worldwide, particularly those in sectors critical to Russian strategic interests.
As a result, understanding and mitigating the tactics, techniques, and procedures (TTPs) of threat actors like Seashell Blizzard is essential for protecting global networks.
The post BadPilot Attacking Network Devices To Expand Russian Seashell Blizzard’s Attacks appeared first on Cyber Security News.