Shifts in Cyber Targeting: Sandworm’s BadPilot Unit Expands Focus
In recent developments, Microsoft has issued a warning regarding a faction of the notorious Russian hacking group Sandworm, known as BadPilot. This unit has notably shifted its focus from Ukraine to a broader range of targets across English-speaking Western nations, a change that has raised eyebrows within the cybersecurity community.
Microsoft’s threat intelligence team has characterized BadPilot as an “initial access operation,” primarily engaged in breaching networks to establish a foothold before transferring that access to other members of Sandworm, which is linked to Russia’s GRU military intelligence agency. The group’s modus operandi involves executing a high volume of intrusion attempts, casting a wide net to identify potential victims, and subsequently narrowing their focus based on the results.
Over the past three years, BadPilot’s geographical targeting has evolved significantly. Initially concentrated on Ukraine in 2022, the group expanded its operations in 2023 to encompass networks worldwide. By 2024, its focus had shifted again, homing in on targets in the United States, the United Kingdom, Canada, and Australia. Sherrod DeGrippo, Microsoft’s director of threat intelligence strategy, noted, “They’re picking and choosing what makes sense to focus on. And they are focusing on those Western countries.”
While Microsoft has refrained from naming specific victims, it has indicated that BadPilot’s targets span various sectors, including energy, oil and gas, telecommunications, shipping, arms manufacturing, and international governments. Notably, Microsoft has documented instances where Sandworm has executed data-destroying cyberattacks against Ukrainian entities, underscoring the group’s aggressive tactics.
DeGrippo suggested that the group’s recent interest in Western networks may be politically motivated, particularly in light of global elections and the shifting political landscape. This context appears to have influenced their tactical adjustments and target selection.
For over three years, BadPilot has leveraged known vulnerabilities in internet-facing software to gain access to victim networks. Its methods include exploiting flaws in widely used applications such as Microsoft Exchange, Outlook, and products from Openfire, JetBrains, and Zimbra. In the past year, the group has specifically targeted vulnerabilities in the remote access tool ConnectWise ScreenConnect and in Fortinet FortiClient EMS, which is used to manage Fortinet’s security software.
Upon breaching these networks, BadPilot typically installs software that ensures persistent access to the compromised machines. This often involves legitimate remote access tools like Atera Agent or Splashtop Remote Services. In a more unusual tactic, they have also configured victims’ computers to function as onion services on the Tor network, obscuring their communications through a series of proxy machines.
In a separate report, the cybersecurity firm EclecticIQ has identified another hacking campaign linked to Sandworm, which used a malware-infected Windows piracy tool distributed via BitTorrent to infiltrate Ukrainian government networks. In these instances, the hackers employed a remote access tool named Dark Crystal RAT for cyberespionage purposes.
The presence of Sandworm, referred to by Microsoft as Seashell Blizzard, is particularly concerning given the group’s history of disruptive cyber operations. Sandworm has been implicated in multiple blackouts affecting Ukraine’s electric utilities, the first power outages ever attributed to hacking. Additionally, the group was responsible for the NotPetya malware attack, which caused extensive global damage estimated in the billions of dollars, and has executed targeted wiper malware attacks across Ukrainian networks both before and after the 2022 invasion.
As of now, Microsoft has not observed any indications that BadPilot intends to escalate its activities beyond espionage in its targeting of Western networks. DeGrippo remarked, “This seems very early in terms of initial resource gathering, trying to get this much persistent access.” However, she emphasized the potential implications of BadPilot’s association with a group known for its highly disruptive cyberattacks, stating, “Therefore, the potential actions that they could take next is of deep concern.”