
Russian state-sponsored BadPilot campaign targets global critical infrastructure


A sophisticated cyber campaign attributed to the Russian state-sponsored group Seashell Blizzard has been targeting critical infrastructure worldwide, expanding well beyond its initial focus on Ukraine and Eastern Europe. The campaign, dubbed BadPilot, has been active for several years and has recently begun compromising critical sectors, including energy, telecommunications, oil and gas, shipping, arms manufacturing, and government agencies.

The countries that the attackers targeted include the United States, Canada, Mexico, Argentina, Chile, Peru, Colombia, United Kingdom, Germany, France, Italy, Spain, Portugal, Netherlands, Belgium, Sweden, Norway, Denmark, Poland, Ukraine, Turkey, Switzerland, Austria, China, Mongolia, South Korea, Lebanon, Azerbaijan, Iran, Afghanistan, Pakistan, India, Oman, Myanmar, Thailand, Cambodia, Vietnam, Australia, New Zealand, South Africa, Nigeria, Egypt, and Ethiopia, among others.

As noted by Microsoft researchers, Seashell Blizzard has a notorious history of cyber warfare, being responsible for major cyber incidents such as the NotPetya ransomware attack in 2017, KillDisk in 2015, MeDoc in 2017, Prestige in 2022 and the FoxBlade malware operation in 2022.

[Figure: map of countries targeted by BadPilot. Russian hackers practically targeted half the world. | Source: Microsoft]

The newly identified subgroup within the organisation has been actively exploiting security vulnerabilities since 2021, using stealth tactics to infiltrate high-value targets across multiple industries. These security vulnerabilities include:

  • Microsoft Exchange (CVE-2021-34473)
  • Zimbra Collaboration (CVE-2022-41352)
  • OpenFire (CVE-2023-32315)
  • JetBrains TeamCity (CVE-2023-42793)
  • Microsoft Outlook (CVE-2023-23397)
  • Connectwise ScreenConnect (CVE-2024-1709)
  • Fortinet FortiClient EMS (CVE-2023-48788)
  • JBoss (vulnerability not known)

“In nearly all cases of successful exploitation, Seashell Blizzard carried out measures to establish long-term persistence on affected systems. This persistent access is noted in at least three cases to have preceded select destructive attacks attributed to Seashell Blizzard, highlighting that the subgroup may periodically enable destructive or disruptive attacks,” Microsoft wrote.

[Figure: Seashell Blizzard operational lifecycle. | Source: Microsoft]

Once inside a system, the attackers establish persistence through remote management and monitoring (RMM) tools, web shells, and modified authentication portals. Their tactics have evolved to evade detection, making their presence on compromised networks increasingly difficult to identify and mitigate.

Researchers have observed three primary methods employed by Seashell Blizzard:

  • Deployment of remote management tools for persistence: In early 2024, the group adopted RMM suites such as Atera Agent and Splashtop Remote Services, disguising its activity as legitimate software while maintaining long-term access and command-and-control (C2) functions. Vulnerabilities such as CVE-2024-1709 and CVE-2023-48788 provided the entry point for deploying RMM agents, which were retrieved either from legitimate sources or from attacker-controlled infrastructure. The attackers also used credential harvesting techniques, such as registry-based credential access via reg.exe and memory dumping with procdump, to move further into target environments.
  • Use of web shells for persistence and command execution: The group has exploited Microsoft Exchange and Zimbra vulnerabilities to install web shells, notably a proprietary web shell known as LocalOlive, which supports file uploads, shell command execution, and network port manipulation.
  • Tunnelling and network manipulation for credential theft: For tunnelling, Seashell Blizzard used Chisel, Plink, and rsockstun to maintain stealthy access to compromised networks. Researchers also observed the threat actors modifying network resources, including Outlook Web Access (OWA) sign-in pages and DNS configurations, to intercept login credentials.

Researchers also discovered a novel persistence technique, ShadowLink, leveraging Tor’s hidden services to maintain undetected access.

[Figure: how ShadowLink works. | Source: Microsoft]

“ShadowLink facilitates persistent remote access by configuring a compromised system to be registered as a Tor hidden service. This is achieved using a combination of Tor service binaries and a unique actor-defined Tor configuration file (referred to as the ‘torrc’) configuring the system for remote access,” researchers explained.

Instead of traditional remote access trojans (RATs), ShadowLink registers compromised systems as Tor hidden services, providing attackers with an encrypted and resilient connection channel that evades common cybersecurity monitoring techniques.
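Because the technique rests on a torrc file, the configuration itself is an artefact defenders can audit: a Tor client on an enterprise host has no business declaring hidden services, and a hidden service that forwards to RDP, SMB or WinRM on localhost is exactly the remote-access channel described above. The script below is an added example written for this article, not Microsoft's detection logic, that parses the `HiddenServiceDir` and `HiddenServicePort` directives of a torrc (both are documented Tor options) and reports services that expose management ports. The sample configuration, the sensitive-port table and the function names are assumptions constructed for the example.

```python
import re

# Local services whose exposure through a hidden service indicates remote-access persistence
# (assumed table for the example; extend to match the environment).
SENSITIVE_PORTS = {
    22: "SSH",
    445: "SMB",
    3389: "RDP",
    5900: "VNC",
    5985: "WinRM",
    5986: "WinRM over HTTPS",
}

# Constructed torrc modelled on the ShadowLink description; not an observed artefact.
SAMPLE_TORRC = """
# minimal actor-style configuration
SocksPort 0
HiddenServiceDir C:\\ProgramData\\svc\\hs
HiddenServicePort 3389 127.0.0.1:3389
HiddenServicePort 445 127.0.0.1:445
"""


def _parse_target(virtport, target):
    """Resolve a HiddenServicePort target to (host, port).

    Tor accepts host:port, a bare port, or a unix: socket path; when the target is
    omitted the service points at the same port on 127.0.0.1.
    """
    if target is None:
        return ("127.0.0.1", virtport)
    if target.startswith("unix:"):
        return (target, None)
    host, _, port = target.rpartition(":")
    if not host:
        return ("127.0.0.1", int(port))
    return (host, int(port))


def parse_hidden_services(text):
    """Return a list of {'dir': ..., 'ports': [(virtport, (host, port)), ...]} blocks."""
    services = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        key = parts[0].lower()                 # torrc keys are case-insensitive
        if key == "hiddenservicedir":
            current = {"dir": " ".join(parts[1:]), "ports": []}
            services.append(current)
        elif key == "hiddenserviceport":
            if current is None:
                raise ValueError("HiddenServicePort before any HiddenServiceDir")
            virtport = int(parts[1])
            target = parts[2] if len(parts) > 2 else None
            current["ports"].append((virtport, _parse_target(virtport, target)))
    return services


def assess(services):
    """Flag hidden-service port mappings that expose a sensitive local service."""
    findings = []
    for svc in services:
        for virtport, (host, port) in svc["ports"]:
            if port in SENSITIVE_PORTS:
                findings.append({
                    "dir": svc["dir"],
                    "virtport": virtport,
                    "target": f"{host}:{port}",
                    "service": SENSITIVE_PORTS[port],
                })
    return findings


if __name__ == "__main__":
    for finding in assess(parse_hidden_services(SAMPLE_TORRC)):
        print(f"{finding['dir']}: onion port {finding['virtport']} -> "
              f"{finding['target']} ({finding['service']})")
```

In practice the input would come from a hunt for torrc files (or Tor binaries running with a `-f` argument) across the fleet; the presence of any `HiddenServiceDir` on a host that is not a known Tor relay or onion service is itself the finding, and the port assessment only prioritises it.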

Researchers have advised organisations to promptly patch known vulnerabilities in enterprise software, implement advanced network monitoring and endpoint detection, and conduct regular security audits.

State-sponsored threat actors are generally more dangerous and persistent than criminal ones, primarily because their motives are not financial but intelligence-gathering and geopolitical. In November last year, a Chinese state-sponsored hacker group, Volt Typhoon, breached Singtel, Singapore’s largest mobile carrier.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
