Microsoft has revealed insights into a subgroup of the Russian state actor Seashell Blizzard, known for its “BadPilot campaign.” This group has been active since at least 2021 and utilizes a variety of opportunistic access techniques to compromise global infrastructure, primarily focusing on sensitive sectors such as energy and telecommunications. Their activities raise significant security concerns and offer Russia strategic options amid ongoing geopolitical tensions.
Affected: Energy sector, Telecommunications sector, Shipping, Arms manufacturing, Governments, International organizations
Key points:
- Seashell Blizzard operates under the Russian military intelligence unit GRU, focusing on espionage and disruptive actions globally.
- The group has shifted its targeting from primarily Eastern Europe to a more global scope, including the U.S. and the U.K.
- Recent vulnerabilities exploited include CVE-2024-1709 (ConnectWise ScreenConnect) and CVE-2023-48788 (Fortinet FortiClient EMS).
- Seashell Blizzard has likely conducted at least three destructive cyberattacks in Ukraine since 2023.
- The subgroup leverages various techniques including credential collection, command execution, and lateral movement for extensive network compromises.
- Operational tactics include deployment of remote management tools to maintain persistence and command and control capabilities.
- The group has a history of using custom exploits and recognized vulnerabilities to gain access to sensitive networks.
- Microsoft is actively monitoring Seashell Blizzard’s campaigns and notifies affected organizations to help them secure their systems.
MITRE Techniques:
- Execution (T1203): Utilizing vulnerabilities in software like ConnectWise ScreenConnect (CVE-2024-1709) for command execution.
- Persistence (T1071): Deployment of Remote Management and Monitoring (RMM) tools like Atera Agent for continued access.
- Credential Access (T1003): Methods such as registry-based credential access and memory dumping from processes for credential collection.
- Exploitation (T1203): Exploiting public vulnerabilities in Internet-facing infrastructure to gain initial access.
- Exfiltration (T1041): Using tools like rclone.exe for data exfiltration from compromised systems.
- Command and Control (T1071): Establishing remote access via compromised services, including methods like ShadowLink for Tor-based access.
Indicators of Compromise:
- [IP Address] 103.201.129.130
- [IP Address] 104.160.6.2
- [IP Address] 195.26.87.209
- [Actor-controlled Email Address] akfcjweiopgjebvh@proton.me
- [Actor-controlled Email Address] miccraftsor@outlook.com
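The indicator list above only helps once it is matched against your own telemetry. The following is an added example, not code from Microsoft or from the report: it takes the three IP addresses and two e-mail addresses listed on this page, plus the rclone.exe tool name mentioned under T1041, and scans a few constructed log lines in firewall, mail-gateway and Sysmon-like shapes. The log lines and their field layouts are assumptions made for the example; only the indicators come from the page.

```python
"""Match the indicators listed above against constructed sample log lines.

Added example, not code from Microsoft or from the report: the IP
addresses, e-mail addresses and the rclone.exe tool name come from the
page; the log lines and their field layouts are constructed assumptions.
"""
import re
from dataclasses import dataclass

# Indicators exactly as listed in the "Indicators of Compromise" section.
IOC_IPS = {"103.201.129.130", "104.160.6.2", "195.26.87.209"}
IOC_EMAILS = {"akfcjweiopgjebvh@proton.me", "miccraftsor@outlook.com"}
# Tool named on the page for exfiltration (T1041); matched by image name only.
IOC_PROCESSES = {"rclone.exe"}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Bare executable name; the backslash before it in a Windows path is a word boundary.
PROC_RE = re.compile(r"\b([\w-]+\.exe)\b", re.IGNORECASE)


@dataclass(frozen=True, order=True)
class Hit:
    line_no: int          # 1-based index into the scanned log
    kind: str             # "ip", "email" or "process"
    indicator: str        # the matched indicator, normalised to lower case


def scan_line(line_no: int, line: str) -> list[Hit]:
    """Return the distinct indicators found in one log line (deduplicated)."""
    found: set[Hit] = set()
    for ip in IP_RE.findall(line):
        if ip in IOC_IPS:
            found.add(Hit(line_no, "ip", ip))
    for addr in EMAIL_RE.findall(line):
        if addr.lower() in IOC_EMAILS:
            found.add(Hit(line_no, "email", addr.lower()))
    for proc in PROC_RE.findall(line):
        if proc.lower() in IOC_PROCESSES:
            found.add(Hit(line_no, "process", proc.lower()))
    return sorted(found)


def scan_logs(lines: list[str]) -> list[Hit]:
    """Scan a whole log (list of lines) and return hits in line order."""
    hits: list[Hit] = []
    for n, line in enumerate(lines, start=1):
        hits.extend(scan_line(n, line))
    return hits


# Constructed sample log in three common shapes: firewall, mail gateway, Sysmon.
SAMPLE_LOGS = [
    "2025-02-13T09:41:02Z fw allow src=10.0.8.25 dst=195.26.87.209 dport=443",
    "2025-02-13T09:41:05Z fw allow src=10.0.8.25 dst=40.97.16.12 dport=443",
    "2025-02-13T10:02:11Z mail inbound from=<akfcjweiopgjebvh@proton.me> to=<ops@corp.example>",
    '2025-02-13T10:15:44Z sysmon EventID=1 Image=C:\\Users\\Public\\rclone.exe CommandLine="rclone.exe copy C:\\Finance remote:bkp"',
    "2025-02-13T10:16:00Z sysmon EventID=1 Image=C:\\Windows\\System32\\svchost.exe",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.kind} indicator {hit.indicator}")
```

Matching on the bare image name is deliberately loose: a renamed rclone binary will not be caught by this check, so treat a process hit as a starting point for triage rather than a verdict, and keep the IP and e-mail sets in a central list so the same scanner can be re-run as Microsoft publishes further indicators.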