
Russian state threat group shifts focus to US, UK targets

A subgroup of Seashell Blizzard exploited public vulnerabilities in internet-facing systems, Microsoft researchers said.
Cars drive past the headquarters of the Russian General Staff's Main Intelligence Department (GRU) in Moscow on December 30, 2016. (Photo by NATALIA KOLESNIKOVA/AFP via Getty Images)

A subgroup of Seashell Blizzard has shifted its focus to targets in the U.S., Canada, Australia and the U.K. within the past year, expanding the scope of its malicious activity, Microsoft’s threat intelligence team said in a report released Wednesday.

The initial-access operation, which Microsoft tracks as the “BadPilot campaign,” has allowed the Russian state threat group — commonly known as Sandworm, which operates on behalf of the Russian Military Intelligence Unit 74455 (GRU) — to establish long-term persistence on affected systems to steal credentials, execute commands and achieve lateral movement since at least 2021.

The subgroup’s activities enabled at least three destructive cyberattacks in Ukraine since 2023, but additional capabilities and publicly available exploits for internet-facing systems provided the subgroup with access to more opportunistic targets that don’t appear to align with Russia’s strategic interests, according to Microsoft. 

“The concern with the activity we identified is that it shows a significant departure from Russia’s typical operating behavior of narrowly-focused cyber operations,” Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, said in an email.


“The activity has been indiscriminate at times, affecting a wide range of industries across numerous countries and regions, well outside the borders of Ukraine,” she added.

The subgroup gained access to a broader range of targets in the U.S. and U.K. since early 2024 by primarily exploiting vulnerabilities in ConnectWise ScreenConnect (CVE-2024-1709) and Fortinet FortiClientEMS (CVE-2023-48788), according to Microsoft.

The subgroup’s altered operations and widened targeting indicate a “spray and pray” approach that has allowed it to achieve compromises at scale, increasing the probability of gaining access to targets of strategic interest to Russia with limited tailored effort, Microsoft said in the report.

Microsoft’s threat researchers observed significant post-compromise activity in cases when the subgroup acquired access to a target of strategic importance. 

“This global exploitation activity has helped Russian intelligence gain access to sensitive industries in numerous locations around the world,” DeGrippo said. “Historically, Seashell Blizzard’s operations are assessed to be a key component of Russia’s overall strategy for destabilizing western institutions and emerging or established democracies, and has been one of the lead threat actors we see operational in Ukraine since the 2022 invasion.”


Microsoft said the BadPilot campaign has enabled Seashell Blizzard to obtain access to global targets supporting critical infrastructure sectors, including energy, oil and gas, telecommunications, weapons manufacturing and international governments. The company’s threat intelligence team did not provide details about how many organizations have been impacted by the subgroup’s activities or the types of sectors compromised in the U.S. and U.K.

“This subgroup has leveraged exploiting a variety of recent public vulnerabilities since late 2021; this shows a focus on being agile and keeping track of new CVEs as a potential way to gain access to targets quickly,” DeGrippo said.

Microsoft threat researchers have tracked the subgroup’s exploits to at least eight vulnerabilities in server infrastructure commonly used at the perimeters of small office/home office and enterprise networks. Those exploits include CVE-2021-34473 in Microsoft Exchange, CVE-2022-41352 in Zimbra Collaboration, CVE-2023-32315 in Openfire, CVE-2023-42793 in JetBrains TeamCity, CVE-2023-23397 in Microsoft Outlook, CVE-2024-1709 in ConnectWise ScreenConnect, CVE-2023-48788 in Fortinet FortiClientEMS and an unknown vulnerability in JBoss.

All but one of the known exploited vulnerabilities are critical on the CVSS scale. Seashell Blizzard is also tracked by other security vendors as UAC-0113, BE2, Blue Echidna, PHANTOM, BlackEnergy Lite and APT44.

Microsoft described Seashell Blizzard as “Russia’s cyber tip of the spear in Ukraine,” and said the subgroup within the Russian state threat group will likely offer Russia expansive opportunities for niche operations and activities over the medium term.
