Sandworm Subgroup

A subgroup within the infamous Russian state-sponsored hacking group known as Sandworm has been attributed to a multi-year initial access operation dubbed BadPilot that stretched across the globe.

Multi-Year Global Campaign

This subgroup has conducted globally diverse compromises of Internet-facing infrastructure to enable Seashell Blizzard to persist on high-value targets and support tailored network operations.

Target Geographical Spread

The geographical spread of the initial access subgroup’s targets includes the whole of North America, several countries in Europe, as well as others, including Angola, Argentina, Australia, China, Egypt, India, Kazakhstan, Myanmar, Nigeria, Pakistan, Turkey, and Uzbekistan.

Expanding Victimology Footprint

The development marks a significant expansion, over the past three years, of the hacking group's victimology footprint, which has otherwise been concentrated in Eastern Europe.

Past Campaigns

Campaigns over the past three years, beginning with a focus on Ukraine and expanding from there, include:

  • 2022: Energy, retail, education, consulting, and agriculture sectors
  • 2023: Sectors in the United States, Europe, Central Asia, and the Middle East that provided material support to the war in Ukraine or were geopolitically significant
  • 2024: Entities in the United States, Canada, Australia, and the United Kingdom

Seashell Blizzard (formerly Iridium)

Sandworm is tracked by Microsoft under the moniker Seashell Blizzard (formerly Iridium), and by the broader cybersecurity community under the names APT44, Blue Echidna, FROZENBARENTS, Grey Tornado, Iron Viking, Razing Ursa, Telebots, UAC-0002, and Voodoo Bear.

Operationally Mature

Active since at least 2013, the group is assessed to be affiliated with Unit 74455 within the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).

Description by Mandiant

Mandiant describes Sandworm as a "highly adaptive" and "operationally mature" threat actor that engages in espionage, attack, and influence operations. It also has a track record of mounting disruptive and destructive attacks against Ukraine over the past decade.

Leveraging Data Wipers, Pseudo-Ransomware, and Backdoors

Campaigns mounted by Sandworm in the wake of the Russo-Ukrainian war have leveraged data wipers (KillDisk aka HermeticWiper), pseudo-ransomware (Prestige aka PRESSTEA), and backdoors (Kapeka), in addition to malware families that allow the threat actors to maintain persistent remote access to infected hosts via DarkCrystal RAT (aka DCRat).

Russian Companies and Criminal Marketplaces

It has also been observed relying on a variety of Russian companies and criminal marketplaces to source and sustain its offensive capabilities, highlighting a growing trend of cybercrime facilitating state-backed hacking.

Dispersal of Disposable Capabilities

The group has used criminally sourced tools and infrastructure as a source of disposable capabilities that can be operationalized on short notice without immediate links to its past operations.

Global Reach

The subgroup, which is characterized within the broader Seashell Blizzard organization by its near-global reach, represents an expansion in both the geographical targeting conducted by Seashell Blizzard and the scope of its operations.

Weaponized Vulnerabilities

Attacks carried out by the subgroup involve a combination of both opportunistic "spray and pray" attacks and targeted intrusions that are designed to maintain indiscriminate access and perform follow-on actions to either expand network access or obtain confidential information.

Eight Different Known Security Vulnerabilities Exploited

Once a foothold is obtained, the threat actor establishes persistence through three different methods: deployment of legitimate remote access software, deployment of a web shell, and malicious modifications to Outlook Web Access sign-in pages.

Expanded Campaigns

Further infrastructure analysis has uncovered a previously undocumented RDP backdoor codenamed Kalambur that is disguised as a Windows update. It uses the Tor network for command-and-control, deploys OpenSSH, and enables remote access via the Remote Desktop Protocol (RDP) on port 3389.
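As an added defensive example (not from the original article or the underlying report), the Python below correlates constructed, simplified host telemetry for the behaviour described above: RDP being enabled in the registry, an OpenSSH service being installed, and port 3389 being opened on the same host within a short window. The event format, field names, hostnames and timestamps are all assumptions made for the example.

```python
"""Correlate constructed Windows host events for the RDP/OpenSSH
persistence pattern described above (hypothetical event schema)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry in a simplified JSON-lines form; the
# host/time/kind fields are an assumed normalisation, not a real product's.
SAMPLE_EVENTS = r"""
{"host": "ws01", "time": "2024-03-01T10:00:05", "kind": "registry_set", "path": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections", "value": "0"}
{"host": "ws01", "time": "2024-03-01T10:00:09", "kind": "service_installed", "name": "sshd", "image": "C:\\ProgramData\\ssh\\sshd.exe"}
{"host": "ws01", "time": "2024-03-01T10:00:12", "kind": "firewall_rule", "action": "allow", "port": 3389}
{"host": "srv02", "time": "2024-03-01T11:30:00", "kind": "firewall_rule", "action": "allow", "port": 3389}
{"host": "srv02", "time": "2024-03-01T16:00:00", "kind": "registry_set", "path": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections", "value": "0"}
"""

# Setting fDenyTSConnections to 0 is what turns Remote Desktop on.
RDP_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"


def classify(ev):
    """Map one event to the persistence indicator it represents, or None."""
    if ev["kind"] == "registry_set" and ev["path"].lower() == RDP_KEY.lower() and ev["value"] == "0":
        return "rdp_enabled"
    if ev["kind"] == "service_installed" and "ssh" in ev["name"].lower():
        return "openssh_installed"
    if ev["kind"] == "firewall_rule" and ev["action"] == "allow" and ev["port"] == 3389:
        return "rdp_port_opened"
    return None


def detect(events_jsonl, window_minutes=15, min_indicators=2):
    """Return {host: sorted indicators} for hosts where at least
    min_indicators distinct indicators fall within window_minutes."""
    window = timedelta(minutes=window_minutes)
    by_host = defaultdict(list)
    for line in events_jsonl.strip().splitlines():
        ev = json.loads(line)
        tag = classify(ev)
        if tag:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), tag))
    alerts = {}
    for host, hits in by_host.items():
        hits.sort()  # chronological, so each start point scans forward only
        for i, (t0, _) in enumerate(hits):
            cluster = {tag for t, tag in hits[i:] if t - t0 <= window}
            if len(cluster) >= min_indicators:
                alerts[host] = sorted(cluster)
                break
    return alerts


if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

With the default 15-minute window only ws01 fires; srv02's two indicators are hours apart and surface only if the correlation window is widened.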

Destabilizing Critical Infrastructure

By leveraging trojanized software to infiltrate ICS environments, Sandworm (APT44) continues to demonstrate its strategic objective of destabilizing Ukraine’s critical infrastructure in support of Russian geopolitical ambitions.
