
Russia’s Sandworm APT Exploits Edge Vulnerabilities on a Global Scale


Sandworm, also known as Military Unit 74455 within Russia’s military intelligence, is a notorious advanced persistent threat that has made headlines with various cyber attacks over the years. From NotPetya to attacks on the 2018 Winter Olympics and Ukraine’s power grid, Sandworm has been at the forefront of cyber warfare. More recently, the group has targeted Denmark’s energy sector and attempted to disrupt Ukraine’s power grid again, with both successful and unsuccessful attempts.

In a shift towards quieter but more wide-reaching intrusions, Sandworm has been focusing on gaining initial access to high-value organizations across major industries and geographic regions. Microsoft tracks the group as Seashell Blizzard and has identified a subgroup within it whose initial-access campaign it calls "BadPilot"; that subgroup has been running opportunistic attacks on Internet-facing infrastructure since late 2021. By exploiting known, already-patched vulnerabilities in widely deployed email and collaboration platforms such as Zimbra, Microsoft Exchange, and Microsoft Outlook, BadPilot gains initial access to telecommunications companies, oil and gas companies, shipping companies, arms manufacturers, and foreign government entities.

The group has expanded its targeting to include the US and UK, exploiting vulnerabilities in Fortinet FortiClient Enterprise Management Server and in ConnectWise ScreenConnect remote access software. After gaining access to a targeted system, BadPilot establishes persistence using its custom "LocalOlive" web shell and copies of legitimate remote monitoring and management (RMM) tools, which blend in with ordinary administrative traffic. It then collects credentials, moves laterally within the network, exfiltrates data, and carries out whatever follow-on activity the operation calls for.
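The two persistence behaviours described above, a web shell written into a web server's own directory and a legitimate RMM agent appearing where nobody installed it, are both detectable from ordinary endpoint telemetry. The following is an added example, not code from the article or from Microsoft's reporting: a small scanner over Sysmon-style FileCreate (Event ID 11) and ProcessCreate (Event ID 1) events. The field names, the web-root patterns, the RMM binary names and the sample events are all assumptions constructed for illustration, not indicators tied to BadPilot or LocalOlive.

```python
"""Added example (not from the article or from Microsoft's reporting): scan
Sysmon-style telemetry for two post-compromise behaviours, web-shell file
drops into web-server directories and execution of remote management agents
that are not on an approved list.

Field names (event_id, host, image, target) are assumptions modelled on
Sysmon Event ID 11 (FileCreate) and Event ID 1 (ProcessCreate). The sample
events at the bottom are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional

# Worker processes that should serve web content, not write script files into it.
WEB_SERVER_PROCESSES = {"w3wp.exe", "java", "httpd", "nginx"}
WEB_SHELL_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".jsp", ".jspx", ".php")
# Web roots for the platforms the article names (Exchange, Zimbra) plus the IIS default.
WEB_ROOT_PATTERNS = [
    re.compile(r"\\inetpub\\wwwroot\\", re.I),
    re.compile(r"\\Exchange Server\\V\d+\\FrontEnd\\HttpProxy\\", re.I),
    re.compile(r"/opt/zimbra/jetty/webapps/", re.I),
]
# Legitimate RMM agents that attackers also deploy; flag them unless approved.
# Binary names are assumptions, adjust to your own software inventory.
RMM_BINARIES = {"screenconnect.clientservice.exe", "ateraagent.exe", "srservice.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def basename(path: str) -> str:
    """Return the lower-cased final component of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def is_web_root(path: str) -> bool:
    return any(p.search(path) for p in WEB_ROOT_PATTERNS)


def check_file_create(ev: Dict) -> Optional[Finding]:
    """FileCreate: a web server worker writing a script file into its own web root."""
    target = ev["target"]
    writer = basename(ev["image"])
    if (target.lower().endswith(WEB_SHELL_EXTENSIONS)
            and is_web_root(target)
            and writer in WEB_SERVER_PROCESSES):
        return Finding("web_shell_drop", ev["host"], f"{writer} wrote {target}")
    return None


def check_process_create(ev: Dict, approved_rmm: FrozenSet[str]) -> Optional[Finding]:
    """ProcessCreate: a known RMM agent started although it is not on the approved list."""
    image = basename(ev["image"])
    if image in RMM_BINARIES and image not in approved_rmm:
        return Finding("unapproved_rmm", ev["host"], f"{image} started from {ev['image']}")
    return None


def scan(events: Iterable[Dict], approved_rmm: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Run both checks over a stream of events and collect the findings in order."""
    findings: List[Finding] = []
    for ev in events:
        if ev["event_id"] == 11:
            f = check_file_create(ev)
        elif ev["event_id"] == 1:
            f = check_process_create(ev, approved_rmm)
        else:
            f = None
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample telemetry: two suspicious events among benign ones.
SAMPLE_EVENTS = [
    {"event_id": 11, "host": "EXCH01", "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "target": r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\update.aspx"},
    {"event_id": 11, "host": "EXCH01", "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "target": r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.css"},
    # An installer writing into a web root is a deployment, not the worker process, so not flagged.
    {"event_id": 11, "host": "WEB07", "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"C:\inetpub\wwwroot\app\default.aspx"},
    {"event_id": 1, "host": "WS042",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe"},
    {"event_id": 1, "host": "WS042",
     "image": r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"},
    {"event_id": 1, "host": "WS042", "image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    # With Atera approved, only the Exchange web shell and the ScreenConnect agent are reported.
    for finding in scan(SAMPLE_EVENTS, approved_rmm=frozenset({"ateraagent.exe"})):
        print(f"[{finding.rule}] {finding.host}: {finding.detail}")
```

The allowlist is the important design choice: RMM tools are legitimate software, so the signal is not the binary itself but its presence on a host where the organization never approved it. In practice the allowlist would be keyed per host or per group rather than global, and the web-root patterns extended to every exposed application, since the article's point is that the group reuses the same playbook across platforms.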

According to Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, BadPilot’s tactics are focused on agility and achieving its goals with persistence. The group’s activities not only serve its own interests but also contribute to larger strategic objectives set by its controlling government, particularly in the context of Russia’s invasion of Ukraine. Sandworm has targeted critical infrastructure in Ukraine, including telecommunications, manufacturing, transportation, energy, military, and government organizations, as well as military communities for intelligence gathering.

The ongoing cyber threats posed by Sandworm and BadPilot underscore the importance of maintaining robust security practices in critical sectors. Organizations are urged to patch software, monitor Internet-facing assets, and enhance their overall security posture to defend against persistent and well-resourced threat actors. With the evolving landscape of cyber warfare, vigilance and preparedness are key to mitigating the impact of sophisticated and organized attacks.
