
Microsoft Issues Alert for BadPilot Campaign as Seashell Blizzard Affects US and UK


Hackers linked to Russia's GRU military intelligence service have been exploiting publicly known, vendor-patched software vulnerabilities to breach critical networks around the world, with a recent focus on the United States and the United Kingdom. The group, tracked by Microsoft as Seashell Blizzard and more widely known as Sandworm, has been running this access campaign since at least 2021 against key sectors including energy, telecommunications and government.

According to Microsoft Threat Intelligence, the intrusions are the work of a Seashell Blizzard subgroup whose initial-access operation Microsoft tracks as the "BadPilot campaign" (BadPilot is the name of the campaign, not of the subgroup). The subgroup gets its foothold by exploiting known vulnerabilities in widely deployed, internet-facing software, including ConnectWise ScreenConnect (CVE-2024-1709) and Fortinet FortiClient EMS (CVE-2023-48788), and then escalates: dumping credentials, moving laterally and taking persistent control of the systems it judges most valuable. Nothing in the initial-access stage requires a zero-day; an unpatched management server exposed to the internet is enough.

The subgroup's targeting was initially concentrated on Ukraine, Europe, Asia and the Middle East; since early 2024 it has expanded to the U.S. and the U.K. Microsoft assesses that these footholds give Russia options as its strategic priorities shift, particularly with respect to the war in Ukraine, and that access obtained by the subgroup has enabled destructive attacks in Ukraine since 2023.

To keep long-term control of compromised networks, the subgroup favours tooling that blends in: legitimate remote monitoring and management (RMM) agents such as Atera Agent and Splashtop Remote Services, and web shells dropped on compromised web servers. Because the RMM agents are signed commercial software with a plausible business use, their presence alone rarely trips endpoint controls, and the web shells provide a fallback if an agent is removed. A custom utility Microsoft calls ShadowLink goes further: it bundles Tor and configures the compromised host as a Tor hidden service, so the operators reach it over an .onion address without any inbound connection that a firewall log or NetFlow review could attribute to them. The practical checks that follow are an inventory of RMM agents against a sanctioned list, and an alert on Tor binaries or hidden-service configuration on servers that have no business running them.
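The three persistence techniques above each leave a host-level artefact that can be checked without vendor telemetry. The following is an added example, not code from Microsoft's report or from any of the tools named in it: it triages a host record for unsanctioned RMM agents, for a Tor hidden service (in stock Tor that means a torrc containing both HiddenServiceDir and HiddenServicePort, which is the effect the article attributes to ShadowLink, not its exact on-disk form), and for web-shell-like script files. The RMM signature list, the web-shell regex and the sample host are assumptions constructed for the example.

```python
"""Host triage for the persistence tradecraft described above.

Three checks, one per technique the article names: commercial RMM agents
the organisation did not sanction, Tor hidden-service configuration on a
server (the effect ShadowLink is described as having), and web-shell-like
script files in a web root. Input is a plain Host record so it runs
offline; SAMPLE_HOST below is constructed, not real telemetry.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Substrings that identify common RMM agents in service names or binary
# paths. The article names only "remote management software"; which
# products to watch for is an assumption, extend it for your estate.
RMM_SIGNATURES = {
    "atera": ("ateraagent", "agentpackage"),
    "splashtop": ("splashtop", "srservice"),
    "screenconnect": ("screenconnect", "connectwisecontrol"),
    "anydesk": ("anydesk",),
}

# A stock Tor hidden service requires both directives in torrc.
TOR_HS_RE = re.compile(r"^\s*HiddenService(Dir|Port)\b", re.MULTILINE | re.IGNORECASE)

# Crude one-liner web-shell markers for ASP.NET, PHP and JSP; tune per stack.
WEBSHELL_RE = re.compile(
    r"eval\s*\(\s*(Request|\$_(GET|POST|REQUEST))"
    r"|Runtime\.getRuntime\(\)\.exec"
    r"|System\.Diagnostics\.Process",
    re.IGNORECASE,
)
WEB_EXTS = (".aspx", ".ashx", ".php", ".jsp")


@dataclass
class Host:
    name: str
    services: List[Tuple[str, str]] = field(default_factory=list)  # (service, binary path)
    torrc: Optional[str] = None                                    # torrc contents, if any
    web_files: Dict[str, str] = field(default_factory=dict)        # path -> contents


def find_unapproved_rmm(host: Host, approved=()) -> List[str]:
    """RMM products present on the host that are not on the sanctioned list."""
    present = set()
    for service, binary in host.services:
        blob = f"{service} {binary}".lower()
        for product, needles in RMM_SIGNATURES.items():
            if any(n in blob for n in needles):
                present.add(product)
    return sorted(present - set(approved))


def has_tor_hidden_service(host: Host) -> bool:
    """True when torrc declares both HiddenServiceDir and HiddenServicePort."""
    if not host.torrc:
        return False
    directives = {m.lower() for m in TOR_HS_RE.findall(host.torrc)}
    return {"dir", "port"} <= directives


def find_webshell_candidates(host: Host) -> List[str]:
    """Script files in the web root whose contents look like a command shell."""
    return sorted(
        path for path, content in host.web_files.items()
        if path.lower().endswith(WEB_EXTS) and WEBSHELL_RE.search(content)
    )


def triage_host(host: Host, approved_rmm=()) -> List[Tuple[str, str]]:
    """Run all three checks; returns (category, detail) findings in a fixed order."""
    findings = [("unapproved_rmm", p) for p in find_unapproved_rmm(host, approved_rmm)]
    if has_tor_hidden_service(host):
        findings.append(("tor_hidden_service", "torrc declares HiddenServiceDir/Port"))
    findings += [("webshell_candidate", p) for p in find_webshell_candidates(host)]
    return findings


# Constructed sample: a web server with two RMM agents (only Splashtop is
# sanctioned), a hidden service exposing RDP over Tor, and a dropped shell.
SAMPLE_HOST = Host(
    name="srv-web-01",
    services=[
        ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
        ("AteraAgent", r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"),
        ("SplashtopRemoteService", r"C:\Program Files (x86)\Splashtop\SRService.exe"),
    ],
    torrc="SocksPort 0\nHiddenServiceDir C:\\ProgramData\\svc\\hs\nHiddenServicePort 3389 127.0.0.1:3389\n",
    web_files={
        r"C:\inetpub\wwwroot\index.aspx": '<%@ Page Language="C#" %><html>hello</html>',
        r"C:\inetpub\wwwroot\aspnet_client\test.aspx":
            '<%@ Page Language="Jscript" %><%eval(Request.Item["cmd"], "unsafe");%>',
    },
)

if __name__ == "__main__":
    for category, detail in triage_host(SAMPLE_HOST, approved_rmm=("splashtop",)):
        print(f"{SAMPLE_HOST.name}: {category}: {detail}")
```

The allow-list is the important design choice: the agents themselves are legitimate, so the finding is "this product is not one we deploy", not "this binary is malicious". In production the Host record would be filled from your EDR or inventory export rather than built by hand, and the web-shell regex should be paired with file modification times, since a one-liner shell is easy to vary but a freshly written .aspx under a static directory is not.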

Sandworm has a long record of disruptive operations, including NotPetya in 2017 and the FoxBlade wiper (also known as HermeticWiper) deployed against Ukrainian targets in 2022. The concern raised by the BadPilot report is less the novelty of any single technique than the breadth of pre-positioned access it describes, which is why Microsoft and industry analysts urge organizations in the affected sectors to review their exposure rather than wait for an incident.

The subgroup's entry points are known vulnerabilities, so the patch status of internet-facing remote-access and endpoint-management servers is the first control; what makes the campaign hard to contain is the post-compromise tradecraft. The practical measures follow directly from the reported tactics: patch ScreenConnect and FortiClient EMS, and any other exposed management plane, as soon as fixes ship; keep an allow-list of RMM products and alert on any other agent installation; monitor web roots for new or modified script files; treat Tor processes or hidden-service configuration on a server as an incident until proven otherwise; and harden credential stores, since credential theft is the subgroup's stated goal once inside. Organizations of all sizes, not only those in the named sectors, should assume they are in scope.

