A subgroup of Russia’s Sandworm APT has been actively working to gain initial and persistent access to the IT networks of organizations in various economic sectors that are of interest to Russia. Microsoft’s researchers revealed on Wednesday that in 2022, the group’s primary focus was on Ukraine, targeting sectors such as energy, retail, education, consulting, and agriculture. By 2023, they expanded their reach globally, obtaining persistent access in multiple sectors across the United States, Europe, Central Asia, and the Middle East. In 2024, their focus shifted towards countries including the United States, Canada, Australia, and the United Kingdom.
Sandworm, also known as “Seashell Blizzard,” is a threat group linked to the Russian Military Intelligence Unit 74455 (GRU). Over the years, they have been responsible for destructive attacks such as KillDisk and NotPetya. In 2020, the US indicted six GRU officers believed to be members of the Sandworm group.
The tactics, techniques, and procedures (TTPs) employed by the Sandworm initial access subgroup involve using public scan databases to find and exploit vulnerable Internet-facing infrastructure. They initially deployed web shells for persistence and later moved to legitimate remote monitoring and management (RMM) tools such as Atera Agent and Splashtop Remote Services. These tools let them deploy additional tooling for stealing and exfiltrating credentials. For added persistence, they register compromised systems as Tor hidden services, allowing remote access via the Tor network.
The subgroup has been observed carrying out unique post-compromise activities in certain cases, indicating a focus on durable persistence and direct access. They deploy OpenSSH with a unique public key for access to compromised systems. They also modify network resources such as Outlook Web Access (OWA) sign-in pages and DNS configurations to intercept credentials for lateral movement.
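As an added example (not code from Microsoft's report), the following host triage script checks for three of the persistence artifacts described above: Tor hidden-service entries in a torrc, OpenSSH authorized keys that are not on an allowlist, and running RMM agent processes. The sample inputs and allowlists are constructed, and the Atera/Splashtop process names are assumptions to verify against your own software inventory.

```python
import re

# Constructed sample inputs (not real telemetry): torrc, authorized_keys, process list.
SAMPLE_TORRC = """\
SocksPort 9050
HiddenServiceDir /var/lib/tor/hs_rdp/
HiddenServicePort 3389 127.0.0.1:3389
"""
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEAPPROVEDKEY0000000000000000 ops@corp
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLEUNKNOWNKEY0000000000000000 root@unknown
"""
SAMPLE_PROCESSES = ["svchost.exe", "AteraAgent.exe", "SRService.exe", "explorer.exe"]

# Assumed allowlists a defender maintains (placeholder key; RMM names assumed, verify locally).
APPROVED_KEYS = {"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEAPPROVEDKEY0000000000000000"}
RMM_PROCESS_NAMES = {"ateraagent.exe", "srservice.exe", "srmanager.exe", "srserver.exe"}

def find_hidden_services(torrc_text):
    """Return (dirs, port mappings) for every Tor hidden service configured.
    A host that should not publish onion services should return ([], [])."""
    dirs = re.findall(r"^\s*HiddenServiceDir\s+(\S+)", torrc_text, re.M)
    ports = re.findall(r"^\s*HiddenServicePort\s+(\d+)\s+(\S+)", torrc_text, re.M)
    return dirs, ports

def find_unapproved_keys(authorized_keys_text, approved):
    """Return the comment field of every authorized key not on the allowlist."""
    findings = []
    for line in authorized_keys_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if not parts[0].startswith(("ssh-", "ecdsa-", "sk-")):
            parts = parts[1:]  # skip a leading options field such as command="..."
        if len(parts) >= 2 and f"{parts[0]} {parts[1]}" not in approved:
            findings.append(parts[2] if len(parts) > 2 else "(no comment)")
    return findings

def find_rmm_processes(process_names, known_rmm):
    """Return running processes whose names match known RMM agents."""
    return sorted(p for p in process_names if p.lower() in known_rmm)

def triage(torrc_text, authorized_keys_text, process_names):
    dirs, ports = find_hidden_services(torrc_text)
    return {
        "tor_hidden_services": list(zip(dirs, ports)),
        "unapproved_ssh_keys": find_unapproved_keys(authorized_keys_text, APPROVED_KEYS),
        "rmm_processes": find_rmm_processes(process_names, RMM_PROCESS_NAMES),
    }
```

Any non-empty finding from `triage` on a server that is not supposed to run Tor, accept that key, or host an RMM agent is worth escalating; the options-field skip assumes no whitespace inside quoted options.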
Microsoft researchers suggest that the subgroup has used a “spray and pray” approach to achieve compromises, targeting organizations even with limited or no strategic utility to Russia. However, when strategically significant targets are compromised, there is often significant post-compromise activity observed. Actual targets have included organizations in sectors such as energy, oil and gas, telecommunications, shipping, arms manufacturing, and international governments.
The far-reaching and opportunistic access methods employed by the subgroup provide Russia with expansive opportunities for niche operations and activities, which will likely remain valuable in the medium term. Microsoft has released indicators of compromise, mitigation and protection guidance, as well as threat hunting queries to help organizations defend against potential Seashell Blizzard activity in the future.
Overall, the Sandworm APT subgroup’s activities highlight the ongoing threat posed by cyber espionage and the importance of implementing strong cybersecurity measures to protect critical infrastructure and sensitive information from such sophisticated adversaries. It is essential for organizations to remain vigilant and proactive in detecting and mitigating potential cyber threats to safeguard their digital assets and minimize the risk of security breaches.