![The BadPilot campaign](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMeTRnMVuSGifQPU-bvRSlA24CD3QiikJRVJd_-7GOH6uAYXpIs867xc_RQodqbuwcE4zmLxusdgcc1QSqPpH1RbXs6npIWW9nMFpIeN23LnHyh3zvv7yB8balXkNhUh0O1a9pl0saW-28GZQkCIViZKiLb54PsuhO943oh2clKARLC2M7wVlSOX57og8/s16000-rw/BadPilot.webp)
Microsoft Threat Intelligence has revealed details about an extensive cyber operation conducted by a subgroup within the Russian state actor Seashell Blizzard, known as the "BadPilot campaign." The operation, active since 2021, has compromised internet-facing infrastructure worldwide to maintain persistence on high-value targets.
The campaign represents a significant expansion of Seashell Blizzard's operations beyond Eastern Europe, targeting critical sectors, including energy, oil and gas, telecommunications, shipping, and arms manufacturing, as well as international governments. Microsoft has linked this group to Russian Military Intelligence Unit 74455 (GRU).
"Since early 2024, the subgroup has expanded its range of access to include targets in the United States and United Kingdom by exploiting vulnerabilities primarily in ConnectWise ScreenConnect and Fortinet FortiClient EMS security software," Microsoft researchers noted in their findings.
The threat actor employs sophisticated techniques to establish long-term persistence, including deploying a unique tool called ShadowLink, which configures compromised systems as Tor hidden services to avoid detection.
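As an added defensive example (not code from the article or from Microsoft), the following Python parses a Tor configuration file (torrc) and flags hidden-service definitions, the configuration a ShadowLink-style persistence mechanism leaves behind on a host; the sample torrc text and its paths are constructed.

```python
# Detection helper (added example, not from the article or from Microsoft): parse a
# torrc and report hidden-service mappings. A host that unexpectedly carries
# HiddenServiceDir/HiddenServicePort directives is serving local ports over Tor.
from dataclasses import dataclass, field
from typing import List

@dataclass
class HiddenService:
    directory: str
    ports: List[str] = field(default_factory=list)  # raw "VIRTPORT [TARGET]" values

def parse_hidden_services(torrc_text: str) -> List[HiddenService]:
    """Return every hidden-service block declared in a torrc. Tor attaches each
    HiddenServicePort line to the most recent HiddenServiceDir, so the parser
    tracks the current block while walking the file."""
    services: List[HiddenService] = []
    current = None
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "hiddenservicedir":
            current = HiddenService(directory=value)
            services.append(current)
        elif key == "hiddenserviceport" and current is not None:
            current.ports.append(value)
    return services

def exposed_targets(services: List[HiddenService]) -> List[str]:
    """Flatten the blocks to the local endpoints reachable through Tor."""
    targets: List[str] = []
    for svc in services:
        for mapping in svc.ports:
            fields = mapping.split()
            # "HiddenServicePort 80" with no explicit target means 127.0.0.1:80
            targets.append(fields[1] if len(fields) > 1 else f"127.0.0.1:{fields[0]}")
    return targets

# Constructed sample torrc: one hidden service forwarding RDP and a local web port.
SAMPLE_TORRC = """\
SocksPort 0  # no local SOCKS listener; the host only serves inbound Tor traffic
HiddenServiceDir C:\\ProgramData\\svc\\hs
HiddenServicePort 3389 127.0.0.1:3389
HiddenServicePort 80
"""
if __name__ == "__main__":
    for svc in parse_hidden_services(SAMPLE_TORRC):
        print(f"ALERT: hidden service {svc.directory} exposes {exposed_targets([svc])}")
```

Run it against every torrc found on an endpoint (Tor looks for the file in its data directory, which an attacker-deployed copy can place anywhere) and alert on any block the host is not expected to serve.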
Who is Seashell Blizzard?
Seashell Blizzard is a high-impact threat actor linked to the Russian Federation that conducts global activities on behalf of Russian Military Intelligence Unit 74455 (GRU).
Seashell Blizzard’s specialized operations have ranged from espionage to information operations and cyber-enabled disruptions, usually in the form of destructive attacks and manipulation of industrial control systems (ICS).
Active since at least 2013, this threat actor's prolific operations include destructive attacks such as KillDisk (2015) and FoxBlade (2022), supply-chain attacks (MeDoc, 2017), and pseudo-ransomware attacks such as NotPetya (2017) and Prestige (2022).
The group has demonstrated three distinct exploitation patterns: deployment of remote management tools, web shell installation, and infrastructure modification for credential collection.
Figure: Seashell Blizzard's initial access
According to Microsoft's research, the subgroup uses an opportunistic "spray and pray" approach to achieve compromises at scale, increasing the likelihood of acquiring access to strategically significant targets. When valuable targets are identified, the group conducts extensive post-compromise activities.
The operation has leveraged at least eight critical vulnerabilities in common server infrastructure, including Microsoft Exchange, Zimbra Collaboration, and JetBrains TeamCity. Microsoft has observed the group using various tunneling utilities and remote management software to maintain access to compromised networks.
- Microsoft Exchange (CVE-2021-34473)
- Zimbra Collaboration (CVE-2022-41352)
- OpenFire (CVE-2023-32315)
- JetBrains TeamCity (CVE-2023-42793)
- Microsoft Outlook (CVE-2023-23397)
- ConnectWise ScreenConnect (CVE-2024-1709)
- Fortinet FortiClient EMS (CVE-2023-48788)
- JBoss (exact CVE is unknown)
The group's ability to modify network resources, including Outlook Web Access sign-in pages and DNS configurations, to passively gather network credentials is particularly concerning. This technique has enabled lateral movement within targeted organizations.
Microsoft Threat Intelligence assesses that this campaign will likely continue to evolve, given Seashell Blizzard's role as "Russia's cyber tip of the spear in Ukraine."
The company emphasizes that while some targeting appears opportunistic, the compromises cumulatively offer Russia options for responding to evolving strategic objectives.
To combat this threat, Microsoft recommends organizations implement robust security measures, including multifactor authentication, network protection, and advanced endpoint detection and response capabilities.
The company actively tracks these campaigns and notifies affected customers directly when compromise is detected.