The BadPilot campaign: Multiyear global access operation

Feb. 13, 2025, 10:13 a.m.

Description

A Russian state actor subgroup within Seashell Blizzard has conducted a global access operation called the BadPilot campaign since 2021. The group exploits vulnerabilities in Internet-facing infrastructure to gain persistent access to high-value targets across various sectors worldwide. Their tactics include deploying web shells, modifying network resources, and using remote management tools for persistence and command and control. The campaign has expanded Seashell Blizzard's geographical reach beyond Eastern Europe, targeting organizations in the US, UK, Canada, and Australia. The subgroup's activities enable Russia to respond to evolving strategic objectives and provide options for future actions.

External References

https://www.microsoft.com/en-us/security/blog/2025/02/12/the-badpilot-campaign-seashell-blizzard-subgroup-conducts-multiyear-global-access-operation/
https://otx.alienvault.com/pulse/67ad20d5eebfab02de73ce33
Tags
persistence
credential theft
CVE-2024-1709
CVE-2021-34473
vulnerability exploitation
CVE-2023-42793
CVE-2023-48788
initial access
2025-02-12
CVE-2023-23397
CVE-2023-32315
badpilot
russian state actor
global operation
localolive
CVE-2022-41352
remote management
shadowlink

Date

  • Created: Feb. 12, 2025, 10:29 p.m.
  • Published: Feb. 12, 2025, 10:29 p.m.
  • Modified: Feb. 13, 2025, 10:13 a.m.

Attack Patterns

  • ShadowLink
  • LocalOlive
  • Seashell Blizzard

Additional Informations

  • Energy
  • Defense
  • Transportation
  • Telecommunications
  • Government
  • Manufacturing
  • Australia
  • Canada
  • United Kingdom of Great Britain and Northern Ireland
  • Ukraine
  • United States of America