Over the past decade, the Kremlin’s most aggressive cyberwar unit, known as Sandworm, has focused its hacking campaigns on tormenting Ukraine, all the more so since Russian President Vladimir Putin’s full-scale invasion of Russia’s neighbor. Now Microsoft warns that a team within that notorious hacking group has shifted its targeting, working indiscriminately to breach networks worldwide, and over the past year it appears to be showing a particular interest in networks in English-speaking Western countries.
On Wednesday, Microsoft’s Threat Intelligence team published new research on a group within Sandworm that the company’s analysts call BadPilot. Microsoft describes the team as an “initial access operation” focused on breaching and gaining a foothold in victim networks before handing that access to other hackers within the larger Sandworm organization, which security researchers have for years identified as a unit of Russia’s military intelligence agency. After BadPilot’s initial break-ins, other Sandworm hackers have used its intrusions to move within victim networks and carry out follow-on actions such as stealing information or launching cyberattacks, Microsoft says.
Microsoft describes BadPilot as a high-volume intrusion effort, casting a wide net and then sorting through the results to focus on particular victims. Over the past three years, the company says, the geography of the group’s targeting has evolved: in 2022 it aimed its intrusions almost entirely at Ukraine, then broadened its break-ins in 2023 to networks worldwide, and then in 2024 homed in on victims in the US, UK, Canada, and Australia.
“We see them spraying out their efforts, seeing what comes back, and then focusing on the targets they love,” says Sherrod DeGrippo, Microsoft’s director of threat intelligence strategy. “They pick and choose what makes sense to focus on. And they focus on those Western countries.”
Microsoft has not named any specific victims of BadPilot’s intrusions, but says broadly that the hacker group’s targets include “energy, oil and gas, telecommunications, shipping, arms manufacturing” and “international governments.” On at least three occasions, Microsoft says, its activities have led to destructive cyberattacks carried out by Sandworm against Ukrainian targets.
Regarding the more recent focus on Western networks, Microsoft’s DeGrippo suggests that the group’s interests are likely more political in nature. “Worldwide elections are probably a reason for that,” says DeGrippo. “I think the changing political landscape is a motivator to change tactics and change targets.”
Over the more than three years that Microsoft has tracked BadPilot, the group has tried to gain access to victim networks using known but unpatched vulnerabilities in internet-facing software, exploiting flaws in Microsoft Exchange and Outlook as well as applications from OpenFire, JetBrains, and Zimbra. In its focus on Western networks over the past year, Microsoft warns, BadPilot has specifically exploited a vulnerability in the remote access tool ConnectWise ScreenConnect and one in Fortinet FortiClient EMS, an application for centrally managing Fortinet’s security software on PCs.
After exploiting those vulnerabilities, Microsoft found, BadPilot typically installs software that gives it persistent access to a victim machine, often legitimate remote access tools such as the Atera agent or Splashtop remote services. In some cases, in a more unusual twist, it has also configured a victim’s machine to run as a so-called onion service on the Tor anonymity network, essentially turning it into a server that communicates through Tor’s collection of proxy machines to hide its traffic.
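The two persistence artifacts described above, a legitimate RMM agent the organization never approved and a Tor onion service on an endpoint, are both things a defender can hunt for in a host inventory. The following is an added example, not code from Microsoft’s report or the article; the service names and the torrc fragment are constructed samples, and the vendor strings it matches on are assumptions standing in for an organization’s own allow-list.

```python
import re

# Constructed sample inventory: service names as a host-inventory export might
# list them (the vendor strings are illustrative, not a vetted indicator list).
SAMPLE_SERVICES = ["Windows Update", "AteraAgent", "Splashtop Remote Service"]

# Constructed torrc fragment: the host has been turned into an onion service that
# forwards Tor virtual ports to local listeners (here an RDP port and a web port).
SAMPLE_TORRC = """\
SocksPort 9050
HiddenServiceDir C:\\ProgramData\\tor\\hs   # comment after value
HiddenServicePort 443 127.0.0.1:3389
HiddenServicePort 80 127.0.0.1:8080
"""

# Remote-management products named in the article; matched case-insensitively
# so a renamed service that still carries the vendor string is caught.
RMM_VENDORS = ("atera", "splashtop")


def find_unapproved_rmm(services, approved=frozenset()):
    """Return (vendor, service) pairs for RMM agents not on the approved list."""
    hits = []
    for name in services:
        for vendor in RMM_VENDORS:
            if vendor in name.lower() and name not in approved:
                hits.append((vendor, name))
    return hits


def parse_onion_services(torrc_text):
    """Group HiddenServicePort lines under the HiddenServiceDir that precedes them."""
    services, current = [], None
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "hiddenservicedir":  # torrc option names are case-insensitive
            current = {"dir": value.strip(), "ports": []}
            services.append(current)
        elif key.lower() == "hiddenserviceport" and current is not None:
            virt, _, target = value.strip().partition(" ")
            current["ports"].append((int(virt), target.strip()))
    return services


def hunt(services, torrc_text, approved_rmm=frozenset()):
    """Combine both checks into one list of human-readable findings for a host."""
    findings = [f"unapproved RMM agent: {s} ({v})"
                for v, s in find_unapproved_rmm(services, approved_rmm)]
    for hs in parse_onion_services(torrc_text):
        for virt, target in hs["ports"]:
            findings.append(f"onion service {hs['dir']} exposes {target} on virtual port {virt}")
    return findings
```

An agent that is on the approved list produces no finding, so the same check can run fleet-wide without flagging the organization’s own RMM deployment.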