Over the past decade, the Kremlin's most aggressive cyberwar unit, known as Sandworm, has focused its hacking campaigns on Ukraine, even more so since Russian president Vladimir Putin's full-scale invasion of Russia's neighbor. Now Microsoft warns that a team within this notorious hacking group has shifted its targeting, working indiscriminately to breach networks around the world, and that over the past year it appeared to show a particular interest in networks in English-speaking Western countries.
On Wednesday, Microsoft's threat intelligence team published new research on a Sandworm subgroup that the company's analysts call BadPilot. Microsoft describes the team as an "initial access operation" focused on breaching victims' networks and gaining a foothold before handing that access to other hackers within the broader Sandworm organization, which security researchers have for years identified as a unit of Russia's military intelligence agency, the GRU. After BadPilot's initial breaches, other Sandworm hackers have used its intrusions to move through victims' networks and carry out effects such as stealing information or launching cyberattacks, Microsoft says.
Microsoft describes BadPilot as launching a high volume of intrusion attempts, casting a wide net and then sorting through the results to focus on particular victims. Over the past three years, according to the company, the geography of the group's targeting has evolved: in 2022 it was focused almost entirely on Ukraine, and it then expanded its hacking to victims in the United States, the United Kingdom, Canada, and Australia.
"We see them spraying their initial access attempts, seeing what comes back, and then focusing on the targets they like," said Sherrod DeGrippo, director of threat intelligence strategy at Microsoft. "They pick and choose what makes sense to focus on. And they're focusing on these Western countries."
Microsoft did not name any specific victims of BadPilot's intrusions, but stated broadly that the hacking group's targets included "energy, oil and gas, telecommunications, shipping, weapons manufacturing" and "international governments." At least three times, Microsoft says, its operations have led to data-destroying cyberattacks carried out by Sandworm against Ukrainian targets.
As for the more recent focus on Western networks, Microsoft's DeGrippo suggests that the group's interests have probably been more political. "Global elections are probably a reason for that," DeGrippo says. "That shifting political landscape, I think, is a motivator to change tactics and change targets."
Over the more than three years that Microsoft has tracked BadPilot, the group has sought access to victims' networks using known but unpatched vulnerabilities in internet-facing software, exploiting hackable flaws in Microsoft Exchange and Outlook as well as in the Openfire, JetBrains, and Zimbra applications. In its targeting of Western networks over the past year in particular, Microsoft warns that BadPilot specifically exploited a vulnerability in the ConnectWise ScreenConnect remote access tool and in Fortinet FortiClient EMS, another application for centrally managing Fortinet security software on PCs.
After exploiting these vulnerabilities, Microsoft found that BadPilot typically installs software that gives it persistent access to a victim's machine, often using legitimate remote access tools such as the Atera agent or Splashtop Remote Services. In some cases, in a more unusual twist, it also sets up a victim's computer to run as a so-called onion service on the Tor anonymity network, essentially turning it into a server that communicates through Tor's collection of proxy machines to hide its communications.