Russia's Sandworm caught snarfing credentials, data from American and Brit orgs

'Near-global' initial access campaign active since 2021

An initial-access subgroup of Russia's Sandworm last year wriggled its way into networks within the US, UK, Canada and Australia, stealing credentials and data from "a limited number of organizations," according to Microsoft.

Sandworm, the offensive cyber operations group that works for the Russian Military Intelligence Unit 74455 (GRU), has previously been linked to attacks on water facilities in the US and EU, the 2018 Winter Olympics, NotPetya, and various other destructive attacks on Ukraine's critical infrastructure.

In a report published today, Redmond says a subgroup of Sandworm (Microsoft's threat intel team tracks Sandworm as "Seashell Blizzard") has been carrying out a "near-global" initial access campaign dubbed "BadPilot" since at least 2021.

The crew uses several methods to compromise victims' internet-facing infrastructure and gain access to critical sectors including energy, oil and gas, telecommunications, shipping, arms manufacturing, and international governments. 

And while its initial focus was Ukraine, by 2023 the BadPilot campaign had achieved persistent access to "numerous" high-value sectors in the US, Europe, Central Asia and the Middle East. A year later, it "honed its focus" on US, UK, Canada and Australian victims, we're told.

"Microsoft Threat Intelligence assesses that Seashell Blizzard uses this initial access subgroup to horizontally scale their operations as new exploits are acquired and to sustain persistent access to current and future sectors of interest to Russia," the researchers said.

To date, the subgroup has exploited at least eight vulnerabilities affecting:

After nearly all of its successful exploits, the intruders established persistence on compromised systems. And in at least three of these cases, this long-term access preceded destructive attacks, "highlighting that the subgroup may periodically enable destructive or disruptive attacks," Microsoft noted.

In early 2024, the subgroup began using remote management and monitoring tools for persistence and to communicate with command-and-control (C2) servers. Using these types of legitimate software tools, such as Atera Agent and Splashtop Remote Services, makes it easier for the criminals to blend in with normal network traffic and avoid detection, and Redmond says it first spotted the Russians using these RMM products after the subgroup exploited vulnerabilities in ConnectWise ScreenConnect (CVE-2024-1709) and Fortinet FortiClient EMS (CVE-2023-48788).

After compromising orgs in the US, UK, Canada and Australia, "it is highly likely that Seashell Blizzard conducted post-compromise activity at only a limited number of organizations that were part of this initial victim pool," the threat intel team said.

Having wormed their way into the network, the Russians got to work installing the RMM software, and then using those tools' native functionality to deploy secondary payloads to steal credentials, exfiltrate sensitive data, and upload custom utilities to give them more access to the compromised systems.

"In these cases, Seashell Blizzard deployed OpenSSH with a unique public key, allowing them to access compromised systems using an actor-controlled account and credential, in addition to a unique persistence and assured C2 method known to Microsoft Threat Intelligence as ShadowLink," according to the research.

ShadowLink gives the snoops persistent remote access by configuring the victim's system to be registered as a Tor hidden service. Compromised systems receive a [.]onion address, so the attackers can remotely access them via the Tor network. 

And this means Sandworm doesn't have to deploy a Remote Access Trojan (RAT) that can be more easily spotted and kicked off the network by security teams. 
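As an added defender-side example (not code from Microsoft's report or from The Register), the short Python hunt below checks a host for the three persistence artefacts described above: a torrc that publishes a local port as a hidden service (the ShadowLink pattern), an OpenSSH authorized_keys entry whose key is not on the host's approved list, and installed services matching the Atera or Splashtop agents. The torrc, key file, service list and approved-key set are constructed samples, not real telemetry.

```python
import re

# Constructed sample inputs (not from the article or any real host).
SAMPLE_TORRC = """\
SocksPort 0
HiddenServiceDir C:\\ProgramData\\svc\\hs
HiddenServicePort 22 127.0.0.1:22
HiddenServicePort 3389 127.0.0.1:3389
"""
SAMPLE_AUTH_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKNOWNKEY admin@corp
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCEXAMPLEUNKNOWN actor@unknown
"""
KNOWN_KEYS = {"AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKNOWNKEY"}  # host's approved key blobs
SAMPLE_SERVICES = ["Spooler", "AteraAgent", "SplashtopRemoteService", "W32Time"]
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384")
RMM_PATTERNS = ("atera", "splashtop")  # the RMM agents named in the article

def tor_hidden_services(torrc: str) -> list[tuple[int, str]]:
    """(virtual_port, local_target) per HiddenServicePort line: each exposes a local listener via .onion."""
    pat = re.compile(r"^[ \t]*HiddenServicePort[ \t]+(\d+)[ \t]+(\S+)", re.M)
    return [(int(port), target) for port, target in pat.findall(torrc)]

def unexpected_ssh_keys(authorized_keys: str, known_keys: set[str]) -> list[str]:
    """Comment (or key prefix) of each authorized_keys entry whose key blob is not approved."""
    unknown = []
    for line in authorized_keys.splitlines():
        parts = line.split()
        # Entries may start with option fields (command="...", from="..."), so locate the key type.
        idx = next((i for i, p in enumerate(parts) if p in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(parts):
            continue  # blank, comment or malformed line
        if parts[idx + 1] not in known_keys:
            unknown.append(" ".join(parts[idx + 2:]) or parts[idx + 1][:16])
    return unknown

def rmm_services(services: list[str]) -> list[str]:
    """Service names matching the RMM agents the subgroup was seen installing."""
    return [s for s in services if any(p in s.lower() for p in RMM_PATTERNS)]

def hunt() -> dict:
    """Run all three checks over the constructed samples."""
    return {"tor_hidden_services": tor_hidden_services(SAMPLE_TORRC),
            "unexpected_ssh_keys": unexpected_ssh_keys(SAMPLE_AUTH_KEYS, KNOWN_KEYS),
            "rmm_services": rmm_services(SAMPLE_SERVICES)}

if __name__ == "__main__":
    for check, result in hunt().items():
        print(f"{check}: {result}")
```

On a real host, feed the functions the contents of the Tor config, the sshd `AuthorizedKeysFile` for each account, and the installed service list; any hit is a lead to investigate, not proof of compromise.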

Another GRU-linked group that Microsoft tracks as Forest Blizzard (aka Fancy Bear) has also used similar Tor-based services in their attacks. ®
