Cyber threats evolve at an alarming pace, with state-sponsored actors continuously refining their tactics.
Our latest research uncovers a persistent and highly scalable cyber campaign—dubbed BadPilot—operated by a subgroup within the Russian threat actor Seashell Blizzard. This subgroup has been actively compromising internet-facing infrastructure worldwide to enable long-term access to high-value targets.
A Global Threat Landscape
This subgroup has leveraged opportunistic access methods to infiltrate organisations across diverse sectors, including energy, telecommunications, and government institutions. Their activities extend beyond traditional espionage, potentially supporting disruptive cyber operations aligned with Russia’s geopolitical objectives.
What makes BadPilot particularly concerning is its expansive global reach. While initial operations primarily targeted Ukraine and parts of Europe, recent activity has expanded to the United Kingdom. This expansion has been facilitated through the exploitation of vulnerabilities in widely used IT management and security software, such as:
- ConnectWise ScreenConnect (CVE-2024-1709) – a popular remote management tool.
- Fortinet FortiClient EMS (CVE-2023-48788) – an endpoint security solution.
These vulnerabilities have been systematically exploited to establish initial footholds, enabling further compromise through credential harvesting, command execution, and lateral movement across victim networks.
Tactics, Techniques, and Procedures (TTPs)
The BadPilot campaign employs a mix of sophisticated and opportunistic techniques, including:
- Automated scanning and exploitation: The subgroup actively searches for exposed internet-facing infrastructure using scanning tools and third-party reconnaissance services.
- Persistence mechanisms: Custom backdoors and credential theft techniques allow long-term access to compromised environments.
- Targeted and opportunistic access: While some attacks are highly strategic, others appear indiscriminate, suggesting a “spray and pray” approach to maximising access.
Implications for Organisations
Seashell Blizzard’s operations pose a significant risk to critical national infrastructure. Their ability to rapidly scale exploitation efforts suggests they can pivot quickly in response to new geopolitical tensions. Organisations must take proactive steps to mitigate the risks associated with these campaigns, including:
- Regularly patching known vulnerabilities: Prioritise critical software updates, especially for remote access tools and security solutions.
- Implementing robust monitoring: Leverage high-quality ‘actionable’ threat intelligence to detect and respond to anomalous activity.
- Enhancing authentication mechanisms: Multi-factor authentication (MFA) can mitigate credential-based attacks.
The BadPilot campaign underscores the evolving nature of state-sponsored cyber threats. By exploiting common vulnerabilities at scale, this subgroup provides Seashell Blizzard with a versatile toolkit to maintain persistent access across global networks. Organisations must remain vigilant, adopting a proactive security posture to defend against these advanced threats.
Gemserv continues to monitor and analyse such campaigns, sharing actionable intelligence to help organisations safeguard their environments.