Over the past decade, the Kremlin’s most aggressive cyberwar unit, known as Sandworm, has focused its hacking campaigns on tormenting Ukraine, even more so since Russian President Vladimir Putin’s full-scale invasion of Russia’s neighbor. Now Microsoft warns that a team within that infamous hacking group has shifted to illegally breaching networks around the world, and over the last year has shown a particular interest in networks in English-speaking Western countries.
On Wednesday, Microsoft’s Threat Intelligence team published new research on a group within Sandworm that the company’s analysts call BadPilot. Microsoft describes the team as an “initial access operation” focused on breaching victims’ networks and gaining a foothold in them before handing that access to other hackers in the larger Sandworm organization, which security researchers have for years identified as a unit of Russia’s GRU military intelligence agency. After BadPilot’s initial breach, other Sandworm hackers have used its intrusions to move through victim networks and carry out effects such as stealing information or launching cyberattacks, Microsoft says.
Microsoft describes BadPilot as starting with a high volume of intrusion attempts, casting a wide net, and then sorting through the results to focus on specific victims. Over the past three years, Microsoft says, the group’s targeting geography has evolved: In 2022 it was almost entirely focused on Ukraine; in 2023 it expanded its hacking to networks around the world; and in 2024 it shifted again to home in on victims in the United States, Britain, Canada, and Australia.
“We see them spread their efforts for initial access and see what comes back, and then focus on their intended goals,” says Sherrod DeGrippo. “They pick and choose what is reasonable to focus on. And they focus on those Western countries.”
Microsoft did not name any specific victims of BadPilot’s hacking, but stated broadly that the group’s targets include “energy, oil and gas, communications, transportation, weapons production” and “international governments.” Microsoft says that, at least three times, BadPilot’s operations have led to cyberattacks by Sandworm against targets in Ukraine.
As for the recent focus on Western networks, Microsoft’s DeGrippo said the group’s interests were probably more political. “World elections are probably a reason for it,” DeGrippo says. “I think that the changing political outlook is an incentive to change tactics and change goals.”
Over the more than three years that Microsoft has tracked BadPilot, the group has sought to gain access to victim networks by exploiting known but unpatched vulnerabilities in internet-facing software, including flaws in Exchange and Outlook as well as in applications from OpenFire, JetBrains, and Zimbra. Over the past year in particular, as it targeted Western networks, Microsoft warns that BadPilot has specifically exploited vulnerabilities in ConnectWise ScreenConnect and Fortinet FortiClient EMS, a program for centrally managing Fortinet security software on PCs.
After exploiting these vulnerabilities, Microsoft found that BadPilot typically installs software that gives it persistent access to a victim’s machine, often legitimate remote-access tools such as Atera Agent or Splashtop Remote Services. In some cases, in a more unusual move, it also configures a victim’s computer to run as a so-called onion service on the Tor anonymity network, essentially turning it into a server that communicates through Tor’s collection of proxy machines to hide its traffic.
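The two persistence signals described above, a legitimate remote-access tool appearing on a host where none is approved and a Tor configuration that turns the host into an onion service, are both things a defender can hunt for in inventory data and on disk. The following Python script is an added illustration written for this page, not code from Microsoft’s research or from the article: the install-log format, the hostnames, the approved-tool policy and the sample torrc content are all constructed here, and any real deployment would substitute its own EDR or software-inventory export and its own policy.

```python
"""Hunt for two BadPilot-style persistence signals:
(1) installation of remote-access tools (Atera, Splashtop) on hosts that are
    not approved to run them, and
(2) a Tor configuration that exposes the host as an onion service
    (a HiddenServiceDir followed by HiddenServicePort lines in torrc).
Log format, hostnames, policy and torrc content are constructed for this example."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample: one software-install event per line, in a hypothetical
# "timestamp host product" format such as an inventory export might produce.
INSTALL_LOG = """\
2024-05-01T10:02:11Z ws-finance-07 AteraAgent
2024-05-01T10:05:40Z ws-finance-07 Splashtop Streamer
2024-05-01T11:15:03Z ws-helpdesk-01 Splashtop Streamer
2024-05-02T08:30:00Z ws-finance-07 7-Zip
"""

# Constructed policy: which hosts may run which remote-access tools.
APPROVED_RMM: Dict[str, Set[str]] = {"ws-helpdesk-01": {"splashtop"}}

# Product-name fragments identifying the remote-access tools named in the article.
RMM_PATTERNS = {
    "atera": re.compile(r"atera", re.I),
    "splashtop": re.compile(r"splashtop", re.I),
}


@dataclass(frozen=True)
class Finding:
    host: str
    detail: str


def rmm_findings(log_text: str, approved=APPROVED_RMM) -> List[Finding]:
    """Return one Finding per install of a remote-access tool on a host not approved for it."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue  # skip blank or malformed lines rather than crash the hunt
        ts, host, product = parts
        for name, pat in RMM_PATTERNS.items():
            if pat.search(product) and name not in approved.get(host, set()):
                findings.append(Finding(host, f"{ts} unapproved remote-access tool: {product}"))
    return findings


# Constructed torrc content of the kind that would make a host an onion service.
TORRC_SAMPLE = """\
SocksPort 9050
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 3389 127.0.0.1:3389
"""


def onion_service_ports(torrc_text: str) -> List[int]:
    """Return the virtual ports a torrc exposes as an onion service (empty if none).

    Tor's syntax is 'HiddenServicePort VIRTPORT [TARGET]', and the line only
    takes effect after a HiddenServiceDir has been declared, so we require that."""
    ports = []
    has_dir = False
    for raw in torrc_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key == "HiddenServiceDir":
            has_dir = True
        elif key == "HiddenServicePort" and has_dir:
            m = re.match(r"(\d+)", value.strip())
            if m:
                ports.append(int(m.group(1)))
    return ports


if __name__ == "__main__":
    for f in rmm_findings(INSTALL_LOG):
        print(f"{f.host}: {f.detail}")
    print("onion service exposes virtual ports:", onion_service_ports(TORRC_SAMPLE))
```

Run against the constructed data, the script flags both tool installs on ws-finance-07 while leaving the approved Splashtop install on the help-desk machine alone, and reports that the sample torrc publishes local port 3389 through Tor. The point of keeping an explicit per-host allow list is that the tools themselves are legitimate products, so presence alone is not a signal; presence where nobody approved it is.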