Microsoft reveals that a Russian hacking group known as Sandworm has broadened its attacks beyond Ukraine, targeting English-speaking Western countries.
Over the last decade, the Kremlin's most aggressive cyberwar unit, known as Sandworm , has focused its hacking campaigns on tormenting Ukraine , even more so since Russia n president Vladimir Putin's full-scale invasion of Russia 's neighbor.
Now Microsoft is warning that a team within that notorious hacking group has shifted its targeting, indiscriminately working to breach networks worldwide—and, in the last year, has seemed to show a particular interest in networks in English-speaking Western countries. On Wednesday, Microsoft's threat intelligence team published new research into a group within Sandworm that the company’s analysts are calling BadPilot. Microsoft describes the team as an “initial access operation” focused on breaching and gaining a foothold in victim networks before handing off that access to other hackers within Sandworm’s larger organization, which security researchers have for years identified as a unit of Russia’s GRU military intelligence agency. After BadPilot's initial breaches, other Sandworm hackers have used its intrusions to move within victim networks and carry out effects such as stealing information or launching cyberattacks, Microsoft says. Microsoft describes BadPilot as initiating a high volume of intrusion attempts, casting a wide net and then sorting through the results to focus on particular victims. Over the last three years, the company says, the geography of the group's targeting has evolved: In 2022, it set its sights almost entirely on Ukraine, then broadened its hacking in 2023 to networks worldwide, and then shifted again in 2024 to home in on victims in the US, the UK, Canada and Australia. “We see them spraying out their attempts at initial access, seeing what comes back, and then focusing on the targets they like,” says Sherrod DeGrippo, Microsoft’s director of threat intelligence strategy. “They’re picking and choosing what makes sense to focus on. And they are focusing on those Western countries.” Microsoft didn't name any specific victims of BadPilot's intrusions, but broadly stated that the hacker group's targets have included “energy, oil and gas, telecommunications, shipping, arms manufacturing,” and “international governments.” On at least three occasions, Microsoft says, its operations have led to data-destroying cyberattacks carried out by Sandworm against Ukrainian targets. As for the more recent focus on Western networks, Microsoft's DeGrippo hints that the group's interests have likely been more related to politics. “Global elections are probably a reason for that,” DeGrippo says. “That changing political landscape, I think, is a motivator to change tactics and to change targets.” Over the more than three years that Microsoft has tracked BadPilot, the group has sought to gain access to victim networks using known but unpatched vulnerabilities in internet-facing software, exploiting hackable flaws in Microsoft Exchange and Outlook, as well as applications from OpenFire, JetBrains, and Zimbra. In its targeting of Western networks over the last year in particular, Microsoft warns that BadPilot has specifically exploited a vulnerability in the remote access tool Connectwise ScreenConnect and Fortinet FortiClient EMS, another application for centrally managing Fortinet's security software on PCs. After exploiting those vulnerabilities, Microsoft found that BadPilot typically installs software that gives it persistent access to a victim machine, often with legitimate remote access tools like Atera Agent or Splashtop Remote Services. In some cases, in a more unique twist, it also sets up a victim's computer to run as so-called onion service on the Tor anonymity network, essentially turning it into a server that communicates via Tor's collection of proxy machines to hide its communications. Another, separate report Tuesday from the cybersecurity firm EclecticIQ pointed to an entirely distinct hacking campaign that firm also ties to Sandworm. Since late 2023, EclecticIQ found the hacker group has used a malware-infected Windows piracy tool, distributed via Bittorrent, to breach Ukrainian government networks. In those cases, EclecticIQ found, the hackers have installed a remote access tool called Dark Crystal RAT to carry out cyberespionage. Any sign of Sandworm, which Microsoft refers to by the name Seashell Blizzard, raises alarms in part because the group has a history of hacking operations that go far beyond mere spying. Over the last decade, the group has caused at least three blackouts by targeting electric utilities in Ukraine—still the only such hacker-induced blackouts in history. The group also released the NotPetya malware that spread worldwide and did at least $10 billion in damage, and it used wiper malware to destroy countless networks in more targeted attacks across Ukraine both before and after the 2022 invasion
Sandworm Badpilot Hacking Cyberattacks Russia GRU Ukraine Microsoft Cybersecurity Western Countries
United States Latest News, United States Headlines
Similar News:You can also read news stories similar to this one that we have collected from other news sources.
Disney Shifts DEI Focus to Business Goals Amid Cultural ShiftsDisney has announced changes to its diversity, equity, and inclusion (DEI) initiatives, prioritizing business objectives and company values. The company will also revise content advisory disclaimers and alter the evaluation process for executive compensation.
Read more »
GM Cuts Cruise Workforce by Half as Robotaxi Unit Shifts to GM SubsidiaryGeneral Motors is streamlining its autonomous vehicle efforts by reducing the Cruise robotaxi workforce by approximately 50%. Following a $10 billion investment and years of development, GM has decided to refocus its autonomous driving strategy on personal vehicles.
Read more »
PowerWash Simulator Developer Shifts Focus Away From VRFuturLab, the developer behind PowerWash Simulator, is discontinuing support for new VR content on Meta Quest. While the company remains passionate about VR, they are reallocating their VR team to other projects due to profitability concerns. This decision highlights the current challenges faced by VR gaming, as it remains a niche market.
Read more »
Wall Street Mixed as Investors Rotate Out of Tech, Focus Shifts to India's RupeeThe Dow Jones Industrial Average surged on Tuesday, while the Nasdaq Composite slipped as investors shifted away from technology stocks. The focus now turns to the Indian rupee, which hit a record low against the U.S. dollar.
Read more »
BART Shifts Departure Times to Improve Safety, Reduce TransfersBART is adjusting departure times starting Monday to enhance safety and minimize transfer waits between BART and other Bay Area transit systems. The aim is to synchronize with agencies such as the Golden Gate Ferry System, Caltrain, SMART train, and Valley Transportation Authority. This change also coincides with a major construction project to replace BART's outdated train control system, expected to reduce delays and allow for more frequent train service.
Read more »
Seattle Prepares for Potential Policy Shifts Under Trump AdministrationSeattle city officials are taking proactive steps to address potential policy changes under the incoming Trump administration, focusing on immigration, abortion access, and LGBTQ+ protections. The city council, in collaboration with various offices, reviewed existing local and state laws designed to safeguard these communities. Officials are anticipating executive orders targeting immigration, health, and defense, and are preparing for potential funding changes and retaliation from the federal government. City departments are receiving 'know your rights' training and are instructed to contact the Mayor's Office if ICE appears at any city buildings.
Read more »