The Russia-linked threat actor known as Seashell Blizzard has assigned one of its subgroups to gain initial access to internet-facing infrastructure and establish long-term persistence within targeted entity, a Microsoft report has revealed.
Also dubbed APT44, BlackEnergy Lite, Sandworm, Telebots, and Voodoo Bear, Seashell Blizzard has been active since at least 2009 and is believed to be linked to Russia’s General Staff Main Intelligence Directorate (GRU) military unit 74455.
Targeting Critical Sectors
Observed activities following initial access suggest that this campaign allowed Seashell Blizzard to infiltrate global targets across critical sectors, including energy, oil and gas, telecommunications, shipping, arms manufacturing, as well as international governments.
“We assess that this subgroup has been enabled by a horizontally scalable capability bolstered by published exploits that allowed Seashell Blizzard to discover and compromise numerous Internet-facing systems across a wide range of geographical regions and sectors,” the statement continued.
The group is known for conducting espionage, information operations, and cyber disruptions, including the destructive KillDisk (2015), MeDoc (2017), NotPetya (2017), FoxBlade (2022), and Prestige (2022) attacks.
Seashell Blizzard has targeted critical infrastructure—in support of military operations, particularly in Ukraine.
“Since at least April 2023, Seashell Blizzard has increased targeting of military communities in the region, likely for tactical intelligence gain. Their persistent targeting of Ukraine suggests Seashell Blizzard is tasked to obtain and retain access to high-priority targets to provide the Russian military and Russian government a range of options for future actions,” Microsoft said in a statement.
Persistence Within High-value Targets
For the past four years, a subgroup within Seashell Blizzard has been conducting a broad initial access operation known as the ‘BadPilot campaign,’ aimed at maintaining persistence within high-value targets to support tailored network operations.
“Active since at least 2021, this subgroup within Seashell Blizzard has leveraged opportunistic access techniques and stealthy forms of persistence to collect credentials, achieve command execution, and support lateral movement that has at times led to substantial regional network compromises,” Microsoft adds.
The report says the subgroup’s activities have allowed Seashell Blizzard to expand its operations horizontally, gaining access to global targets across multiple sectors, including international governments
The subgroup has been observed using unique exploits, tooling, and infrastructure, as well as relying on specific late-stage persistence methods. It is likely employing an opportunistic “mud against the wall” approach to compromise entities at scale. Researchers have also noted an increased reliance on social engineering tactics like phishing or credential harvesting.
Relying on Third-party Web Services
Seashell Blizzard’s targeting strategies have evolved significantly, reflecting a shift in priorities and attack methods. Instead of launching direct cyberattacks against governments and large enterprises, the group increasingly exploits trusted third-party service providers to infiltrate high-value networks through supply chain attacks.
Targeted systems have included those affected by flaws in ScreenConnect, FortiClient EMS, Exchange (CVE-2021-34473), Zimbra (CVE-2022-41352), OpenFire (CVE-2023-32315), TeamCity (CVE-2023-42793), Outlook (CVE-2023-23397), and JBOSS (unknown CVE).
A notable example of this shift was the 2023 attack on a war crimes law firm, suggesting an effort to gather intelligence on legal proceedings against Russian actors. Additionally, the group has expanded its focus beyond traditional government and military targets to include NGOs, think tanks, and legal institutions, broadening its intelligence-gathering efforts.
Another important shift is the increased reliance on social engineering tactics, particularly phishing and credential harvesting, which make initial access harder to detect and mitigate.
Establishing Long-term persistence
“In nearly all cases of successful exploitation, Seashell Blizzard carried out measures to establish long-term persistence on affected systems. This persistent access is noted in at least three cases to have preceded select destructive attacks attributed to Seashell Blizzard, highlighting that the subgroup may periodically enable destructive or disruptive attacks,” Microsoft explains.
The initial access subgroup has used web shells to maintain persistence but began deploying remote management and monitoring (RMM) solutions in early 2024 to ensure persistence and facilitate the deployment of secondary tools for further compromise.
Microsoft has also observed the subgroup making malicious modifications to network resources, such as OWA sign-in pages and DNS configurations, to passively gather network credentials. Additionally, it has injected malicious JavaScript code into legitimate sign-in portals to collect usernames and passwords.
“Given that Seashell Blizzard is Russia’s cyber tip of the spear in Ukraine, Microsoft Threat Intelligence assesses that this access subgroup will continue to innovate new horizontally scalable techniques to compromise networks both in Ukraine and globally in support of Russia’s war objectives and evolving national priorities,” Microsoft notes.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.