Attacks leveraging several known security vulnerabilities have been deployed across more than 15 countries.

As part of a multi-year campaign named ‘BadPilot’, a subgroup of the Sandworm operation compromised organisations in the U.S., Canada, Australia, and the UK. This involved the exploitation of ConnectWise ScreenConnect and Fortinet FortiClient EMS flaws last year, a report from the Microsoft Threat Intelligence team revealed.

Initial compromise has been followed with either malicious JavaScript code injections for credential theft, LocalOlive web shell delivery for further payload retrieval, or remote access software distribution for additional compromise.

Named ‘Seashell Blizzard’, the group has been described as a high-impact threat actor, linked to the Russian Federation that conducts global activities on behalf of Russian Military Intelligence Unit 74455 (GRU).

Its operations have ranged from espionage to information operations and cyber-enabled disruptions, usually in the form of destructive attacks and manipulation of industrial control systems.

Over the past three years, the group’s activity has covered the following geographical verticals:

• 2022: Energy, retail, education, consulting, and agriculture sectors in Ukraine

• 2023: Sectors in the United States, Europe, Central Asia, and the Middle East that provided material support to the war in Ukraine or were geopolitically significant

• 2024: Entities in the United States, Canada, Australia, and the United Kingdom

Simon Phillips, CTO of SecureAck, said this discovery is alarming for UK organisations as it highlights how Russian state-sponsored actors are exploiting CVEs to infiltrate networks, conduct surveillance and launch attacks.

“The real concern is that these operations remained largely unnoticed until Microsoft published these findings,” he said.

“The exploitation tactics reaffirm a growing uptake in exploitation of internet-facing infrastructure for gaining access to enterprise networks, and organisations must use this as a catalyst to strengthen their patch management.

The threat landscape has evolved beyond script kiddies and financially driven attackers; state-sponsored actors are now a serious reality.”

Dan Raywood Senior Editor SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.