Source: www.securityweek.com – Author: Ionut Arghire
The Russia-linked threat actor known as Seashell Blizzard has tasked one of its subgroups with obtaining initial access to internet-facing infrastructure and establishing long-term persistence in targeted organizations, Microsoft reports.
Also referred to as APT44, BlackEnergy Lite, Sandworm, Telebots, and Voodoo Bear, Seashell Blizzard has been active since at least 2009, and is believed to be associated with Russia’s General Staff Main Intelligence Directorate (GRU) military unit 74455.
The threat actor is known for engaging in espionage, information operations, and cyber disruptions, such as the destructive KillDisk (2015), MeDoc (2017), NotPetya (2017), FoxBlade (2022), and Prestige (2022) attacks.
Seashell Blizzard targeting of critical infrastructure – including ICS and SCADA systems in the energy, water, government, manufacturing, military, telecommunications, and transportation sectors – has been leveraged in military operations, especially in Ukraine.
“Since at least April 2023, Seashell Blizzard has increased targeting of military communities in the region, likely for tactical intelligence gain. Their persistent targeting of Ukraine suggests Seashell Blizzard is tasked to obtain and retain access to high-priority targets to provide the Russian military and Russian government a range of options for future actions,” Microsoft notes in a Wednesday report.
For the past four years, a subgroup within Seashell Blizzard has been engaged in a broad initial access operation referred to as the ‘BadPilot campaign’, with the purpose of establishing persistence within high-value targets, in support of tailored network operations.
“Active since at least 2021, this subgroup within Seashell Blizzard has leveraged opportunistic access techniques and stealthy forms of persistence to collect credentials, achieve command execution, and support lateral movement that has at times led to substantial regional network compromises,” Microsoft explains.
The subgroup’s activities, the tech giant says, allowed Seashell Blizzard to scale operations horizontally by gaining access to global targets across multiple sectors, including international governments.
Last year, the subgroup expanded its target list to include organizations in the US and the UK, mainly through the exploitation of vulnerabilities in ConnectWise ScreenConnect (CVE-2024-1709) and Fortinet FortiClient EMS (CVE-2023-48788).
The subgroup has been observed using distinctive exploits, tooling, and infrastructure, and relying on specific late-stage methods for persistence, and is likely relying on an opportunistic ‘spray and pray’ approach to compromise organizations at scale.
It relies on direct scanning and third-party web services to discover internet-facing small office/home office (SOHO) and enterprise networks impacted by ScreenConnect, FortiClient EMS, Exchange (CVE-2021-34473), Zimbra (CVE-2022-41352), OpenFire (CVE-2023-32315), TeamCity (CVE-2023-42793), Outlook (CVE-2023-23397), and JBOSS (unknown CVE) flaws.
“In nearly all cases of successful exploitation, Seashell Blizzard carried out measures to establish long-term persistence on affected systems. This persistent access is noted in at least three cases to have preceded select destructive attacks attributed to Seashell Blizzard, highlighting that the subgroup may periodically enable destructive or disruptive attacks,” Microsoft says.
The initial access subgroup has been observed using web shells to maintain persistence, but in early 2024 it started deploying remote management and monitoring (RMM) solutions for persistence and for deploying secondary tools that enabled further compromise.
Microsoft also observed the subgroup making malicious modifications to network resources such as OWA sign-in pages and DNS configurations, to passively gather network credentials, and injecting malicious JavaScript code into legitimate sign-in portals to collect usernames and passwords.
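A defender-side check for the sign-in-page tampering described above, added here as an example and not taken from the article or from Microsoft's report: it records the `<script>` elements of a known-good copy of a portal's logon page (inline script hashes plus an allowlist of external script locations) and then flags any script in a later copy that is not in that baseline. The OWA-like paths, the `cdn.example.invalid` host and both HTML samples are constructed for the example; the function names are my own.

```python
"""Baseline integrity check for a sign-in page (added example, not from the article).

A page that was modified to harvest credentials usually gains either an extra
inline <script> or an extra external loader. This script compares the scripts
in a fetched copy of the page against a recorded baseline and reports anything
unknown. All HTML below is a constructed sample.
"""
import hashlib
import re
from dataclasses import dataclass

# Matches each <script ...>...</script> element; group 1 = attributes, group 2 = body.
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


@dataclass
class Baseline:
    inline_hashes: set        # sha256 of every trusted inline script body
    allowed_src_prefixes: tuple  # trusted locations for external scripts


@dataclass
class Finding:
    kind: str    # "inline" or "external"
    detail: str  # hash of the inline body, or the external src


def _sha256(text: str) -> str:
    return hashlib.sha256(text.strip().encode("utf-8")).hexdigest()


def build_baseline(html: str, allowed_src_prefixes) -> Baseline:
    """Record the inline script hashes of a known-good page plus the allowlist."""
    hashes = set()
    for attrs, body in SCRIPT_RE.findall(html):
        if not SRC_RE.search(attrs):
            hashes.add(_sha256(body))
    return Baseline(hashes, tuple(allowed_src_prefixes))


def find_unexpected_scripts(html: str, baseline: Baseline) -> list:
    """Return a Finding for every script not covered by the baseline."""
    findings = []
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:
            if not src.group(1).startswith(baseline.allowed_src_prefixes):
                findings.append(Finding("external", src.group(1)))
        else:
            digest = _sha256(body)
            if digest not in baseline.inline_hashes:
                findings.append(Finding("inline", digest))
    return findings


# Constructed sample: the logon page as originally deployed.
KNOWN_GOOD = """<html><head>
<script src="/owa/auth/scripts/logon.js"></script>
<script>var gLogon = { lang: "en" };</script>
</head><body><form id="logonForm"></form></body></html>"""

# Constructed sample: the same page after tampering, with one extra external
# loader and one extra inline script (body is a placeholder comment only).
TAMPERED = """<html><head>
<script src="/owa/auth/scripts/logon.js"></script>
<script>var gLogon = { lang: "en" };</script>
<script src="https://cdn.example.invalid/l.js"></script>
<script>/* injected script placeholder: constructed sample */</script>
</head><body><form id="logonForm"></form></body></html>"""

# Hypothetical allowlist: only scripts served from the portal's own auth path.
ALLOWED = ("/owa/auth/",)


def check_samples() -> dict:
    """Run the check over both constructed samples and return the findings."""
    baseline = build_baseline(KNOWN_GOOD, ALLOWED)
    return {
        "known_good": find_unexpected_scripts(KNOWN_GOOD, baseline),
        "tampered": find_unexpected_scripts(TAMPERED, baseline),
    }


if __name__ == "__main__":
    for name, findings in check_samples().items():
        print(name, "->", [(f.kind, f.detail) for f in findings] or "clean")
```

In practice the baseline is built from the page as it leaves change control and the comparison runs on a schedule against the live page (or against the on-disk `.aspx` files), with any finding treated as a change-control violation until explained; the same hash-based comparison extends to DNS zone exports, which the article names as the other resource this subgroup modified.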
“Given that Seashell Blizzard is Russia’s cyber tip of the spear in Ukraine, Microsoft Threat Intelligence assesses that this access subgroup will continue to innovate new horizontally scalable techniques to compromise networks both in Ukraine and globally in support of Russia’s war objectives and evolving national priorities,” the tech giant notes.
Related: Russian Hackers Exploited 7-Zip Zero-Day Against Ukraine
Related: European Union Sanctions Russian Nationals for Hacking Estonia
Related: Russian Cybercrime Network Targeted for Sanctions Across US, UK and Australia
Related: Russian APT Chained Firefox and Windows Zero-Days Against US and European Targets
Original Post URL: https://www.securityweek.com/russian-seashell-blizzard-hackers-gain-maintain-access-to-high-value-targets-microsoft/
Category & Tags: Nation-State, APT44, Featured, Microsoft, Russia, Sandworm, Seashell Blizzard