A hacker group within Russia’s infamous Sandworm unit is breaching Western networks
Sandworm, the Kremlin’s most aggressive cyberwar force of the past decade, has concentrated its hacking campaigns on Ukraine since Russian President Vladimir Putin’s full-scale invasion of his country’s neighbor. Now Microsoft warns that a team within the infamous hacking group has shifted targets, indiscriminately breaching networks around the world, and over the past year has shown particular interest in networks in English-speaking Western countries.
On Wednesday, Microsoft’s Threat Intelligence team published new research on a group within Sandworm that the company’s analysts call BadPilot. Microsoft describes the team as an “initial access operation,” focused on breaching victim networks and gaining a foothold before handing that access to other hackers within Sandworm’s larger organization. After BadPilot’s initial breach, those other Sandworm hackers use the intrusions to move through victim networks and carry out follow-on actions such as stealing information and launching cyberattacks, Microsoft says.
Microsoft explains that BadPilot launches large numbers of intrusion attempts, casting a wide net, then sorts through the results and focuses on particular victims. The company says the group’s geographic targeting has evolved over the past three years: in 2022 it aimed almost entirely at Ukraine, in 2023 it expanded its hacking to networks around the world, and in 2024 it moved on to victims in the US, UK, Canada and Australia.
“They blow away their initial access attempts, see what’s coming back, and then we see them focus on the targets they like,” says Sherrod DeGrippo, director of strategy at Microsoft. “They choose what makes sense to focus on, and they’re focusing on those Western countries.”
Microsoft did not name any particular victims of BadPilot’s intrusions, but it states broadly that the hacker group’s targets include “energy, oil, gas, communications, shipping, weapons manufacturing,” and “international government.” Microsoft said that on at least three occasions BadPilot’s operations led to data-destroying cyberattacks that Sandworm carried out against Ukrainian targets.
As for the recent focus on Western networks, Microsoft’s DeGrippo suggests that the group’s interests are more likely to be political. “Global elections are probably the reason,” DeGrippo says. “I think the changing political landscape is a motivator that changes tactics and changes goals.”
Over the three years Microsoft has tracked BadPilot, the group has attempted to gain access to victim networks using known vulnerabilities in internet-facing software such as Zimbra. In its targeting of Western networks last year in particular, Microsoft warns, BadPilot leveraged vulnerabilities in the remote access tool ConnectWise ScreenConnect and in Fortinet FortiClient EMS, an application for centrally managing Fortinet security software on PCs.
After exploiting those vulnerabilities, Microsoft found, BadPilot typically installs legitimate remote access tools such as the Atera agent and Splashtop Remote Service to maintain persistent access to victim machines. In some cases, with a more unusual twist, it sets up the victim’s computer to run as a so-called onion service on the Tor anonymity network, essentially turning it into a server that communicates through Tor’s collection of proxy machines.
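As an added illustration, not code from Microsoft’s report or from this article, the following Python sketch shows how a defender might scan endpoint telemetry for the persistence pattern described above: a commodity RMM agent appearing on a host alongside Tor onion-service configuration. The sample events are constructed, and the process and file names for the Atera and Splashtop agents are assumptions rather than values from the report; HiddenServiceDir and HiddenServicePort are the real torrc directives that define an onion service.

```python
import re
from collections import defaultdict

# Constructed endpoint telemetry, one event per line: "<host> <event_kind> <detail>".
# Process and file names for the RMM agents are assumptions, not from the report.
SAMPLE_EVENTS = [
    "host01 process_start C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe",
    "host01 process_start C:\\Users\\Public\\tor\\tor.exe -f C:\\Users\\Public\\torrc",
    "host01 file_write C:\\Users\\Public\\torrc HiddenServiceDir C:\\Users\\Public\\hs HiddenServicePort 3389 127.0.0.1:3389",
    "host02 process_start C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRServer.exe",
    "host03 process_start C:\\Windows\\System32\\svchost.exe -k netsvcs",
]

# RMM tools named in the report. An organisation that legitimately uses one
# passes its name in `approved` so it is not flagged on its own.
RMM_PATTERNS = {
    "Atera": re.compile(r"AteraAgent", re.I),
    "Splashtop": re.compile(r"Splashtop", re.I),
}
TOR_PROCESS = re.compile(r"\btor\.exe\b", re.I)
# HiddenServiceDir / HiddenServicePort are the torrc directives that turn a host into an onion service.
ONION_SERVICE_CFG = re.compile(r"\bHiddenService(Dir|Port)\b", re.I)


def score_events(events, approved=frozenset()):
    """Map each host to a sorted list of findings. A host that shows an
    unapproved RMM agent together with onion-service config gets an ALERT."""
    findings = defaultdict(set)
    for line in events:
        host, kind, detail = line.split(" ", 2)
        for name, pat in RMM_PATTERNS.items():
            if name not in approved and pat.search(detail):
                findings[host].add(f"rmm:{name}")
        if kind == "process_start" and TOR_PROCESS.search(detail):
            findings[host].add("tor:process")
        if kind == "file_write" and ONION_SERVICE_CFG.search(detail):
            findings[host].add("tor:onion-service-config")
    # Correlate: RMM persistence plus an onion service on the same host is the combination to escalate.
    for host, f in findings.items():
        if any(x.startswith("rmm:") for x in f) and "tor:onion-service-config" in f:
            f.add("ALERT:rmm+onion-service")
    return {h: sorted(f) for h, f in findings.items()}


if __name__ == "__main__":
    for host, f in score_events(SAMPLE_EVENTS).items():
        print(host, f)
```

Real deployments would feed this from EDR process-creation and file-write events and tune the approved list to the RMM tools the organisation actually licenses.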