Microsoft Warns of Sandworm APT Exploiting Edge Bugs Worldwide

Listen to this Post

2025-02-12

Sandworm, a notorious Russian cyber threat group linked to Military Unit 74455 of the Russian GRU (military intelligence), has long been recognized for its devastating attacks, including the NotPetya ransomware, cyber operations during the 2018 Winter Olympics, and major attacks on Ukraine’s power grid. Recently, Microsoft has shed light on a new facet of this group, with their newly identified subgroup “BadPilot.” This new team is focusing on exploiting vulnerabilities in popular platforms, such as Microsoft Outlook and Zimbra, to gain access to high-value organizations globally. Since late 2021, BadPilot’s operations have spread across various critical industries worldwide, from telecommunications to oil and gas. Their ultimate goal is to set the stage for more significant, politically motivated cyber operations.

BadPilot exploits widely known vulnerabilities such as CVE-2022-41352, CVE-2021-34473, and CVE-2023-23397. These high-risk flaws in popular systems have been exploited to compromise organizations in sectors including government, telecommunications, arms manufacturing, and energy. Recently, the group has targeted systems in the U.S. and the U.K., using vulnerabilities in remote monitoring software. After gaining access, BadPilot establishes persistent control through a custom Web shell and continues its attacks through credential theft, lateral movement, and data exfiltration. While it focuses on stealth and agility, its actions often lay the groundwork for larger, more destructive campaigns, particularly in Ukraine.

What Undercode Says:

The rise of “BadPilot” within the Sandworm group represents a shift in cyber-attack strategies, from large-scale disruptive operations to more covert, persistent access tactics. The group has a history of launching high-profile cyberattacks, but this new method suggests a calculated approach, aiming for long-term strategic influence over multiple industries. Microsoft’s analysis of BadPilot highlights a shift towards exploiting common software vulnerabilities, a clear sign that Sandworm is adapting to the evolving cyber threat landscape.

One of the key takeaways from the analysis is the emphasis on how Sandworm uses a “low-profile” approach. Rather than drawing immediate attention with massive disruptions like the NotPetya attack, the subgroup quietly compromises organizations to position itself for future operations. This approach not only makes it harder for victims to detect but also allows the group to gather intelligence on a wide range of industries. By leveraging vulnerabilities in software like Microsoft Exchange and Fortinet’s EMS, Sandworm can infiltrate critical infrastructure worldwide, including in sensitive sectors like energy, telecommunications, and military entities.

The decision to focus on Internet-facing infrastructure and email platforms is a calculated one. These systems are often high-value targets, providing access to confidential communications and sensitive data. Sandworm’s focus on exploiting known vulnerabilities in these systems also shows a shift towards using tools that are already part of an organization’s infrastructure, which reduces the risk of detection and increases the chances of long-term access.

BadPilot’s activity has a clear link to Russia’s broader geopolitical objectives. It has been suggested that the timing of this subgroup’s formation coincided with Russia’s increasing cyber operations in the wake of its invasion of Ukraine. Microsoft’s observations about BadPilot’s role in providing initial access to key targets in Ukraine suggest that the subgroup is not acting on its own but is integrated into Russia’s larger cyber warfare strategy. This coordination between cyber and military operations illustrates the growing interdependence between digital and physical warfare, where cyberattacks act as force multipliers in the real-world conflict.

Another noteworthy aspect is BadPilot’s persistence. It has been operational for more than two years and shows no signs of slowing down. This persistence is a major concern for targeted organizations, as it demonstrates a methodical, long-term approach to cyber espionage and sabotage. For entities in critical sectors such as energy, telecommunications, and government, this means they are not just vulnerable to one-off attacks but to continuous, evolving threats that could go unnoticed for long periods.

The inclusion of advanced persistent threat (APT) techniques like credential harvesting, lateral movement, and the deployment of Tor-based hidden services also highlights the sophistication of BadPilot. While the group may not be using the most cutting-edge zero-day exploits, the persistent nature of its campaigns means that even common vulnerabilities can have devastating consequences if exploited effectively. Organizations that fail to patch their systems regularly or neglect to monitor their assets are prime targets for such attacks.

The ongoing targeting of Ukraine’s infrastructure underscores the geopolitical motivations behind these cyber operations. Sandworm’s cyberattacks, including the three significant operations against Ukraine’s power grid since 2023, are designed to create chaos and disrupt critical services. With the energy, transportation, and telecommunications sectors being frequent targets, these attacks have a broader aim than simple disruption: they seek to undermine national security and degrade the enemy’s ability to function in times of war.

For organizations worldwide, the growing sophistication and persistence of threat groups like Sandworm offer several lessons. First, maintaining up-to-date security measures and patching vulnerabilities is more important than ever. With groups like BadPilot actively searching for known weaknesses, delayed patching and inadequate defenses can give these actors an open door to wreak havoc. Second, organizations must prioritize continuous monitoring of their networks, particularly for any signs of unauthorized access or anomalous behavior that could indicate a stealthy infiltration campaign.

Finally, collaboration between public and private sectors will be crucial in combating these types of advanced cyber threats. Sandworm’s operations highlight the necessity of global cooperation to monitor, share intelligence on, and respond to state-sponsored cyber threats. As the lines between cyber espionage and traditional warfare continue to blur, building stronger, more resilient defenses against persistent APTs like Sandworm should be a top priority for businesses and governments alike.

In conclusion, the rise of BadPilot within Sandworm marks an evolution in Russia’s cyber capabilities, demonstrating their shift from headline-grabbing attacks to a more patient and strategic approach. For businesses in critical sectors, staying vigilant against these ongoing threats is not just necessary—it is vital for ensuring the integrity and security of their operations.

References:

Reported By: https://www.darkreading.com/threat-intelligence/microsoft-russian-sandworm-apt-exploits-edge-bugs-globally
https://www.linkedin.com
Wikipedia: https://www.wikipedia.org
Undercode AI: https://ai.undercodetesting.com

Image Source:

OpenAI: https://craiyon.com
Undercode AI DI v2: https://ai.undercode.helpFeatured Image