A Hacking Group Within Russia's Notorious Sandworm Unit Is Breaching Western Networks


Over the past decade, the Kremlin's most aggressive cyberwar unit, known as Sandworm, has focused its hacking campaigns on tormenting Ukraine, even more so since Russian President Vladimir Putin invaded Russia's neighbor. Now Microsoft is warning that a group within that notorious hacking unit has shifted its targeting, working indiscriminately to breach networks around the world and, over the past year, showing a particular interest in networks in English-speaking Western countries.

On Wednesday, Microsoft's threat intelligence team published new research on a group within Sandworm that the company's analysts are calling BadPilot. Microsoft describes the group as an initial-access operation that focuses on breaching victims' networks and gaining a foothold there before handing that access to other hackers in the larger Sandworm organization. After BadPilot's initial breach, Microsoft said, other Sandworm operators have used its intrusions to move through victims' networks and carry out effects such as stealing information or launching disruptive attacks.

Microsoft describes BadPilot as casting a wide net with a high volume of intrusion attempts and then sorting through the results to focus on specific victims. Over the past three years, the company said, the geography of the group's targeting has evolved: in 2022 it aimed almost exclusively at Ukraine, in 2023 it expanded its hacking to targets across the world, and in 2024 it shifted to home in on victims in the US, UK, Canada and Australia.

"We saw them spread out their efforts on initial access, watch what came back, and then focus on the targets," said Sherrod DeGrippo, director of threat intelligence strategy at Microsoft. "They are picking and choosing what makes sense to focus on. And they are focusing on Western countries."

Microsoft did not name any specific victims of BadPilot's intrusions, but said broadly that the hacker group's targets include the energy, oil and gas, telecommunications, transportation and arms manufacturing sectors, as well as international governments. In at least three cases, Microsoft said, BadPilot's activity led to data-destroying cyberattacks carried out by Sandworm against Ukrainian targets.

As for the more recent focus on Western networks, Microsoft's DeGrippo suggests that the group's interests may be more political in nature. "Global elections are probably one reason for that," DeGrippo said. "I think the changing political context is a motivation to change tactics and change targets."

Over the more than three years that Microsoft has tracked BadPilot, the group has gained access to victims' networks by exploiting known but unpatched vulnerabilities in internet-facing software, including flaws in Microsoft Exchange and Outlook as well as in applications from OpenFire, JetBrains and Zimbra. In its targeting of Western networks over the past year, Microsoft warned, BadPilot has specifically exploited a vulnerability in the remote access tool ConnectWise ScreenConnect and another in Fortinet FortiClient EMS, an application for managing Fortinet's security software on PCs. None of these are zero-days: the common thread is edge-facing software that was left unpatched after a fix was available.

After exploiting those flaws, Microsoft found, BadPilot typically installed software that gave it persistent access to the victim's machine, often legitimate remote access tools such as Atera Agent or Splashtop Remote Services. In some cases, in a more unusual twist, it also configured the victim's computer to run as an onion service on the Tor anonymity network, essentially turning it into a relay server reachable through Tor's collection of proxies so as to hide the hackers' communications with it.
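A hunt for the two persistence patterns described above (a legitimate RMM agent appearing on a host, and Tor being configured as an onion service), written here as an added example and not taken from the article or from Microsoft's report. It assumes endpoint telemetry in a simple key=value line format and access to each host's torrc; the Atera and Splashtop process image names are assumptions to verify against a reference install before alerting on them, and all sample lines are constructed.

```python
"""Flag RMM-agent installs and Tor onion-service configuration in endpoint telemetry.

Added illustration, not code from Microsoft or the article.  Telemetry format,
process names and the sample torrc below are assumptions / constructed input.
"""
import re
from dataclasses import dataclass, field

# ASSUMED image names for the tools named in the article; confirm on a reference host.
RMM_IMAGES = {
    "ateraagent.exe": "Atera Agent",
    "srserver.exe": "Splashtop Remote Service",
    "srservice.exe": "Splashtop Remote Service",
}


@dataclass
class Finding:
    host: str
    kind: str    # "rmm-agent", "tor-process" or "onion-service"
    detail: str


@dataclass
class OnionService:
    directory: str
    ports: list = field(default_factory=list)   # (virtual_port, target) pairs


def parse_torrc(text: str) -> list[OnionService]:
    """Extract onion-service definitions from a torrc.

    A HiddenServiceDir line starts a service; each following HiddenServicePort
    line (VIRTPORT [TARGET]) belongs to it.  Tor defaults TARGET to
    127.0.0.1:VIRTPORT when it is omitted, so we do the same.
    """
    services: list[OnionService] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "HiddenServiceDir":
            services.append(OnionService(value))
        elif key == "HiddenServicePort" and services:
            parts = value.split()
            vport = int(parts[0])
            target = parts[1] if len(parts) > 1 else f"127.0.0.1:{vport}"
            services[-1].ports.append((vport, target))
    return services


# key=value tokens; quoted values may contain spaces (Windows paths, command lines)
EVENT_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    return {k: v.strip('"') for k, v in EVENT_RE.findall(line)}


def hunt(events: list[str], torrcs: dict[str, str]) -> list[Finding]:
    """Return findings for RMM agents, tor.exe launches and onion services."""
    findings: list[Finding] = []
    for line in events:
        ev = parse_event(line)
        if ev.get("event") != "process_create":
            continue
        host = ev.get("host", "?")
        image = ev.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        if image in RMM_IMAGES:
            findings.append(Finding(host, "rmm-agent",
                                    f"{RMM_IMAGES[image]} started by {ev.get('parent', '?')}"))
        elif image == "tor.exe":
            findings.append(Finding(host, "tor-process", ev.get("cmdline", "")))
    for host, text in torrcs.items():
        for svc in parse_torrc(text):
            for vport, target in svc.ports:
                # Any onion service on a workstation is suspect; a target that is
                # not loopback means the host is relaying for something else.
                note = ("exposes a local port over Tor"
                        if target.startswith(("127.0.0.1", "localhost"))
                        else "relays to another host over Tor")
                findings.append(Finding(host, "onion-service",
                                        f"{svc.directory}: {vport} -> {target} ({note})"))
    return findings


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    '2025-02-12T10:01:07Z host=ws-17 event=process_create image="C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe" parent=msiexec.exe',
    '2025-02-12T10:03:21Z host=ws-17 event=process_create image=C:\\Tor\\tor.exe cmdline="tor.exe -f C:\\Tor\\torrc" parent=cmd.exe',
    '2025-02-12T10:04:00Z host=ws-17 event=process_create image=C:\\Windows\\System32\\notepad.exe parent=explorer.exe',
    '2025-02-12T10:05:00Z host=srv-02 event=network_connect image=C:\\Tor\\tor.exe dest=198.51.100.7:9001',
]
SAMPLE_TORRCS = {
    "ws-17": "# constructed torrc\nHiddenServiceDir C:\\Tor\\svc\nHiddenServicePort 3389 127.0.0.1:3389\n",
}

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS, SAMPLE_TORRCS):
        print(f"{f.host:8} {f.kind:14} {f.detail}")
```

The RMM match on its own is noisy in environments that legitimately use Atera or Splashtop, which is exactly why the attackers chose those tools; correlate the install with its parent process, with who authorised the agent, and with any tor.exe or HiddenService configuration on the same host before raising the severity.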
