Russian APT Sandworm Intensifies Cyber Attacks on Ukraine and Western Allies' Infrastructure
February 12, 2025
Sandworm, known as Military Unit 74455 of Russia's GRU, is a notorious advanced persistent threat (APT) recognized for major cyberattacks, including NotPetya and assaults on Ukraine's power grid.
Since Russia's invasion of Ukraine, Sandworm has intensified its focus on critical infrastructure and military communities in Ukraine, aiming for intelligence gathering and operational disruption.
Recent activities by Sandworm have included campaigns against Denmark's energy sector and multiple attempts to disrupt Ukraine's power grid, with one successful attack following a failed attempt.
Microsoft tracks Sandworm under the codename 'Seashell Blizzard' and has identified a subgroup called 'BadPilot,' which specializes in gaining initial access to high-value organizations.
BadPilot's operations are designed to support larger attacks by Sandworm, aiding Russia's strategic objectives amidst ongoing conflicts, particularly the war in Ukraine.
The subgroup BadPilot targets a variety of sectors, including telecommunications, oil and gas, shipping, arms manufacturing, and foreign government entities across Europe, Central and South Asia, and the Middle East.
Since late 2021, BadPilot has exploited vulnerabilities in email and collaboration platforms, including flaws in Zimbra, Microsoft Exchange, and Microsoft Outlook that carry critical ratings on the Common Vulnerability Scoring System (CVSS).
In early 2024, BadPilot expanded its operations to the US and UK, leveraging vulnerabilities in remote monitoring software, including severe bugs in Fortinet and ConnectWise products.
Once inside a system, BadPilot establishes persistence using custom web shells and legitimate remote management tools, which facilitate credential collection, lateral movement, and data exfiltration.
Experts emphasize the need for critical sectors to enhance their security practices, regularly patch software, and monitor their Internet-facing assets to defend against persistent threats.
Summary based on 1 source
Source

Dark Reading • Feb 11, 2025
Microsoft: Russia's Sandworm APT Exploits Edge Bugs Globally