Sandworm APT’s initial access subgroup hits organizations across the globe


A subgroup of Russia’s Sandworm APT has been working to achieve initial and persistent access to the IT networks of organizations working in economic sectors Russia is interested in.

“In 2022, its primary focus was Ukraine, specifically targeting the energy, retail, education, consulting, and agriculture sectors. In 2023, it globalized the scope of its compromises, leading to persistent access within numerous sectors in the United States, Europe, Central Asia, and the Middle East,” Microsoft’s researchers have shared on Wednesday.

“In 2024, while the exposure of multiple vulnerabilities likely offered the subgroup more access than ever, it appeared to have honed its focus to the United States, Canada, Australia, and the United Kingdom.”

The subgroup’s targets span the world (Source: Microsoft)

About Sandworm

Sandworm (tracked by Microsoft as “Seashell Blizzard”) is a threat group that researchers have attributed to Unit 74455 of Russia’s military intelligence service (GRU).

The group has carried out destructive attacks, including those involving the KillDisk and NotPetya wiper malware.

In 2020, the US unsealed an indictment against six GRU officers believed to be Sandworm members.

The tactics, techniques, and procedures (TTPs) of the Sandworm initial access subgroup

The subgroup uses public internet scan databases to find targets’ vulnerable internet-facing infrastructure, which it then exploits for initial access. They have been known to leverage the following vulnerabilities:

For persistence, the subgroup initially deployed web shells. In early 2024, it also began installing and leveraging legitimate remote monitoring and management (RMM) tools such as Atera Agent and Splashtop Remote Services.

The RMM tools then served as a channel for deploying secondary tools used to steal and exfiltrate credentials.


The subgroup’s operational lifecycle (Source: Microsoft)

“Among a subgroup of victims, Seashell Blizzard carried out unique post-compromise activity, indicating that the threat actor sought more durable persistence and direct access. In these cases, Seashell Blizzard deployed OpenSSH with a unique public key, allowing them to access compromised systems using an actor-controlled account and credential,” Microsoft says.
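As an added example (not part of Microsoft’s report or tooling), the following Python script audits an OpenSSH authorized_keys file against an allowlist of key fingerprints, which is the host-side check this persistence method calls for: an actor-added key shows up as a fingerprint nobody provisioned. The sample authorized_keys content, its key blobs and the allowlist are constructed placeholders; point audit_file at a real file (for example /root/.ssh/authorized_keys, or %ProgramData%\ssh\administrators_authorized_keys on a Windows host where OpenSSH has been installed) together with the fingerprints your configuration management actually deploys.

```python
"""Audit an OpenSSH authorized_keys file against an allowlist of key fingerprints.

Added example, not Microsoft's code or tooling. Fingerprints are computed the
way `ssh-keygen -lf` prints them (SHA256 over the raw key blob, base64 without
'=' padding), so an allowlist can be built from that command's output.
The sample authorized_keys content and its key blobs are constructed placeholders.
"""
import base64
import hashlib
import shlex

# Key types OpenSSH accepts in authorized_keys (the common ones).
KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


def fingerprint(blob_b64: str) -> str:
    """SHA256:<unpadded base64> fingerprint of a base64-encoded key blob."""
    raw = base64.b64decode(blob_b64, validate=True)
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list[dict]:
    """One dict per non-comment line: options, key type, fingerprint, comment.

    Lines that do not parse as a key are kept with an 'error' field so they are
    surfaced rather than silently skipped.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entry = {"line": lineno, "raw": line}
        try:
            fields = shlex.split(line)  # keeps command="..." option values intact
        except ValueError:
            entries.append({**entry, "error": "unbalanced quotes"})
            continue
        options = ""
        if fields and fields[0] not in KEY_TYPES:
            options, fields = fields[0], fields[1:]  # leading options string
        if len(fields) < 2 or fields[0] not in KEY_TYPES:
            entries.append({**entry, "error": "not a recognised key line"})
            continue
        try:
            fp = fingerprint(fields[1])
        except ValueError:  # binascii.Error is a ValueError subclass
            entries.append({**entry, "error": "key blob is not valid base64"})
            continue
        entries.append({**entry, "options": options, "type": fields[0],
                        "fingerprint": fp, "comment": " ".join(fields[2:])})
    return entries


def find_unapproved(text: str, approved: set[str]) -> list[dict]:
    """Entries whose fingerprint is not on the allowlist, plus unparseable lines."""
    return [e for e in parse_authorized_keys(text) if e.get("fingerprint") not in approved]


def audit_file(path: str, approved: set[str]) -> list[dict]:
    """Run the audit on a real authorized_keys file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_unapproved(fh.read(), approved)


# Constructed sample data: the blobs are base64 of placeholder bytes, not real keys.
ADMIN_BLOB = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519" + b"\x01" * 36).decode()
BACKUP_BLOB = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"\x02" * 64).decode()
ROGUE_BLOB = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519" + b"\x03" * 36).decode()

SAMPLE_AUTHORIZED_KEYS = f"""\
# deployed by configuration management (constructed sample)
ssh-ed25519 {ADMIN_BLOB} admin@bastion
command="/usr/local/bin/backup",no-pty,no-port-forwarding ssh-rsa {BACKUP_BLOB} backup@nas
ssh-ed25519 {ROGUE_BLOB} svc
this line is not a key
"""

# Allowlist: fingerprints of the keys configuration management is known to deploy.
APPROVED = {fingerprint(ADMIN_BLOB), fingerprint(BACKUP_BLOB)}

if __name__ == "__main__":
    for e in find_unapproved(SAMPLE_AUTHORIZED_KEYS, APPROVED):
        detail = e.get("error") or f"unapproved {e['type']} {e['fingerprint']} ({e['comment']})"
        print(f"line {e['line']}: {detail}")
```

Unparseable lines are reported on purpose: a line an auditor cannot parse is exactly the kind of thing an intruder may leave behind, and sshd's own parsing of malformed lines is not what you want to rely on during an incident.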

For added persistence, the subgroup also registered compromised systems as Tor hidden services, a technique Microsoft dubbed ShadowLink.

“Systems compromised with ShadowLink receive a unique .onion address, making them remotely accessible via the Tor network. This capability allows Seashell Blizzard to bypass common exploit patterns of deploying a RAT, which commonly leverages some form of C2 to actor-controlled infrastructure that are often easily audited and identified by network administrators,” the researchers explained.

“Instead, by relying on Tor hidden services, the compromised system creates a persistent circuit to the Tor network, acting as a covert tunnel, effectively cloaking all inbound connections to the affected asset and limiting exposures from both the actor and victim environment.”
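As an added example that is not Microsoft’s code, the Python script below parses a torrc and lists the hidden services it defines, flagging any that forward the .onion port to a local remote-administration service (SSH, RDP, WinRM, SMB). On a server that has no business running Tor, any HiddenServiceDir is a finding; the port check narrows that to the ShadowLink-style use of a hidden service as a covert inbound tunnel. The torrc content is constructed, and the path you hand to audit_torrc (for example /etc/tor/torrc, or the torrc sitting next to an unexpected tor binary on a Windows host) is an assumption about where the actor’s copy lives.

```python
"""Find Tor hidden services in a torrc that expose remote-administration ports.

Added example, not Microsoft's tooling. Parses the HiddenServiceDir /
HiddenServicePort directives the way tor groups them (each port line belongs
to the most recent HiddenServiceDir). The sample torrc is constructed.
"""
import os

# Target ports whose exposure as an onion service on a server is a strong signal.
REMOTE_ADMIN_PORTS = {22: "ssh", 23: "telnet", 445: "smb", 3389: "rdp",
                      5985: "winrm", 5986: "winrm-https"}

# Constructed sample torrc (not a real capture). Directive names are
# case-insensitive and '#' starts a comment, as tor itself parses them.
SAMPLE_TORRC = """\
# constructed sample
SocksPort 0
hiddenservicedir /var/lib/tor/svc_hs
HiddenServiceVersion 3
HiddenServicePort 3389 127.0.0.1:3389
HiddenServicePort 22 127.0.0.1:22   # inline comment
HiddenServiceDir /var/lib/tor/web_hs
HiddenServicePort 80
HiddenServicePort 8080 unix:/run/app.sock
"""


def _target_port(target: str):
    """Port number of a HiddenServicePort target, or None for unix sockets."""
    if target.startswith("unix:"):
        return None
    _host, _, port = target.rpartition(":")  # handles ip:port, [v6]:port, bare port
    return int(port) if port.isdigit() else None


def parse_hidden_services(torrc_text: str) -> list[dict]:
    """Return [{'dir': ..., 'ports': [{'virtport', 'target', 'target_port'}]}]."""
    services = []
    current = None
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (quoted '#' is rare in torrc)
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "hiddenservicedir":
            current = {"dir": value, "ports": []}
            services.append(current)
        elif key == "hiddenserviceport" and value:
            if current is None:
                continue  # tor rejects a port line with no preceding dir
            tokens = value.split()
            virtport = int(tokens[0])
            # Without an explicit target tor forwards to 127.0.0.1 on the same port.
            target = tokens[1] if len(tokens) > 1 else f"127.0.0.1:{virtport}"
            current["ports"].append({"virtport": virtport, "target": target,
                                     "target_port": _target_port(target)})
    return services


def find_exposed_admin_services(services: list[dict]) -> list[dict]:
    """Hidden-service port mappings whose local target is a remote-admin service."""
    findings = []
    for svc in services:
        for p in svc["ports"]:
            label = REMOTE_ADMIN_PORTS.get(p["target_port"])
            if label:
                findings.append({"dir": svc["dir"], "service": label,
                                 "virtport": p["virtport"], "target": p["target"]})
    return findings


def onion_address(service_dir: str):
    """The .onion name tor writes to <dir>/hostname once the service exists, if readable."""
    try:
        with open(os.path.join(service_dir, "hostname"), encoding="ascii") as fh:
            return fh.read().strip()
    except OSError:
        return None


def audit_torrc(path: str) -> list[dict]:
    """Run the check against a torrc on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_exposed_admin_services(parse_hidden_services(fh.read()))


if __name__ == "__main__":
    for f in find_exposed_admin_services(parse_hidden_services(SAMPLE_TORRC)):
        onion = onion_address(f["dir"]) or "<hostname file not readable>"
        print(f"{f['dir']} ({onion}): onion port {f['virtport']} -> {f['target']} [{f['service']}]")
```

The hostname file is worth collecting when it is present: it holds the .onion address the actor would have been connecting to, which is evidence you can correlate across hosts even though the Tor traffic itself shows nothing useful on the wire.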

The group also modified network resources such as Outlook Web Access (OWA) sign-in pages (to harvest credentials for lateral movement) and DNS configurations (possibly to intercept credentials bound for critical authentication services).

Setting the stage for future attacks

The subgroup has likely used a “spray and pray” approach to achieve compromises and has also compromised organizations that have limited or no utility to Russia’s strategic interests, according to Microsoft researchers. “In cases where a strategically significant target is compromised, we have observed significant later post-compromise activity.”

Among the actual targets were organizations in the energy, oil and gas, telecommunications, shipping, and arms manufacturing sectors, as well as international governments.

“This subgroup, which is characterized within the broader Seashell Blizzard organization by its near-global reach, represents an expansion in both the geographical targeting conducted by Seashell Blizzard and the scope of its operations. At the same time, Seashell Blizzard’s far-reaching, opportunistic access methods likely offer Russia expansive opportunities for niche operations and activities that will continue to be valuable over the medium term,” the researchers pointed out.

Microsoft has released indicators of compromise, mitigation and protection guidance, detections and alerts pointing to possible Seashell Blizzard activity, as well as threat hunting queries.



