Russian Seashell Blizzard Hackers Gain, Maintain Access to High-Value Targets: Microsoft

Summary: Microsoft reports that the Russia-linked threat actor Seashell Blizzard has intensified its operations through a subgroup focused on initial access and long-term persistence in a range of organizations. This subgroup, active since at least 2021, has exploited a range of vulnerabilities to target critical infrastructure and military entities, particularly in Ukraine, while also expanding its efforts to targets in the US and UK. The actors use sophisticated exploitation and persistence techniques, thereby supporting Russian military objectives.

Affected: Critical infrastructure and various organizations globally

Key points:

  • Seashell Blizzard has a history of cyber espionage and disruption, linked to military operations particularly in Ukraine.
  • The ‘BadPilot campaign’ focuses on establishing persistence in high-value targets using opportunistic access techniques.
  • Exploited vulnerabilities include those in ConnectWise ScreenConnect and Fortinet FortiClient EMS, enabling extensive network compromises.
  • The subgroup has adopted measures for long-term access, including web shells and modifications to network resources, in order to gather credentials and facilitate further attacks.

Source: https://www.securityweek.com/russian-seashell-blizzard-hackers-gain-maintain-access-to-high-value-targets-microsoft/