Russian Sandworm Subgroup Expands Global Cyberattack Campaign
Microsoft warns of 'BadPilot,' a Russian hacking operation targeting critical sectors in Western nations and beyond since 2021.
- The 'BadPilot' campaign, run by a subgroup of Russia's Sandworm group, has been active since at least 2021. It initially targeted Ukraine, broadened its targeting globally in 2023, and concentrated on Western nations in 2024.
- BadPilot specializes in initial system breaches, enabling other Sandworm units to conduct espionage, data theft, and destructive cyberattacks.
- Critical sectors targeted include energy, telecommunications, shipping, arms manufacturing, and government infrastructure in the US, UK, Canada, and Australia.
- The group gains its footholds by exploiting publicly known, already-patched vulnerabilities in widely used internet-facing software, such as Microsoft Exchange, Zimbra, and Fortinet products, then works to establish persistent control of the network. The exposure is therefore unpatched edge infrastructure, and the first check for a defender is whether any of these products are reachable from the internet at a version that predates the relevant fixes.
- Microsoft has observed techniques such as routing command-and-control traffic through Tor (so the compromised host reaches back to the attacker without an obviously hostile destination) and installing legitimate remote-management tools, both of which blend into normal IT activity to evade detection and preserve long-term access.
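The two persistence behaviours in the last bullet, a Tor client configured as a hidden service and a legitimate remote-management agent, are both detectable from ordinary process-creation and service-install telemetry. The script below is an added example written for this page, not code from Microsoft's report or from the Sandworm tooling; the log lines and torrc are constructed, the field names follow a generic Sysmon-style schema that is an assumption, and the remote-management watchlist is illustrative and should be replaced by the organisation's own list.

```python
"""Added example (not from the article): triage constructed process-creation
and service-install events for Tor-based persistence and for remote-management
agents, and parse a torrc to see which internal services a hidden service
would expose. Field names are an assumed generic schema, not a real product's.
"""
import json
import re
from typing import Iterable

# Assumed watchlist of remote-management agent binaries. The article only says
# "legitimate IT tools"; these lower-cased names are illustrative placeholders
# to be replaced by the organisation's own approved/unapproved list.
REMOTE_MGMT_AGENTS = {"anydesk.exe", "teamviewer.exe", "ateraagent.exe"}

# Tor hidden-service directives, whether in a torrc or passed on the command line.
TOR_HS_RE = re.compile(r"HiddenService(Dir|Port)\b", re.IGNORECASE)
# "-f <path>torrc": the Tor config-file switch, a giveaway even for a renamed binary.
TORRC_RE = re.compile(r"(^|\s)-f\s+\S*torrc\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the detection tags that apply to one event (empty if nothing matched)."""
    tags = []
    image = basename(event.get("image", ""))
    cmdline = event.get("cmdline", "")
    # Tor itself: by file name, by its config-file switch, or by hidden-service options.
    if image == "tor.exe" or TORRC_RE.search(cmdline) or TOR_HS_RE.search(cmdline):
        tags.append("tor_client")
    if TOR_HS_RE.search(cmdline):
        tags.append("tor_hidden_service")
    # Tor registered as an auto-start service: persistence across reboots.
    if event.get("event") == "service_install" and event.get("start") == "auto" and image == "tor.exe":
        tags.append("tor_persistence")
    if image in REMOTE_MGMT_AGENTS:
        tags.append("remote_mgmt_tool")
    return tags


def scan(lines: Iterable[str]) -> list:
    """Parse JSON-lines events and return (line_no, tags) for every line that fired."""
    hits = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        tags = classify(json.loads(line))
        if tags:
            hits.append((n, tags))
    return hits


def hidden_service_ports(torrc: str) -> list:
    """Extract (virtual_port, target) pairs from a torrc: the internal services that a
    hidden service would make reachable from the Tor network."""
    pairs = []
    for raw in torrc.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) == 3 and parts[0].lower() == "hiddenserviceport":
            pairs.append((parts[1], parts[2]))
    return pairs


# Constructed sample events (not real telemetry). Line 3 is benign; line 5 is a
# renamed Tor binary that is still caught by its hidden-service options.
SAMPLE_LOG = r"""
{"event": "process_create", "image": "C:\\ProgramData\\svc\\tor.exe", "cmdline": "tor.exe -f C:\\ProgramData\\svc\\torrc", "parent": "services.exe"}
{"event": "service_install", "service_name": "WinSvcHost", "image": "C:\\ProgramData\\svc\\tor.exe", "start": "auto"}
{"event": "process_create", "image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs", "parent": "services.exe"}
{"event": "process_create", "image": "C:\\Program Files\\Atera Networks\\AteraAgent\\AteraAgent.exe", "cmdline": "AteraAgent.exe", "parent": "services.exe"}
{"event": "process_create", "image": "C:\\Users\\public\\updater.exe", "cmdline": "updater.exe --HiddenServiceDir C:\\Users\\public\\hs --HiddenServicePort 3389 127.0.0.1:3389", "parent": "cmd.exe"}
"""
SAMPLE_EVENTS = SAMPLE_LOG.strip().splitlines()

# Constructed torrc: exposes the host's RDP and SSH ports to the Tor network.
SAMPLE_TORRC = """\
HiddenServiceDir C:\\ProgramData\\svc\\hs
HiddenServicePort 3389 127.0.0.1:3389   # RDP
HiddenServicePort 22 127.0.0.1:22       # SSH
"""


def scan_sample() -> list:
    """Run the detector over the constructed events."""
    return scan(SAMPLE_EVENTS)


if __name__ == "__main__":
    for line_no, tags in scan_sample():
        print(f"line {line_no}: {', '.join(tags)}")
    print("exposed via hidden service:", hidden_service_ports(SAMPLE_TORRC))
```

The renamed-binary case in the last sample line is the one worth keeping: matching only on `tor.exe` misses it, whereas the hidden-service directives on the command line do not. The torrc parser answers the follow-up question an incident responder asks first, namely which internal services (here RDP and SSH) the attacker had made reachable from the Tor network.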