Russia’s ‘BadPilot’ cyber campaign, linked to state-sponsored hackers, is targeting critical infrastructure worldwide, using sophisticated tactics to evade detection and disrupt operations.
A subgroup of APT44, the Russian state-sponsored hacking group also known as ‘Seashell Blizzard’ or ‘Sandworm,’ has been carrying out a long-term hacking campaign called ‘BadPilot.’ The campaign has been active since at least 2021 and primarily targets organizations in industries such as energy, telecommunications, and arms manufacturing.
Microsoft’s Threat Intelligence team identified the subgroup’s role in securing initial access to targeted systems and maintaining persistence before handing off compromised networks to other APT44 subgroups for further exploitation.
Since Russia's 2022 invasion of Ukraine, the hackers have increased their attacks on infrastructure supporting the Ukrainian government, military, transportation, and logistics sectors. Their tactics include spying, disrupting operations, and wiping data. According to Microsoft, they have carried out at least three destructive cyberattacks in Ukraine since 2023.
In 2023, their attacks expanded beyond Ukraine, targeting major organizations in Europe, the U.S., and the Middle East. Expansion continued in 2024, reaching the U.K., Canada, and Australia.
The hackers break into systems through vulnerabilities in internet-connected infrastructure, credential theft, and supply chain attacks. Compromising IT service providers allows them to access multiple downstream clients, making their attacks more widespread.
Microsoft identified several exploited vulnerabilities, including:
Once inside, the group maintains access by installing a hidden backdoor called a web shell: a small program placed on a compromised web server that lets the attackers control the system remotely. A custom version called ‘LocalOlive’ lets them execute commands, upload files, and move through the network undetected. To avoid suspicion, they also use legitimate IT tools such as Atera Agent and Splashtop Remote Services, which are commonly used for remote tech support. Relying on everyday tools helps them blend in with normal network activity, making detection more difficult.
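The two persistence signals described above (a web shell, and legitimate remote-management tools appearing where they were never deployed) can both be caught in process-creation telemetry. The following is an added defender-side example, not code from the article or from Microsoft; the key=value log format and the agent process names are assumptions, and the sample events are constructed.

```python
import re

# Constructed log format (assumption): one process-creation event per line, key=value pairs.
LINE_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Web server processes that have no business launching an interactive shell.
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd", "nginx", "apache2", "php-fpm"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash"}
# Remote-management agents named in the article. Process names are assumptions;
# check them against your own software inventory before deploying this rule.
RMM_AGENTS = {"ateraagent.exe": "Atera Agent", "srservice.exe": "Splashtop Remote Services"}


def parse(line):
    """Turn one key=value log line into a dict, stripping quotes from quoted values."""
    return {k: v.strip('"') for k, v in LINE_RE.findall(line)}


def scan(lines, rmm_allowed_hosts):
    """Return (host, reason) findings for web-shell and unexpected-RMM signals."""
    findings = []
    for line in lines:
        ev = parse(line)
        host = ev.get("host", "?")
        parent = ev.get("parent", "").lower()
        image = ev.get("image", "").lower()
        # Signal 1: a web server process spawning a shell is the classic web-shell footprint.
        if parent in WEB_SERVER_PARENTS and image in SHELLS:
            findings.append((host, f"web server {parent} spawned {image}"))
        # Signal 2: an RMM agent starting on a host the help desk never approved for it.
        if image in RMM_AGENTS and host not in rmm_allowed_hosts:
            findings.append((host, f"{RMM_AGENTS[image]} started on non-approved host"))
    return findings


# Constructed sample events: one web-shell hit, one benign ASP.NET compile, one rogue
# Atera install, one approved Atera install, one unrelated process.
SAMPLE_LOGS = [
    'host=web01 parent=w3wp.exe image=cmd.exe cmdline="cmd.exe /c whoami"',
    'host=web01 parent=w3wp.exe image=csc.exe cmdline="csc.exe /out:App_Web.dll"',
    'host=hr-pc7 parent=msiexec.exe image=AteraAgent.exe cmdline="AteraAgent.exe"',
    'host=helpdesk1 parent=services.exe image=AteraAgent.exe cmdline="AteraAgent.exe"',
    'host=db02 parent=explorer.exe image=notepad.exe cmdline="notepad.exe"',
]
APPROVED_RMM_HOSTS = {"helpdesk1"}

if __name__ == "__main__":
    for host, reason in scan(SAMPLE_LOGS, APPROVED_RMM_HOSTS):
        print(f"[ALERT] {host}: {reason}")
```

The allow-list is the important part: the same agent that is an expected tool on a help-desk workstation is a finding on a server that never had remote support installed.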
The BadPilot campaign isn’t just about stealing information or disrupting operations; it’s a long-term strategy to weaken infrastructure, erode trust, and exploit vulnerabilities before they’re even discovered. Russian-backed hackers are not looking for quick wins. They are embedding themselves in networks, learning systems inside out, and waiting for the right moment to act. This isn’t just an IT problem. It’s a test of resilience for governments, businesses, and industries that rely on digital stability to function. Staying secure means treating every system as a potential target and assuming the threats could come from inside.
Unlike typical cyberattacks, ‘BadPilot’ is a long-term, state-backed campaign designed for espionage, disruption, and potential large-scale infrastructure sabotage.
Microsoft’s Threat Intelligence team monitors APT44’s activities, identifies exploited vulnerabilities, and provides security guidance to affected organizations.
Major conflicts, such as Russia’s invasion of Ukraine, often trigger increased cyber operations targeting infrastructure, government entities, and allied nations.
Unlike ransomware groups, APT44’s attacks prioritize espionage, sabotage, and geopolitical influence rather than direct financial gain.
Nations are ramping up cybersecurity initiatives, enforcing stricter regulations, sanctioning state-backed hackers, and collaborating on intelligence-sharing to mitigate risks.