
A Hacker Group Within Russia's Notorious Sandworm Unit Is Breaching Western Networks
On Wednesday, Microsoft's threat intelligence team published new research into a group within Sandworm that the company's analysts are calling BadPilot. Microsoft describes the team as an 'initial access operation' focused on breaching and gaining a foothold in victim networks before handing off that access to other hackers within Sandworm's larger organization, which security researchers have for years identified as a unit of Russia's GRU military intelligence agency. After BadPilot's initial breaches, other Sandworm hackers have used its intrusions to move within victim networks and carry out effects such as stealing information or launching cyberattacks, Microsoft says.
Microsoft describes BadPilot as initiating a high volume of intrusion attempts, casting a wide net and then sorting through the results to focus on particular victims. Over the last three years, the company says, the geography of the group's targeting has evolved: In 2022, it set its sights almost entirely on Ukraine, then broadened its hacking in 2023 to networks worldwide, and then shifted again in 2024 to home in on victims in the US, the UK, Canada and Australia.
'We see them spraying out their attempts at initial access, seeing what comes back, and then focusing on the targets they like,' says Sherrod DeGrippo, Microsoft's director of threat intelligence strategy. 'They're picking and choosing what makes sense to focus on. And they are focusing on those Western countries.'
Microsoft didn't name any specific victims of BadPilot's intrusions, but broadly stated that the hacker group's targets have included 'energy, oil and gas, telecommunications, shipping, arms manufacturing,' and 'international governments.' On at least three occasions, Microsoft says, its operations have led to data-destroying cyberattacks carried out by Sandworm against Ukrainian targets.
As for the more recent focus on Western networks, Microsoft's DeGrippo hints that the group's interests have likely been more related to politics. 'Global elections are probably a reason for that,' DeGrippo says. 'That changing political landscape, I think, is a motivator to change tactics and to change targets.'
Over the more than three years that Microsoft has tracked BadPilot, the group has sought to gain access to victim networks using known but unpatched vulnerabilities in internet-facing software, exploiting hackable flaws in Microsoft Exchange and Outlook, as well as applications from OpenFire, JetBrains, and Zimbra. In its targeting of Western networks over the last year in particular, Microsoft warns that BadPilot has specifically exploited a vulnerability in the remote access tool Connectwise ScreenConnect and Fortinet FortiClient EMS, another application for centrally managing Fortinet's security software on PCs.
After exploiting those vulnerabilities, Microsoft found that BadPilot typically installs software that gives it persistent access to a victim machine, often using legitimate remote access tools like Atera Agent or Splashtop Remote Services. In some cases, in a less common twist, it also sets up a victim's computer to run as a so-called onion service on the Tor anonymity network, essentially turning it into a server that communicates via Tor's collection of proxy machines to hide its communications.
Another, separate report Tuesday from the cybersecurity firm EclecticIQ pointed to an entirely distinct hacking campaign that the firm also ties to Sandworm. Since late 2023, EclecticIQ found, the hacker group has used a malware-infected Windows piracy tool, distributed via BitTorrent, to breach Ukrainian government networks. In those cases, EclecticIQ found, the hackers have installed a remote access tool called Dark Crystal RAT to carry out cyberespionage.
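The persistence indicators Microsoft describes above (legitimate RMM agents such as Atera and Splashtop, and a host reconfigured as a Tor onion service) are the kind of thing a defender can triage from a service inventory and a torrc file. The following is an added illustrative script, not code from Microsoft or the report; the service-name substrings and the sample inventory are constructed assumptions.

```python
"""Triage helper: flag persistence indicators attributed to BadPilot.
Added example, not Microsoft's code; name patterns are assumptions."""
import re
from dataclasses import dataclass

# Remote access tools named in the report. The substrings used to match
# their Windows service names are assumptions for illustration.
RMM_PATTERNS = {
    "Atera Agent": re.compile(r"atera", re.IGNORECASE),
    "Splashtop Remote Services": re.compile(r"splashtop", re.IGNORECASE),
}

@dataclass
class Finding:
    host: str
    indicator: str
    evidence: str

def check_services(host: str, services: list[str]) -> list[Finding]:
    """Flag installed services that match the RMM tools from the report."""
    findings = []
    for svc in services:
        for label, pat in RMM_PATTERNS.items():
            if pat.search(svc):
                findings.append(Finding(host, f"RMM tool present: {label}", svc))
    return findings

def check_torrc(host: str, torrc_text: str) -> list[Finding]:
    """Flag a torrc that configures an onion service (HiddenServiceDir/Port)."""
    findings = []
    for line in torrc_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):  # commented-out directives are inert
            continue
        if stripped.startswith(("HiddenServiceDir", "HiddenServicePort")):
            findings.append(Finding(host, "Tor onion service configured", stripped))
    return findings

def triage(host: str, services: list[str], torrc_text: str) -> list[Finding]:
    """Combine both checks for one host; an RMM agent alone is a weak signal."""
    return check_services(host, services) + check_torrc(host, torrc_text)

# Constructed sample inventory (not taken from any real host).
SAMPLE_SERVICES = ["wuauserv", "AteraAgent", "SplashtopRemoteService", "Spooler"]
SAMPLE_TORRC = """# constructed torrc for illustration
SocksPort 0
HiddenServiceDir C:\\ProgramData\\tor\\hs
HiddenServicePort 443 127.0.0.1:443
"""

if __name__ == "__main__":
    for finding in triage("constructed-host", SAMPLE_SERVICES, SAMPLE_TORRC):
        print(finding)
```

An RMM agent is legitimate in many environments, so a hit should be cross-checked against the organisation's approved-software list before escalating; the onion-service directives are the stronger signal.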
Any sign of Sandworm, which Microsoft refers to by the name Seashell Blizzard, raises alarms in part because the group has a history of hacking operations that go far beyond mere spying. Over the last decade, the group has caused at least three blackouts by targeting electric utilities in Ukraine—still the only such hacker-induced blackouts in history. The group also released the NotPetya malware that spread worldwide and did at least $10 billion in damage, and it used wiper malware to destroy countless networks in more targeted attacks across Ukraine both before and after the 2022 invasion.
Microsoft has so far found no evidence that, in BadPilot's targeting of Western networks specifically, Sandworm has shown any intention to carry out anything other than espionage. 'This seems very early in terms of initial resource gathering, trying to get this much persistent access,' says Microsoft's DeGrippo. 'Then we would have to wait to see what they do with it.'
But she notes that BadPilot is nonetheless tied to a larger group that has a history of highly disruptive cyberattacks. 'Therefore,' says DeGrippo, 'the potential actions that they could take next is of deep concern.'