
INCOMING INTEL - 2/14/2025: Device Code Phishing: Is Your Organization Prepared?

  • regularforcesyee
  • Feb 14
  • 2 min read


The Microsoft Threat Intelligence Center recently uncovered a sophisticated device code phishing campaign conducted by Storm-2372, a subgroup of the Russian state-sponsored actor Seashell Blizzard (also known as Sandworm or APT44). Publicly disclosed on February 13, 2025, this campaign, dubbed "BadPilot," is part of a multi-year effort to gain initial access to high-value targets worldwide.


The threat actors use third-party messaging services such as WhatsApp, Signal, and Microsoft Teams to reach potential victims, posing as prominent individuals to build rapport before sending invitations to online events or meetings. Because the victim is walked through the sign-in at the attacker's pace, this device code phishing technique extends the window of opportunity beyond the traditional 15-minute timeout on the code, potentially increasing the campaign's success rate.

The BadPilot campaign has a global scope, aiming to compromise internet-facing infrastructure worldwide, with a focus on critical sectors such as energy, telecommunications, shipping, and government organizations. Its primary goal is to maintain access to high-value targets and support tailored network operations. The campaign's impact has evolved over time, initially focusing on Ukraine and sectors supporting the war effort in 2022, then expanding to the US, Europe, Central Asia, and the Middle East in 2023, and further broadening to include the US, UK, Canada, and Australia in 2024-2025.


Analysis: The "BadPilot" campaign represents a significant evolution in state-sponsored cyber operations. This multi-year operation employs sophisticated social engineering tactics and a novel device code phishing technique to target high-value global infrastructure. The campaign's scope has progressively expanded from Ukraine in 2022 to include the US, UK, Canada, Australia, and parts of Europe, Central Asia, and the Middle East by 2025, focusing on critical sectors.


The campaign's strategic implications are far-reaching, indicating a persistent threat aimed at maintaining long-term access to valuable targets for potential future disruptive actions. It demonstrates the ongoing adaptation of state-sponsored actors to bypass traditional security measures and highlights the increasing vulnerability of critical infrastructure to cyberattacks. As a result, organizations and governments must enhance their authentication measures, improve employee training on sophisticated social engineering tactics, implement stricter controls on communication channels, and foster greater threat intelligence sharing. The BadPilot campaign signifies a concerning trend in the capabilities and ambitions of state-sponsored threat actors, necessitating continued vigilance and adaptive cybersecurity strategies to counter these evolving threats effectively.
