WordPress Plugin Flaw Allowed Hackers to Target 30,000 Websites

A subgroup of Russia’s state-backed hacker group Seashell Blizzard (Sandworm) has ramped up cyberattacks under a campaign called BadPilot.

This long-running operation now targets critical infrastructure worldwide, expanding beyond Ukraine and Eastern Europe to North America, Europe, and Asia-Pacific.

WordPress Plugin Flaw

Active since at least 2021, the BadPilot campaign exploits vulnerabilities in internet-facing infrastructure to gain access and establish persistence in high-value networks. It primarily targets sectors such as energy, oil and gas, telecommunications, shipping, arms manufacturing, and government organizations.

Microsoft researchers have identified the exploitation of at least eight known vulnerabilities, including flaws in widely used IT management tools like ConnectWise ScreenConnect (CVE-2024-1709) and Fortinet FortiClient EMS (CVE-2023-48788). These vulnerabilities allow attackers to infiltrate systems, steal credentials, execute commands, and move laterally within networks.

According to Wordfence, the campaign combines broad “spray-and-pray” attacks with targeted intrusions. Once inside a network, attackers modify DNS settings, inject malicious JavaScript into login portals to harvest credentials, and deploy remote management tools like Atera Agent to maintain stealthy persistence while blending into legitimate network traffic.

The BadPilot subgroup supports Russia’s military and intelligence efforts, initially targeting Ukraine in 2022 before expanding to critical infrastructure in the U.S., U.K., Canada, and Australia.

This shift reflects Russia’s intent to disrupt adversaries while preserving future cyber capabilities.

Since 2023, Microsoft has linked the group to at least three destructive cyberattacks in Ukraine, showcasing its ability to move from espionage to disruption. Its persistent access to networks enables both immediate attacks and long-term intelligence gathering.

By exploiting vulnerabilities and using advanced techniques, Seashell Blizzard continues to challenge global cybersecurity. Its focus on critical infrastructure highlights the urgent need for stronger defenses. As geopolitical tensions rise, these cyber operations will likely remain central to Russia’s strategy.

February 13th, 2025 (2025-02-19T09:53:42+05:30) | Internet Security, Malware, Security Advisory, Security Update, vulnerability, wordpress

About the Author:

FirstHackersNews- Identifies Security
