In a recent development, Microsoft has identified a new hacking group known as Cadet Blizzard, which has been linked to Russia’s military intelligence agency. The group has been involved in cyberattacks targeting organisations across Europe, Latin America, and Central Asia. This blog post provides an overview of Cadet Blizzard’s activities and their significance in the Russian cyber threat landscape.
Cadet Blizzard has emerged as a novel actor affiliated with Russia’s Main Directorate of the General Staff of the Armed Forces (GRU). First observed in 2020, Cadet Blizzard prioritises targeting government services, law enforcement, non-profit/non-governmental organisations, IT service providers/consulting, and emergency services in Ukraine.
Unlike established GRU-affiliated groups such as APT28 (Fancy Bear, Sofacy, Strontium, Sednit, SIG40, Group 74, PawnStorm, Snakemackerel, TG-4127, Tsar Team, Blue Athena, IRON TWILIGHT, Swallowtail, Threat Group-4127, Forest Blizzard) and Sandworm (Electrum, Telebots, BlackEnergy, Quedagh, Voodoo Bear, CTG-7263, Hades, OlympicDestroyer, IRIDIUM, TEMP.Noble, IRON VIKING, Seashell Blizzard), Cadet Blizzard operates independently, focusing on destructive cyber operations to support military objectives in Ukraine. Their actions aim to deliver impact, even at the expense of network operations and the exposure of sensitive information through targeted hack-and-leak operations.
Cadet Blizzard’s operations are centred around Ukraine but have expanded to target European and Latin American entities, seeking tactical and strategic-level insights into Western operations and policies related to the conflict. Cadet Blizzard operates throughout the week, specifically targeting off-business hours of their primary targets to reduce the likelihood of detection.
Microsoft has linked Cadet Blizzard to the WhisperGate data-wiping attacks on Ukrainian government organisations preceding the Russian invasion in February 2022. These cyber offensives coincided with the deployment of Russian tanks and troops along the Ukrainian borders.
WhisperGate disguised itself as ransomware but instead wiped infected devices, resembling the notorious NotPetya wiper that targeted Ukrainian businesses in 2017. The group was also involved in defacing Ukrainian websites and conducting hack-and-leak operations promoted through the ‘Free Civilian’ Telegram channel.
Since February 2023, the GRU hacking group behind Cadet Blizzard has intensified attacks on Ukrainian government organisations and IT providers. Microsoft has connected these incidents to breaches reported by Ukraine’s Computer Emergency Response Team (CERT-UA), uncovering evidence of persistent threats posed by Russian state hackers.
Cadet Blizzard employs a range of tools, tactics, and procedures to achieve their objectives. They utilise living-off-the-land techniques after gaining initial access to networks, enabling them to move laterally, collect credentials, evade detection, and establish persistence. Their activities often involve public signals to their targets, emphasising destruction, disruption, and intimidation. Cadet Blizzard leverages various exploitation methods, deploys commodity web shells for persistence, conducts privilege escalation and credential harvesting, and employs command and control (C2) mechanisms for remote control. They also employ anti-forensic measures and disable Microsoft Defender Antivirus to evade detection.
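As an added example (not code from the original post, Microsoft or Arachne Digital), the following rule-based detector runs over constructed telemetry lines that illustrate three of the behaviours summarised above: Microsoft Defender Antivirus being disabled, a commodity web shell dropped into an IIS web root, and audit log clearing as an anti-forensic step. The flat `EventID|Channel|Message` line format and every sample line are assumptions made for illustration; the event IDs (Defender/Operational 5001, 5010, 5012; Sysmon 11 and 13; Security 1102) are the standard Windows ones.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed sample telemetry in a simplified "EventID|Channel|Message" form;
# these are not real logs and carry no indicators from the post.
SAMPLE_EVENTS = [
    "5001|Defender/Operational|Real-time protection is disabled.",
    "13|Sysmon/Operational|Registry value set: HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware = DWORD (0x00000001)",
    "11|Sysmon/Operational|File created: C:\\inetpub\\wwwroot\\aspnet_client\\cmd.aspx by w3wp.exe",
    "1102|Security|The audit log was cleared. Subject: EXAMPLE\\svc-backup",
    "11|Sysmon/Operational|File created: C:\\Users\\alice\\Documents\\report.docx by WINWORD.EXE",
    "4624|Security|An account was successfully logged on.",
]

@dataclass
class Event:
    event_id: str
    channel: str
    message: str

def parse_event(line: str) -> Event:
    """Parse one 'EventID|Channel|Message' line of the constructed flat format."""
    event_id, channel, message = line.split("|", 2)
    return Event(event_id.strip(), channel.strip(), message.strip())

# Each rule corresponds to one behaviour the post attributes to Cadet Blizzard.
RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    # Defender/Operational 5001/5010/5012: real-time protection or scanning switched off.
    ("defender_disabled", lambda e: e.channel.startswith("Defender") and e.event_id in {"5001", "5010", "5012"}),
    # Sysmon 13: a 'Disable*' value under the Windows Defender policy key set to 1.
    ("defender_policy_tamper", lambda e: e.event_id == "13"
        and re.search(r"Windows Defender\\Disable\w+ = DWORD \(0x0*1\)", e.message) is not None),
    # Sysmon 11: a server-side script written beneath the IIS web root (web shell placement).
    ("webshell_drop", lambda e: e.event_id == "11"
        and re.search(r"\\inetpub\\wwwroot\\.*\.(aspx?|ashx|php)$", e.message.split(" by ")[0], re.I) is not None),
    # Security 1102: the audit log was cleared, a common anti-forensic action.
    ("audit_log_cleared", lambda e: e.event_id == "1102"),
]

def detect(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (rule_name, message) for every line that matches a rule, in input order."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        for name, pred in RULES:
            if pred(ev):
                hits.append((name, ev.message))
    return hits

if __name__ == "__main__":
    for rule, msg in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {msg}")
```

The benign document write and logon lines are included so the rules can be seen not to fire on ordinary activity.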
Microsoft notes that Cadet Blizzard’s attacks have a relatively lower success rate compared to other GRU-affiliated groups such as APT28 and Sandworm. While Cadet Blizzard experienced a decline in activity after June 2022, the group resurfaced in early 2023 and has achieved occasional success in their recent cyber operations. However, they have not matched the impact of their GRU counterparts’ attacks.
Cadet Blizzard’s activities, although not as successful or mature as other GRU-affiliated threat actors, demand attention due to their focus on delivering impact and their potential to gain strategic-level insights into Western operations and policies related to the conflict.
To protect against Cadet Blizzard’s operations, organisations should implement robust security measures, such as those summarised in the closing paragraph of this post.
Cadet Blizzard’s emergence as a distinct Russian threat actor within the ongoing conflict between Russia and Ukraine marks a significant development in the cyber threat landscape. Their destructive operations, targeting of government organisations and IT service providers, and hack-and-leak activities pose a serious risk to regional and global security.
Implementing robust security measures such as regular patching, web server hardening, network monitoring, privilege management, and advanced endpoint protection is crucial in defending against Cadet Blizzard’s operations. Developing comprehensive incident response plans and collaborating with trusted partners for information sharing and threat intelligence are also vital steps in safeguarding against this evolving threat landscape.