
Cadet Blizzard: A Novel Russian Threat Actor Shaping the Cyber Landscape

June 17, 2023
A new hacking group — known as Cadet Blizzard — has been linked to Russia’s military intelligence agency. Here is an overview of their activities.

by Kade Morton (CEO)

Introduction

In a recent development, Microsoft has identified a new hacking group known as Cadet Blizzard, which has been linked to Russia’s military intelligence agency. The group has been involved in cyberattacks targeting organisations across Europe, Latin America, and Central Asia. This blog post provides an overview of Cadet Blizzard’s activities and their significance in the Russian cyber threat landscape.

A New Player in the Russian Cyber Threat Landscape

Cadet Blizzard has emerged as a novel actor affiliated with Russia’s Main Directorate of the General Staff of the Armed Forces (GRU). First observed in 2020, Cadet Blizzard prioritises targeting government services, law enforcement, non-profit/non-governmental organisations, IT service providers/consulting, and emergency services in Ukraine.

Unlike established GRU-affiliated groups such as APT28 (Fancy Bear, Sofacy, Strontium, Sednit, SIG40, Group 74, PawnStorm, Snakemackerel, TG-4127, Tsar Team, Blue Athena, IRON TWILIGHT, Swallowtail, Threat Group-4127, Forest Blizzard) and Sandworm (Electrum, Telebots, BlackEnergy, Quedagh, Voodoo Bear, CTG-7263, Hades, OlympicDestroyer, IRIDIUM, TEMP.Noble, IRON VIKING, Seashell Blizzard), Cadet Blizzard operates independently, focusing on destructive cyber operations to support military objectives in Ukraine. Their actions aim to deliver impact, even at the expense of network operations and the exposure of sensitive information through targeted hack-and-leak operations.

Cadet Blizzard’s operations are centred around Ukraine but have expanded to target European and Latin American entities, seeking tactical and strategic-level insights into Western operations and policies related to the conflict. Cadet Blizzard operates throughout the week, specifically targeting off-business hours of their primary targets to reduce the likelihood of detection.

Cadet Blizzard’s Connection to WhisperGate Attacks

Microsoft has linked Cadet Blizzard to the WhisperGate data-wiping attacks on Ukrainian government organisations preceding the Russian invasion in February 2022. These cyber offensives coincided with the deployment of Russian tanks and troops along the Ukrainian borders.

WhisperGate disguised itself as ransomware but instead wiped infected devices, resembling the notorious NotPetya wiper that targeted Ukrainian businesses in 2017. The group was also involved in defacing Ukrainian websites and conducting hack-and-leak operations promoted through the ‘Free Civilian’ Telegram channel.

Renewed Targeting of Ukrainian Government Organisations

Since February 2023, Cadet Blizzard has intensified its attacks on Ukrainian government organisations and IT providers. Microsoft has connected these incidents to breaches reported by Ukraine’s Computer Emergency Response Team (CERT-UA), further evidence of the persistent threat posed by Russian state hackers.

Tactics, Techniques, and Procedures

Cadet Blizzard employs a range of tools, tactics, and procedures to achieve their objectives. They utilise living-off-the-land techniques after gaining initial access to networks, enabling them to move laterally, collect credentials, evade detection, and establish persistence. Their activities often involve public signals to their targets, emphasising destruction, disruption, and intimidation. Cadet Blizzard leverages various exploitation methods, deploys commodity web shells for persistence, conducts privilege escalation and credential harvesting, and employs command and control (C2) mechanisms for remote control. They also employ anti-forensic measures and disable Microsoft Defender Antivirus to evade detection.
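Two observations in this post, that Cadet Blizzard disables Microsoft Defender Antivirus and that it times activity to its targets' off-business hours, suggest a straightforward detection. The following is an added example, not code from the original post: it scans a constructed export of Defender Operational log events for the event IDs that record protection being switched off and rates off-hours hits higher. The export format, hostnames, business-hours window and sample log text are assumptions made for the example.

```python
"""Flag Microsoft Defender Antivirus being switched off in Defender Operational log
events, rating off-hours activity higher. Added example, not code from the post."""
from datetime import datetime

# Event IDs from the Microsoft-Windows-Windows Defender/Operational log.
TAMPER_EVENTS = {
    5001: "real-time protection disabled",
    5010: "antispyware scanning disabled",
    5012: "antivirus scanning disabled",
}
CONFIG_CHANGED = 5007          # configuration changed; message carries Old/New value
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 Mon-Fri, local time (assumed for the example)

def parse_line(line):
    """Constructed export format: '<ISO timestamp>|<host>|<event id>|<message>'."""
    ts, host, eid, msg = line.rstrip("\n").split("|", 3)
    return datetime.fromisoformat(ts), host, int(eid), msg

def config_disables_defender(msg):
    """5007 text reads '... Old value: <key> = <v> New value: <key> = <v>'. Only a
    Disable* key set to 0x1 counts, so re-enabling (0x1 -> 0x0) is not flagged."""
    _, _, new_value = msg.partition("New value:")
    return "Disable" in new_value and new_value.strip().endswith("0x1")

def detect_defender_tampering(lines):
    """Return (timestamp, host, event_id, severity, reason) for each Defender-off event."""
    alerts = []
    for line in lines:
        when, host, eid, msg = parse_line(line)
        reason = TAMPER_EVENTS.get(eid)
        if eid == CONFIG_CHANGED and config_disables_defender(msg):
            reason = "Defender disabled via configuration change"
        if reason is None:
            continue
        # The actor favours its targets' off-business hours, so rate those higher.
        off_hours = when.weekday() >= 5 or when.hour not in BUSINESS_HOURS
        alerts.append((when, host, eid, "high" if off_hours else "medium", reason))
    return alerts

# Constructed sample export, not real telemetry (hostnames are placeholders).
SAMPLE_LOG = [
    "2023-03-04T02:13:09|WEB01|5001|Microsoft Defender Antivirus Real-time Protection is disabled.",
    "2023-03-06T10:45:30|FS02|1150|Endpoint Protection client is up and running in a healthy state.",
    "2023-03-06T23:02:11|WEB01|5007|Microsoft Defender Antivirus Configuration has changed. Old value: "
    "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\DisableAntiSpyware = 0x0 New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\DisableAntiSpyware = 0x1",
    "2023-03-07T14:20:00|FS02|5010|Microsoft Defender Antivirus scanning for spyware is disabled.",
    "2023-03-07T14:25:00|FS02|5007|Microsoft Defender Antivirus Configuration has changed. Old value: "
    "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\DisableAntiSpyware = 0x1 New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\DisableAntiSpyware = 0x0",
]
```

Running `detect_defender_tampering(SAMPLE_LOG)` yields three alerts (the 5001, 5007 and 5010 events); the two off-hours hits are rated high and the weekday one medium, while the heartbeat and the re-enabling change are ignored.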

Risk and Impact

Microsoft notes that Cadet Blizzard’s attacks have a lower success rate than those of other GRU-affiliated groups such as APT28 and Sandworm. While Cadet Blizzard’s activity declined after June 2022, the group resurfaced in early 2023 and has achieved occasional success in its recent cyber operations. However, it has not matched the impact of its GRU counterparts’ attacks.

Cadet Blizzard’s activities, although not as successful or mature as other GRU-affiliated threat actors, demand attention due to their focus on delivering impact and their potential to gain strategic-level insights into Western operations and policies related to the conflict.

Mitigating Cadet Blizzard’s Threat

To protect against Cadet Blizzard’s operations, organisations should implement robust security measures. These may include:

  • Regular patching and updates: Keep systems and software up to date to protect against known vulnerabilities.
  • Web server hardening: Secure web servers to prevent exploitation and unauthorised access.
  • Network monitoring and detection: Implement network monitoring tools to identify suspicious activities and detect potential intrusions.
  • Privilege management: Enforce the principle of least privilege and regularly review and update user privileges.
  • Endpoint protection: Deploy advanced endpoint security solutions to detect and mitigate malicious activities.
  • Incident response planning: Develop a comprehensive incident response plan to address potential breaches and minimise the impact.
  • Information sharing: Collaborate with trusted partners, such as Microsoft and relevant cybersecurity organisations, to share threat intelligence and stay updated on emerging threats.

Conclusion

Cadet Blizzard’s emergence as a distinct Russian threat actor within the ongoing conflict between Russia and Ukraine marks a significant development in the cyber threat landscape. Their destructive operations, targeting of government organisations and IT service providers, and hack-and-leak activities pose a serious risk to regional and global security.

Implementing robust security measures such as regular patching, web server hardening, network monitoring, privilege management, and advanced endpoint protection is crucial in defending against Cadet Blizzard’s operations. Developing comprehensive incident response plans and collaborating with trusted partners for information sharing and threat intelligence are also vital steps in safeguarding against this evolving threat landscape.
