Cadet Blizzard: A Novel Russian Threat Actor Shaping the Cyber Landscape

Cadet Blizzard has emerged as a novel actor affiliated with Russia’s Main Directorate of the General Staff of the Armed Forces (GRU). First observed in 2020, Cadet Blizzard prioritises targeting government services, law enforcement, non-profit/non-governmental organisations, IT service providers/consulting, and emergency services in Ukraine

Unlike established GRU-affiliated groups such as APT28 (Fancy Bear, Sofacy, Strontium, Sednit, SIG40, Group 74, PawnStorm, Snakemackerel, TG-4127, Tsar Team, Blue Athena, IRON TWILIGHT, Swallowtail, Threat Group-4127, Forest Blizzard) and Sandworm (Electrum, Telebots, BlackEnergy, Quedagh, Voodoo Bear, CTG-7263, Hades, OlympicDestroyer, IRIDIUM, TEMP.Noble, IRON VIKING, Seashell Blizzard), Cadet Blizzard operates independently, focusing on destructive cyber operations to support military objectives in Ukraine. Their actions aim to deliver impact, even at the expense of network operations and the exposure of sensitive information through targeted hack-and-leak operations.

Cadet Blizzard’s operations are centred around Ukraine but have expanded to target European and Latin American entities, seeking tactical and strategic-level insights into Western operations and policies related to the conflict. Cadet Blizzard operates throughout the week, specifically targeting off-business hours of their primary targets to reduce the likelihood of detection.

Microsoft has linked Cadet Blizzard to the WhisperGate data-wiping attacks on Ukrainian government organisations preceding the Russian invasion in February 2022. These cyber offensives coincided with the deployment of Russian tanks and troops along the Ukrainian borders.

WhisperGate disguised itself as ransomware but instead wiped infected devices, resembling the notorious NotPetya wiper that targeted Ukrainian businesses in 2017. The group was also involved in defacing Ukrainian websites and conducting hack-and-leak operations promoted through the ‘Free Civilian’ Telegram channel.

Since February 2023, the GRU hacking group behind Cadet Blizzard has intensified attacks on Ukrainian government organisations and IT providers. Microsoft has connected these incidents to breaches reported by Ukraine’s Computer Emergency Response Team (CERT-UA), uncovering evidence of persistent threats posed by Russian state hackers.

Cadet Blizzard employs a range of tools, tactics, and procedures to achieve their objectives. They utilise living-off-the-land techniques after gaining initial access to networks, enabling them to move laterally, collect credentials, evade detection, and establish persistence. Their activities often involve public signals to their targets, emphasising destruction, disruption, and intimidation. Cadet Blizzard leverages various exploitation methods, deploys commodity web shells for persistence, conducts privilege escalation and credential harvesting, and employs command and control (C2) mechanisms for remote control. They also employ anti-forensic measures and disable Microsoft Defender Antivirus to evade detection.

Microsoft notes that Cadet Blizzard’s attacks have a relatively lower success rate compared to other GRU-affiliated groups such as APT28 and Sandworm. While Cadet Blizzard experienced a decline in activity after June 2022, the group resurfaced in early 2023 and has achieved occasional success in their recent cyber operations. However, they have not matched the impact of their GRU counterparts’ attacks.

Cadet Blizzard’s activities, although not as successful or mature as other GRU-affiliated threat actors, demand attention due to their focus on delivering impact and their potential to gain strategic-level insights into Western operations and policies related to the conflict.

To protect against Cadet Blizzard’s operations, organisations should implement robust security measures. These may include:

• Regular patching and updates: Keep systems and software up to date to protect against known vulnerabilities.
• Web server hardening: Secure web servers to prevent exploitation and unauthorised access.
• Network monitoring and detection: Implement network monitoring tools to identify suspicious activities and detect potential intrusions.
• Privilege management: Enforce the principle of least privilege and regularly review and update user privileges.
• Endpoint protection: Deploy advanced endpoint security solutions to detect and mitigate malicious activities.
• Incident response planning: Develop a comprehensive incident response plan to address potential breaches and minimise the impact.
• Information sharing: Collaborate with trusted partners, such as Microsoft and relevant cybersecurity organisations, to share threat intelligence and stay updated on emerging threats.

Cadet Blizzard’s emergence as a distinct Russian threat actor within the ongoing conflict between Russia and Ukraine marks a significant development in the cyber threat landscape. Their destructive operations, targeting of government organisations and IT service providers, and hack-and-leak activities pose a serious risk to regional and global security.

Implementing robust security measures such as regular patching, web server hardening, network monitoring, privilege management, and advanced endpoint protection is crucial in defending against Cadet Blizzard’s operations. Developing comprehensive incident response plans and collaborating with trusted partners for information sharing and threat intelligence are also vital steps in safeguarding against this evolving threat landscape.