
In a previous blog post, we delved into the activities and implications of Cadet Blizzard.
The unsealed indictment against Amin Stigal, an individual linked to Cadet Blizzard, has since provided new insight into the group's operations. This post offers an updated overview based on that information.
Attributed to the Main Intelligence Directorate of the General Staff of the Russian Armed Forces (GRU), Cadet Blizzard has orchestrated sophisticated cyber attacks targeting Ukraine and its allies.
In the weeks leading up to Russia's full-scale invasion of Ukraine in February 2022, Cadet Blizzard launched a series of cyber attacks against numerous Ukrainian government entities. The targets were largely the networks behind essential civilian services, including agriculture, education, science and emergency services, rather than military systems. The objective was to disrupt and destroy these systems ahead of the invasion, crippling essential services and spreading chaos.
Tactics: The malware deployed by Cadet Blizzard was designed to look like ransomware, but there was no recovery path. Instead of encrypting data and holding it for ransom, the malware destroyed it, leaving victims nothing to recover and causing significant disruption.
One of Cadet Blizzard’s campaigns, known as WhisperGate, involved the theft and online leaking of personal data belonging to thousands of Ukrainian civilians, including sensitive medical records. This campaign aimed to sow distrust in the Ukrainian government by exposing and exploiting citizens’ private information.
Cadet Blizzard’s operations extended beyond Ukraine, targeting countries that supported Ukraine during the conflict. In October 2022, the group hacked the transportation infrastructure of a Central European country that had provided civilian and military aid to Ukraine.
The group also probed systems in the United States, including multiple sites maintained by a U.S. government agency located in Maryland. These reconnaissance activities were likely aimed at identifying vulnerabilities for potential future exploitation.
Cadet Blizzard’s operations are supported by a network of computers scattered worldwide, rented using cryptocurrency. This infrastructure allows the group to execute attacks from various geographical locations, making detection and attribution challenging.
Amin Stigal played a role in setting up online infrastructure for GRU officers. This infrastructure was used to scan the internet for vulnerable devices, which were then exploited to gain unauthorised access. Once inside, they stole files and programs, enhancing their capabilities and resources.
On August 19, 2021, the group scanned more than 2,400 public-facing Ukrainian government websites for vulnerabilities, setting the stage for the attacks that followed. From September 17, 2021 through January 28, 2022, Stigal created five accounts on a US-based messaging and VoIP platform, referred to in the indictment as Company 1. Using these accounts, Cadet Blizzard uploaded more than 225 files, including malware scripts, to Company 1's servers, in effect using a legitimate consumer service to host attack tooling.
On January 13, 2022, Cadet Blizzard launched a massive assault on at least two dozen Ukrainian government networks. The targets included high-profile entities such as the Ministry of Internal Affairs, the State Treasury, the Judiciary Administration, the State Portal for Digital Services (DIIA), the Ministry of Education and Science, the Ministry of Agriculture, the State Service for Food Safety and Consumer Protection, the Ministry of Energy, the Accounting Chamber of Ukraine, the State Emergency Service, the State Forestry Agency, and the Motor Insurance Bureau. This attack saw the deployment of WhisperGate, a multi-stage destructive malware.
That same day, Cadet Blizzard compromised the computers hosting DIIA and other websites and defaced them with a message in Polish, Russian and Ukrainian: “Ukrainians! All Information about you has become public, be afraid and expect the worst. This is for your past, present and future.” Within hours, the group posted data stolen from the Ukrainian government on dark web forums under the moniker “Free Civilian.” The data included criminal records, patient health data and Motor Insurance Bureau records. The group also offered the data of 13.5 million DIIA users for sale for $80,000.
In October 2022, Cadet Blizzard gained access to the computer networks of the transportation sector of a Central European country that had provided civilian and military aid to Ukraine.
The GRU’s modus operandi extends beyond cyber espionage. Cadet Blizzard’s attacks aim to cause real-world impact: they destroy systems, leak sensitive data, sell it on the dark web, and post messages to make sure the victims know about it. This approach maximises disruption to Ukrainian government operations and sows discord and fear among the population. The timing of these attacks, in the weeks before the Russian invasion of Ukraine, highlights their strategic intent to destabilise the region and undermine trust in government institutions.
Paying for infrastructure in cryptocurrency has become standard tradecraft in state-sponsored cyber operations. Cadet Blizzard, like the other GRU-affiliated groups APT28 and Sandworm, maintains pools of cryptocurrency to rent servers around the world. This lets the group launch attacks from many geographical locations and swap infrastructure quickly, complicating attribution and tracking by security teams and law enforcement.
Scanning the internet for exposed, vulnerable services is routine for groups like Cadet Blizzard, and whatever is exposed is what gets exploited. Organisations must prioritise patch management for internet-facing devices in particular, which in turn requires an accurate inventory of what is actually reachable from the internet: a server nobody knows is exposed never gets patched. Regular updating and patching closes the known vulnerabilities that bulk scanning of this kind is designed to find.
Effective cyber defence also requires vigilant monitoring for unusual activity.
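As an added illustration of the scanning and monitoring points above (example code written for this post, not tooling from the indictment or from Arachne Digital), the script below aggregates web server access logs per source address and flags sources that touch many distinct hosts, or hammer many paths on one host with mostly error responses. That is the footprint a bulk vulnerability scan of public-facing websites, like the one described against 2,400 Ukrainian government sites, leaves behind. The vhost-prefixed log format, the host names, the IP addresses (RFC 5737 documentation ranges) and the thresholds are all assumptions; the log lines are constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed log format (constructed for this example): combined log format with the
# virtual host prepended, e.g.
#   portal.example 203.0.113.20 - - [01/Jan/2024:03:14:07 +0000] "GET /.env HTTP/1.1" 404 162
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Responses that indicate the request was for something that is not there or not allowed:
# a scanner guessing paths produces a high proportion of these.
ERROR_STATUSES = {"400", "403", "404"}


@dataclass
class ClientStats:
    requests: int = 0
    errors: int = 0
    vhosts: set = field(default_factory=set)
    paths: set = field(default_factory=set)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def aggregate(lines):
    """Group requests by client address, counting distinct hosts, paths and error responses."""
    stats = defaultdict(ClientStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash on malformed input
        s = stats[rec["client"]]
        s.requests += 1
        s.vhosts.add(rec["vhost"])
        s.paths.add(rec["path"])
        if rec["status"] in ERROR_STATUSES:
            s.errors += 1
    return stats


def flag_scanners(lines, min_vhosts=5, min_paths=8, min_error_ratio=0.5):
    """Return {client: reason} for clients whose traffic looks like bulk reconnaissance.

    Two heuristics (thresholds are assumptions, tune them to your own baseline):
      * one source touching many different hosts you serve, or
      * one source requesting many distinct paths with mostly error responses.
    """
    flagged = {}
    for client, s in aggregate(lines).items():
        error_ratio = s.errors / s.requests
        if len(s.vhosts) >= min_vhosts:
            flagged[client] = f"{len(s.vhosts)} distinct hosts"
        elif len(s.paths) >= min_paths and error_ratio >= min_error_ratio:
            flagged[client] = f"{len(s.paths)} paths, {error_ratio:.0%} error responses"
    return flagged


# Constructed sample traffic: documentation IPs and .example hosts, not real data.
_TS = "[01/Jan/2024:03:14:%02d +0000]"
SAMPLE_LOG = (
    # One source touching six different government-style hosts: cross-host reconnaissance.
    [f'gov-{h}.example 198.51.100.7 - - {_TS % i} "GET /.env HTTP/1.1" 404 162'
     for i, h in enumerate("abcdef")]
    # One source probing eight common paths on a single host, almost all 404.
    + [f'portal.example 203.0.113.20 - - {_TS % (10 + i)} "GET {p} HTTP/1.1" {st} 162'
       for i, (p, st) in enumerate([
           ("/wp-login.php", 404), ("/.git/config", 404), ("/admin/", 404),
           ("/phpmyadmin/", 404), ("/owa/", 404), ("/api/v1/users", 404),
           ("/.env", 404), ("/", 200)])]
    # An ordinary visitor browsing one site.
    + [f'portal.example 192.0.2.10 - - {_TS % (20 + i)} "GET {p} HTTP/1.1" 200 5120'
       for i, p in enumerate(["/", "/news", "/contact"])]
)

if __name__ == "__main__":
    for client, reason in flag_scanners(SAMPLE_LOG).items():
        print(f"{client}: {reason}")
```

Per-address aggregation is the simplest cut and is exactly what rented, rotating infrastructure is meant to defeat: a group paying for servers in cryptocurrency can spread the same scan across many addresses so that no single one crosses a threshold. In practice, run the same aggregation over a sliding time window and also keyed by network block or ASN, and treat the results as a lead for triage rather than an automatic block.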
The GRU’s cyber operations, as demonstrated by Cadet Blizzard, underscore the need for robust and proactive cybersecurity measures. Their ability to cause real-world impact through cyber attacks calls for heightened vigilance and strategic defence mechanisms. By understanding their tactics and focusing on key areas like patch management and activity monitoring, organisations can better protect themselves against these persistent and evolving threats.
