
Microsoft identifies, names new Russian-sponsored threat group

Russian soldiers march in formation during a military parade rehearsal.

Microsoft announced Wednesday that a state-sponsored threat group it has been tracking since January 2022 is a new advanced persistent threat (APT) group linked with Russia’s military intelligence agency, the GRU. 

The group, formerly tracked as DEV-0586, was elevated and named Cadet Blizzard under Microsoft’s new naming convention for the state-sponsored groups its researchers track, which assigns names associated with weather events. For example, APT groups from Russia and China have “blizzard” in their names, while Iranian groups have “sandstorm” in their names.

Cadet Blizzard was observed creating and deploying the WhisperGate malware a month before Russia’s invasion of its neighbor Ukraine. WhisperGate is among the so-called “wiper” malware families that cybersecurity firms have observed Russia using against the Ukrainian government, and U.S. government agencies have warned organizations about the malware since the invasion in early 2022.

Microsoft Threat Intelligence described WhisperGate as having “a destructive capability that wipes Master Boot Records (MBRs)” and said it is intended to delete data and make systems inoperable.

Cadet Blizzard is structured to expose sensitive information through targeted hack-and-leak operations, but is not considered to be as prolific in scale and scope as its more established Russian brethren, the blog noted.

A Microsoft Threat Intelligence employee who goes by the name “Justin” on Twitter (@sixdub) said: “The group has been tasked with high profile destructive attacks and information ops. We were surprised to see a novel group w/ this remit.” Justin went on to say other Russian groups shouldn’t be jealous of Cadet Blizzard, as it has had limited success and its overall novelty and immaturity show in its intrusions.

Cadet Blizzard has primarily targeted Ukrainian government organizations and information technology providers, but Microsoft said organizations in Europe and Latin America have also fallen victim to the group. Microsoft Threat Intelligence assessed that member states in the NATO alliance involved in providing military aid to Ukraine are at greater risk.

The group’s activity peaked between January and June 2022 and, after a period of reduced activity, picked up again in January 2023 with website defacements against Ukraine and Europe and a “Free Civilian” Telegram channel.

The group consistently targets information technology providers and software developers that provide services to government organizations, using supply chain “compromise one, compromise many” techniques, according to Microsoft. After gaining initial access, it commonly uses living-off-the-land techniques to move laterally through networks, collect credentials and other information, and evade detection.

“Unlike other Russian-affiliated groups that historically prefer to remain undetected to perform espionage, the result of at least some notable Cadet Blizzard operations are extremely disruptive and are almost certainly intended to be public signals to their targets to achieve the larger objective of destruction, disruption, and possibly, intimidation,” the threat intel team wrote.

For more on Cadet Blizzard’s tactics, techniques and procedures (TTPs), see Microsoft’s security blog here.

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.
