Since April 2023, Microsoft has tracked a threat group named Cadet Blizzard, and it has recently attributed the group to Russia’s Main Directorate of the General Staff of the Armed Forces, also known as the GRU. Microsoft had previously linked this GRU hacking group to the WhisperGate data-wiping attacks in Ukraine that began on January 13, 2022, over a month prior to the Russian invasion of Ukraine in February 2022.
In addition, Cadet Blizzard was responsible for the defacement of Ukrainian websites in early 2022, as well as various hack-and-leak operations that were advertised on a relatively inactive Telegram channel called ‘Free Civilian.’
According to Microsoft, Cadet Blizzard is believed to have commenced its operations in 2020, focusing on government services, law enforcement agencies, non-governmental organizations, IT service providers and consulting firms, and emergency services in Ukraine. Microsoft links the group to the Russian General Staff Main Intelligence Directorate (GRU) but notes that it is distinct from other known GRU-affiliated groups such as Forest Blizzard (STRONTIUM) and Seashell Blizzard (IRIDIUM). Microsoft has also revealed that Cadet Blizzard created and deployed WhisperGate, a destructive capability that wipes Master Boot Records (MBRs), against Ukrainian government organizations a month before the Russian invasion of Ukraine.
Microsoft has observed that the success rate of Cadet Blizzard’s attacks is comparatively lower than that of other GRU-affiliated hacking groups, such as APT28 (Strontium, Fancy Bear) and Sandworm (Iridium). Although Cadet Blizzard ceased its operations after June 2022, it re-emerged in early 2023; some of its recent cyber operations have achieved occasional success, but it has still failed to match the impact of the attacks carried out by other GRU-affiliated groups.
Following the defacements and data-wiping attacks in 2022, the GRU hacking group has been responsible for a continuous stream of attacks directed at Ukrainian government organizations and IT providers, starting from February 2023. For instance, Microsoft has linked the group to at least one incident in a series of breaches reported by the Computer Emergency Response Team of Ukraine (CERT-UA) in February; CERT-UA revealed that it had discovered evidence of backdoors planted by Russian state hackers on multiple government websites following breaches that date back to December 2021.
CERT-UA has attributed the attacks to Ember Bear, a group that it believes has been operational since March 2021, targeting Ukrainian organizations with information stealers, backdoors, and data wipers that are disguised as ransomware and primarily delivered through phishing emails.
Tom Burt, Microsoft’s Corporate Vice President of Customer Security & Trust, has stated that Cadet Blizzard operates continuously throughout the week and carries out its activities during the off-business hours of its primary targets to minimize the likelihood of detection. Furthermore, Cadet Blizzard not only targets Ukraine but also directs its attention to NATO member states that are involved in providing military assistance to Ukraine.
#Hacking #Cyberattacks #Microsoft #RussianGRU #CadetBlizzard