Security researchers have made a public disclosure about the identification of a new Advanced Persistent Threat (APT) group associated with Russia’s General Staff Main Intelligence Directorate (GRU). The experts have issued a warning, revealing that this threat actor has been involved in destructive wiper malware attacks on various organizations in Ukraine.
In a recent report, Microsoft’s threat intelligence team named the group ‘Cadet Blizzard’ and provided detailed evidence and insights into the extent and usage of malware within a wartime context.
The emergence of this new GRU-affiliated actor is a significant development in the Russian cyber threat landscape, according to the report. Cadet Blizzard is responsible for developing the notorious WhisperGate wiper malware, which targeted the Master Boot Record (MBR) of computers in Ukraine.
The researchers have established a direct connection between the Russian APT group and the defacement of multiple Ukrainian organization websites, as well as the “Free Civilian” hack-and-leak Telegram channel.
Analyzing Cadet Blizzard
Cadet Blizzard has been monitored since the release of the WhisperGate wiper in January 2022, yet the group is believed to have been operational since 2020.
According to Microsoft, the APT’s operations align with the goals and objectives of GRU-led activities during Russia’s invasion of Ukraine. The group has engaged in focused destructive attacks, espionage, and information operations in strategically important regions.
The primary targets of Cadet Blizzard include government organizations and information technology providers in Ukraine, with some incidents affecting organizations in Europe and Latin America as well.
Cadet Blizzard Operations
Cadet Blizzard gains initial access to targets through commonly known vulnerabilities in Internet-facing web servers. Once a network is compromised, the operators move laterally, harvest credentials, escalate privileges, and use web shells to establish persistence before stealing sensitive organizational data.
Microsoft characterized certain aspects of Cadet Blizzard’s operations as “haphazard” and revealed evidence indicating that at least one Russian private sector entity has actively supported the hackers by providing operational assistance during the WhisperGate attack.
Cadet Blizzard has displayed a consistent pattern of targeting information technology providers and software developers that offer services to government organizations. The group employs a technique known as “compromise one, compromise many,” exploiting the supply chain to gain access to multiple interconnected entities.
You can read the complete report here.