15 June 2023

New Russian GRU-affiliated APT group linked to destructive wiper attacks on Ukraine


Microsoft’s threat intelligence team has released a report linking the destructive WhisperGate wiper attacks that targeted Ukrainian government organizations to Cadet Blizzard (formerly DEV-0586), a Russian state-sponsored threat actor associated with the Russian General Staff Main Intelligence Directorate (GRU).

Besides the WhisperGate data-wiping attacks that started on January 13, 2022, more than a month before Russia invaded Ukraine, the group was also behind a series of defacements of several Ukrainian organizations’ websites, as well as multiple other operations, including the hack-and-leak forum known as “Free Civilian.”

Microsoft says that Cadet Blizzard’s operations are separate from other known and well-established GRU-linked hacker groups like Forest Blizzard (Strontium) and Seashell Blizzard (Iridium). It also notes that the group’s campaigns are less prolific in both scale and scope with a lower degree of operational security.

The threat actor is said to have been active since at least 2020, mainly focusing on destructive attacks, espionage, and information operations in regionally significant areas.

“Cadet Blizzard’s operations are global in scope but consistently affect regional hotspots in Ukraine, Europe, Central Asia, and, periodically, Latin America. Cadet Blizzard likely prioritizes target networks based on requirements consistent with Russian military or intelligence objectives such as geolocation or perceived impact,” Microsoft said.

The threat actor breaches and maintains a foothold on affected networks for months, often exfiltrating data prior to disruptive actions. The group uses living-off-the-land techniques after gaining initial access to move laterally through the network, collect credentials and other data, and deploy persistence mechanisms and techniques that allow them to evade detection.

The group gains initial access by exploiting vulnerabilities in web servers commonly found on network perimeters. Cadet Blizzard is also known for exploiting Confluence servers via the CVE-2021-26084 flaw, Exchange servers through multiple bugs including CVE-2022-41040 and ProxyShell (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207), and security issues in various open-source platforms such as content management systems.

While other Russia-linked state-backed hacker groups prefer to remain undetected, Cadet Blizzard’s operations are extremely disruptive and are likely meant to be public signals to their targets, serving the larger objective of destruction, disruption, and possibly intimidation, Microsoft noted.
