Microsoft’s threat intelligence team has released a report linking the destructive WhisperGate wiper attacks that targeted Ukrainian government organizations to Cadet Blizzard (formerly DEV-0586), a Russian state-sponsored threat actor associated with the Russian General Staff Main Intelligence Directorate (GRU).
Besides the WhisperGate data-wiping attacks that started on January 13, 2022, more than a month before Russia invaded Ukraine, the group was also behind a series of defacements of several Ukrainian organizations’ websites, as well as multiple operations, including the hack-and-leak forum known as “Free Civilian.”
Microsoft says that Cadet Blizzard’s operations are separate from those of other known and well-established GRU-linked hacker groups like Forest Blizzard (Strontium) and Seashell Blizzard (Iridium). It also notes that the group’s campaigns are less prolific in both scale and scope, and that the group operates with a lower degree of operational security.
The threat actor is said to have been active since at least 2020, mainly focusing on destructive attacks, espionage, and information operations in regionally significant areas.
“Cadet Blizzard’s operations are global in scope but consistently affect regional hotspots in Ukraine, Europe, Central Asia, and, periodically, Latin America. Cadet Blizzard likely prioritizes target networks based on requirements consistent with Russian military or intelligence objectives such as geolocation or perceived impact,” Microsoft said.
The threat actor breaches and maintains a foothold on affected networks for months, often exfiltrating data prior to disruptive actions. The group uses living-off-the-land techniques after gaining initial access to move laterally through the network, collect credentials and other data, and deploy persistence mechanisms and techniques that allow them to evade detection.
The group gains initial access by exploiting vulnerabilities in web servers commonly found on network perimeters. Cadet Blizzard is also known for exploiting Confluence servers via the CVE-2021-26084 flaw, Exchange servers through multiple bugs including CVE-2022-41040 and ProxyShell (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207), and security issues in various open-source platforms such as content management systems.
While other Russia-linked state-backed hacker groups prefer to remain undetected, Cadet Blizzard’s operations are extremely disruptive and likely meant to be public signals to their targets, serving the larger objective of destruction, disruption, and possibly intimidation, Microsoft noted.