Microsoft Threat Intelligence has formally named a previously tracked threat actor (DEV-0586), now known as “Cadet Blizzard”.
In a blog post published Wednesday, Microsoft described the emerging threat and shared updates on the techniques, tools and infrastructure of the Russian state-sponsored attacker.
For more information on Microsoft’s previous DEV-0586 findings, see Microsoft Warns of Destructive Malware Campaign Targeting Ukraine.
Microsoft believes that Cadet Blizzard is associated with the Russian Military General Staff Intelligence Directorate (GRU) and operates separately from other known GRU-affiliated groups.
Although the group’s activity is relatively low compared to other threat actors, its destructive campaigns primarily target government agencies and IT providers in Ukraine, with occasional activity in Europe and Latin America.
From a technical perspective, Cadet Blizzard primarily exploited vulnerabilities in web servers, Confluence servers, Exchange servers, and open source platforms to gain initial access.
They then deployed web shells such as P0wnyshell and reGeorg to maintain access to compromised networks, and escalated privileges using harvested credentials.
“Many TTPs (Tactics, Techniques, Procedures) are shared among threat actors, nation-state and non-state,” comments Timothy Morris, Chief Security Advisor at Tanium.
“In general, the number one indicator of nation-state threat actors is the amount of resources available and the sophistication of how they use TTPs.”
Criminal groups and hacktivists may be financially or politically driven, with overlapping motives, security experts say.
“What this means is that the motives for attacks can be shared.”
Cadet Blizzard reportedly used harvested network credentials together with modules from the Impacket framework to perform lateral movement, while command and control (C2) was achieved via socket-based tunneling utilities and possibly Meterpreter.
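The two post-exploitation stages described above, web shell tunneling and Impacket-driven lateral movement, leave artifacts that defenders can hunt for in web server and process-creation logs. The following detection logic is an added example written for this page, not code from Microsoft's report or from the tools themselves. It relies on publicly documented tool behaviour: reGeorg drives its server-side tunnel script with a `cmd` query parameter (`connect`, `forward`, `read`, `disconnect`), Impacket's `wmiexec.py` redirects command output to `\\127.0.0.1\ADMIN$\__<timestamp>` from a `WmiPrvSE.exe` parent, and `smbexec.py` stages a batch file through a service that writes to `\\127.0.0.1\C$\__output`. The log lines, host names and addresses are constructed for the example; `parse_iis`, `detect_tunnel` and `detect_impacket` are names chosen here.

```python
import re
from collections import defaultdict

# Constructed sample IIS W3C-style log lines (not from the Microsoft report).
# Fields: date time cs-method cs-uri-stem cs-uri-query sc-status c-ip
IIS_LOG = """\
2023-06-14 10:01:02 GET /owa/auth/logon.aspx - 200 203.0.113.5
2023-06-14 10:01:09 GET /aspnet_client/tunnel.aspx - 200 203.0.113.5
2023-06-14 10:01:10 POST /aspnet_client/tunnel.aspx cmd=connect&target=10.0.0.12&port=445 200 203.0.113.5
2023-06-14 10:01:11 POST /aspnet_client/tunnel.aspx cmd=forward 200 203.0.113.5
2023-06-14 10:01:11 POST /aspnet_client/tunnel.aspx cmd=read 200 203.0.113.5
2023-06-14 10:02:30 POST /ecp/default.flt - 200 198.51.100.7
"""

# Constructed process-creation records (Windows 4688 / Sysmon event 1 style), one per line:
# host|parent_image|command_line
PROC_LOG = r"""
SRV01|C:\Windows\System32\wbem\WmiPrvSE.exe|cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1686736102.42 2>&1
SRV01|C:\Windows\System32\services.exe|%COMSPEC% /Q /c echo dir ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat
SRV02|C:\Windows\explorer.exe|notepad.exe C:\Users\alice\notes.txt
"""

# reGeorg's client steers the server-side tunnel script with a "cmd" query parameter.
TUNNEL_CMD = re.compile(r"(?:^|&)cmd=(connect|forward|read|disconnect)(?:&|$)")
# Impacket wmiexec.py: output redirected to \\127.0.0.1\ADMIN$\__<timestamp>, parent WmiPrvSE.exe.
WMIEXEC = re.compile(r"cmd\.exe /Q /c .*1> \\\\127\.0\.0\.1\\ADMIN\$\\__", re.IGNORECASE)
# Impacket smbexec.py: service-launched batch file writing to \\127.0.0.1\C$\__output.
SMBEXEC = re.compile(r"\\\\127\.0\.0\.1\\C\$\\__output.*execute\.bat", re.IGNORECASE)


def parse_iis(text):
    """Parse the constructed W3C-style lines into dicts; skip malformed lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        date, time, method, stem, query, status, ip = parts
        entries.append({"ts": f"{date} {time}", "method": method, "stem": stem,
                        "query": "" if query == "-" else query,
                        "status": int(status), "ip": ip})
    return entries


def detect_tunnel(entries):
    """Flag (client, script) pairs that POST a reGeorg-style 'connect' and then
    at least one 'forward' or 'read' to the same script: a tunnel being used,
    not just a scanner probing for one."""
    seen = defaultdict(list)
    for e in entries:
        m = TUNNEL_CMD.search(e["query"])
        if m and e["method"] == "POST":
            seen[(e["ip"], e["stem"])].append(m.group(1))
    alerts = []
    for (ip, stem), cmds in seen.items():
        if "connect" in cmds and any(c in ("forward", "read") for c in cmds):
            alerts.append({"client": ip, "script": stem, "commands": cmds})
    return alerts


def detect_impacket(text):
    """Return (host, rule) tuples for command lines matching Impacket remnants.
    The parent-process check cuts false positives from admins using similar
    redirection by hand."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, parent, cmdline = line.split("|", 2)
        parent_name = parent.rsplit("\\", 1)[-1].lower()
        if WMIEXEC.search(cmdline) and parent_name == "wmiprvse.exe":
            alerts.append((host, "impacket-wmiexec"))
        elif SMBEXEC.search(cmdline) and parent_name == "services.exe":
            alerts.append((host, "impacket-smbexec"))
    return alerts


if __name__ == "__main__":
    for a in detect_tunnel(parse_iis(IIS_LOG)):
        print("web shell tunnel:", a)
    for host, rule in detect_impacket(PROC_LOG):
        print("lateral movement:", host, rule)
```

Both checks are deliberately narrow: renaming the tunnel script or patching Impacket's output path defeats them, so in production they belong alongside broader signals such as a web server worker process spawning `cmd.exe`, or SMB logons from a host that has no business administering the target.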
To maintain operational security, Cadet Blizzard used anonymization services such as IVPN, SurfShark, and Tor. The group also employed anti-forensic techniques, and beyond data exfiltration its operations included deploying destructive malware, hack-and-leak activity run through Tor sites and Telegram channels, and information manipulation.
“Activities associated with Cadet Blizzard demonstrate the holistic nature of its approach and demonstrate its ability to expose networks to the risk of continued compromise over time,” Microsoft wrote.
As a result, the company suggests that a thorough incident response effort may be required to effectively respond to and recover from Cadet Blizzard activity.
“By focusing on risk areas based on the attacker modus operandi listed in this report, organizations can improve the security of their information assets and speed up incident response.”