
Microsoft on Wednesday took the wraps off a “novel and distinct Russian threat actor,” which it said has ties to the General Staff Main Intelligence Directorate (GRU) and a “relatively low success rate.”
The tech giant’s threat intelligence team, which previously tracked the group under the emerging moniker DEV-0586, has since graduated it to a named actor dubbed Cadet Blizzard.
“Cadet Blizzard seeks to disrupt and gather information using every means available, sometimes in haphazard ways,” the company said.
“The group poses a high risk of destructive activity, but appears to operate at a lower level of operational security than older, more advanced Russian groups such as Seashell Blizzard and Forest Blizzard.”

Cadet Blizzard first came to light in January 2022 in connection with destructive cyber activity targeting Ukraine using a new wiper malware called WhisperGate (aka PAYWIPE) in the weeks leading up to Russia’s military invasion.
According to Microsoft, this state-sponsored attacker has a track record of orchestrating destructive attacks, espionage, and intelligence operations against organizations based in Ukraine, Europe, Central Asia, and, periodically, Latin America.
Cadet Blizzard is suspected to have been active in some form since at least 2020, primarily focusing on government agencies, law enforcement, non-profit and non-governmental organizations, IT service providers, and emergency services.
“Cadet Blizzard is active 24 hours a day, 7 days a week, and operates outside the business hours of its primary targets, when its activity is less likely to be detected,” Microsoft’s Tom Burt said. “In addition to Ukraine, it also focuses on NATO member states involved in military aid to Ukraine.”

Cadet Blizzard also overlaps with groups monitored by the broader cybersecurity community under the names Ember Bear (CrowdStrike), FROZENVISTA (Google TAG), Nodaria (Symantec), TA471 (Proofpoint), UAC-0056 (CERT-UA), and UNC2589 (Google Mandiant).
Besides WhisperGate, the hacking team is known to wield a host of other tools, including SaintBot, OutSteel, GraphSteel, GrimPlant, and most recently Graphiron. Microsoft has attributed SaintBot and OutSteel to a related activity cluster labeled Storm-0587.
“Cadet Blizzard is also involved in multiple activities, including the defacement of several Ukrainian organizations’ websites and a hack-and-leak forum known as ‘Free Civilian.’” Microsoft added.
Other notable tradecraft includes the use of living-off-the-land (LotL) techniques to achieve lateral movement after gaining initial access, gather credentials and other information, and deploy tools that facilitate defense evasion and persistence.
Cyber attacks are carried out by exploiting known flaws in public-facing web servers (such as Atlassian Confluence and Microsoft Exchange Server) and content management systems.
“As the war continues, Cadet Blizzard’s activities increase the risk of successful attacks against the broader European community, particularly governments and IT service providers, which could provide tactical- and strategic-level insight into Western operations and policy around the conflict,” Microsoft said.