Security news that informs and inspires

Microsoft Identifies Distinct Russian GRU Threat Actor


Researchers with Microsoft have detailed the threat actor behind the destructive WhisperGate malware - deployed in January 2022 attacks against several Ukrainian organizations - and identified the group as a distinct team linked to Russia’s GRU military intelligence service.

The group, called Cadet Blizzard (previously tracked by Microsoft as DEV-0586), is known for its operations that likely support broader military objectives in Ukraine. Of particular interest was the group’s deployment of WhisperGate a month before Russia invaded Ukraine, which was widely publicized both by the U.S. government and researchers alike. WhisperGate is disguised as ransomware but is actually designed to wipe the Master Boot Record (MBR) of infected computers and delete all their data.

Microsoft has also linked Cadet Blizzard to the series of known defacements of Ukrainian organizations' websites in January 2022 and a forum called “Free Civilian” where data exfiltrated from compromised Ukrainian organizations was leaked.

“Microsoft has tracked Cadet Blizzard since the deployment of WhisperGate in January 2022,” said Microsoft researchers in a Wednesday analysis. “We assess that they have been operational in some capacity since at least 2020 and continue to perform network operations through the present. Operationally consistent with the remit and assessed objectives of GRU-led operations throughout Russia’s invasion of Ukraine, Cadet Blizzard has engaged in focused destructive attacks, espionage, and information operations in regionally significant areas.”

Microsoft said that the emergence of a new threat actor that is affiliated with Russia’s General Staff Main Intelligence Directorate (GRU) is “a notable development in the Russian cyber threat landscape.” Previously, a limited number of threat groups have been affiliated with the GRU. These have included Strontium (also known as Fancy Bear, APT28 and Forest Blizzard) and Iridium (also known as Seashell Blizzard).

“Microsoft assesses that NATO member states involved in providing military aid to Ukraine are at greater risk.”

While Cadet Blizzard’s operations are less prolific than the operations of these more established threat actors, its attacks are significant in that they are structured around impact, disrupting network operations and exposing sensitive data, said Microsoft.

“Cadet Blizzard seeks to conduct disruption, destruction, and information collection, using whatever means are available and sometimes acting in a haphazard fashion,” said researchers. “While the group carries high risk due to their destructive activity, they appear to operate with a lower degree of operational security than that of longstanding and advanced Russian groups such as Seashell Blizzard and Forest Blizzard.”

While Microsoft observed Cadet Blizzard’s campaigns peak between January and June 2022, the group has compromised several Eastern European entities in the government and technology sectors as early as April 2021, and is believed to have started operations in 2020. Victims in Central Asia and Latin America, have also been targeted.

More recently, the group re-emerged in January 2023 with attacks, including website defacements, against several entities across Ukraine and in Europe. Microsoft also assessed that Cadet Blizzard was behind a February 2023 attempted attack against a Ukrainian state information system, reported by CERT-UA. Finally, the group this year has also established a new Telegram channel under the “Free Civilian” moniker previously used by its hack-and-leak forum. While the public channel has only 1.3K followers, signifying low user interaction, the new channel suggests that the group intends to continue launching information-related operations, said Microsoft researchers.

While stolen legitimate credentials were likely used for initial access to access the target networks in the January 2022 WhisperGate attacks, Microsoft said that Cadet Blizzard has a number of initial access tactics, typically exploiting web servers found on network perimeters and DMZs. The group has also exploited vulnerabilities like ones in Confluence (CVE-2021-26084) and Exchange (CVE-2022-41040 and ProxyShell).

“Cadet Blizzard actors are active seven days of the week and have conducted their operations during their primary European targets’ off-business hours,” said researchers. “Microsoft assesses that NATO member states involved in providing military aid to Ukraine are at greater risk.”