Cadet Blizzard Recognized as the Culprit of Russian Data Wiper Malware
Category: Threat Actor Activity | Industries: Consulting, Emergency Response, Government, Law Enforcement, Technology | Source: Microsoft
Microsoft has designated the Russian threat group previously tracked as DEV-0586 as 'Cadet Blizzard'; the group is responsible for a series of destructive and disruptive cyber operations against Ukraine. "Cadet Blizzard seeks to conduct disruption, destruction, and information collection, using whatever means are available and sometimes acting in a haphazard fashion," said Microsoft. Their most prominent activity is tied to the development and deployment of the WhisperGate data wiper in January 2022; however, the roots of their activities date back to as early as 2020. The threat group is also responsible for several defacement attacks against Ukrainian websites and for hack-and-leak operations, which are publicized on the 'Free Civilian' Telegram channel. Cadet Blizzard has targeted multiple industry verticals, including entities in consulting, emergency services, government, law enforcement, and technology. The threat group maintains a consistent focus on regions such as Ukraine, Europe, Central Asia, and Latin America, although its operational targets may shift depending on the objectives set by the Russian military.
"Cadet Blizzard actors are active seven days of the week and have conducted their operations during their primary European targets' off-business hours. Microsoft assesses NATO member states involved in providing military aid to Ukraine are at greater risk." Cadet Blizzard operators have favored compromised credentials to gain access to exposed servers, then used web shells, tunneling tools, and "living off the land" techniques to maintain a low profile on target networks. In January and June 2022, seemingly at the height of the Russia-Ukraine conflict, Cadet Blizzard's activity peaked, followed by a noticeable decrease in the months after. It wasn't until January 2023 that Microsoft observed the group resurfacing with the defacement attacks. While Cadet Blizzard is involved in destructive cyber operations, Microsoft notes the group's success rate isn't at the level of Russia's other GRU-affiliated threat groups such as APT28 (Strontium, Fancy Bear), APT29 (Cozy Bear), Gamaredon Group (Shuckworm) and Sandworm (Iridium).
Anvilogic Scenario:
- Credential Access Leads to Impacket/System Tampering
Anvilogic Use Cases:
- Common LSASS Memory Dump Behavior
- Impacket PSexec
- Clear Windows Event Logs
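As an added illustration (not Anvilogic's or Microsoft's own detection content), the following Python sketch classifies Windows event records against the three use cases above: Sysmon Event ID 10 access to lsass.exe with credential-dumping access masks, Event ID 7045 service installs matching the default Impacket service-installer naming (an assumption based on the tool's defaults, which operators can change), and the Security 1102 / System 104 log-cleared events. The sample events are constructed, not real telemetry.

```python
import re
from typing import Optional

# Sysmon Event ID 10 (ProcessAccess) GrantedAccess masks commonly seen when
# credential-dumping tools open lsass.exe (well-known values; tune to your fleet).
LSASS_ACCESS_MASKS = {0x1010, 0x1410, 0x1438, 0x143A, 0x1FFFFF}

# Assumption: default Impacket service installer uses a 4-letter service name and
# an 8-letter .exe dropped directly under %systemroot% via ADMIN$. Treat as one
# signal among several, since the names are trivially changed.
IMPACKET_SVC_NAME = re.compile(r"^[A-Za-z]{4}$")
IMPACKET_IMAGE_PATH = re.compile(r"^%systemroot%\\[A-Za-z]{8}\.exe$", re.I)

def classify(ev: dict) -> Optional[str]:
    """Map one event record to a use-case name, or None if it matches nothing."""
    src, eid = ev.get("Channel"), ev.get("EventID")
    if src == "Sysmon" and eid == 10:
        if ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
            mask = int(ev.get("GrantedAccess", "0x0"), 16)
            if mask in LSASS_ACCESS_MASKS:
                return "Common LSASS Memory Dump Behavior"
    elif src == "System" and eid == 7045:
        if (IMPACKET_SVC_NAME.match(ev.get("ServiceName", ""))
                and IMPACKET_IMAGE_PATH.match(ev.get("ImagePath", ""))):
            return "Impacket PSexec"
    elif (src, eid) in {("Security", 1102), ("System", 104)}:
        return "Clear Windows Event Logs"
    return None

def run(events):
    """Return (record number, use case) for every event that triggers a detection."""
    return [(e["Record"], hit) for e in events if (hit := classify(e))]

# Constructed sample events (not real telemetry); records 2 and 4 are benign noise.
SAMPLE_EVENTS = [
    {"Record": 1, "Channel": "Sysmon", "EventID": 10, "SourceImage": "C:\\Windows\\System32\\taskmgr.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"Record": 2, "Channel": "Sysmon", "EventID": 10, "SourceImage": "C:\\Windows\\System32\\svchost.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"},
    {"Record": 3, "Channel": "System", "EventID": 7045, "ServiceName": "kQyT",
     "ImagePath": "%systemroot%\\fHtUwNcZ.exe"},
    {"Record": 4, "Channel": "System", "EventID": 7045, "ServiceName": "Sense",
     "ImagePath": "\"C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe\""},
    {"Record": 5, "Channel": "Security", "EventID": 1102, "SubjectUserName": "admin"},
    {"Record": 6, "Channel": "System", "EventID": 104, "SubjectUserName": "admin"},
]

if __name__ == "__main__":
    for rec, hit in run(SAMPLE_EVENTS):
        print(f"record {rec}: {hit}")
```

In production these signals should be correlated (for example, an LSASS access followed by a service install from the same host) rather than alerted on individually, which is what the scenario above expresses.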