
Russian APT Group ‘Cadet Blizzard’ Identified as Perpetrators of Ukraine Wiper Attacks


A significant threat actor known as “Cadet Blizzard” has been identified as playing a crucial role in the lead-up to the Russian invasion of Ukraine. Microsoft recently released a blog post detailing the activity of this advanced persistent threat (APT), which was most active between January and June of the previous year. The actions of Cadet Blizzard contributed to the military invasion by conducting a campaign to deface Ukrainian government websites and deploying a destructive wiper known as “WhisperGate.”

According to Microsoft, Cadet Blizzard’s attacks preceded multiple waves of attacks by another Russian group called Seashell Blizzard, which coincided with the Russian military’s ground offensive. The tech giant also connected Cadet Blizzard with Russia’s military intelligence agency, the GRU.

While the identification of Cadet Blizzard is a step forward in combating Russian state-sponsored cyber operations, experts emphasize the need to focus on the behaviors and tactics employed by these threat actors. Timothy Morris, chief security advisor at Tanium, believes that understanding their tactics, techniques, and procedures (TTPs) is more crucial than solely identifying the perpetrators.

In terms of Cadet Blizzard's behaviors and TTPs, the group primarily gains access to targets through well-known vulnerabilities in Internet-facing servers running Microsoft Exchange and Atlassian Confluence. Once inside a compromised network, they move laterally using harvested credentials and escalate privileges. They establish persistence using web shells before either stealing sensitive organizational data or deploying destructive malware.
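The web-shell persistence step above is one a defender can look for in ordinary IIS W3C logs from an Exchange front end. The following is an added example (not Microsoft's detection logic and not from the original article): it parses the `#Fields:` header, then flags POST requests to `.aspx` pages that are either outside a small allowlist of endpoints OWA/ECP are expected to serve or inside directories that should hold only static files, and aggregates the hits per client so a repeatedly-hit page stands out. The allowlist, the static-directory list and the sample log lines are constructed for illustration.

```python
"""Flag possible web-shell activity in IIS W3C logs from an Exchange front end.

Heuristic: OWA/ECP serve a small, stable set of .aspx endpoints. A POST to an
.aspx page outside that set, or to a directory that should only hold static
content, deserves a closer look. Added example; allowlist and sample data are
constructed and not taken from any Microsoft guidance.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed allowlist: .aspx endpoints a legitimate OWA/ECP front end serves.
KNOWN_ASPX = {
    "/owa/auth/logon.aspx",
    "/owa/auth/logoff.aspx",
    "/owa/auth/errorfe.aspx",
    "/ecp/default.aspx",
}
# Constructed list of directories that should never receive POSTs to script files.
STATIC_DIRS = ("/aspnet_client/", "/owa/auth/current/themes/")


@dataclass(frozen=True)
class Hit:
    time: str
    client_ip: str
    method: str
    path: str
    status: str
    reason: str


def parse_iis(lines):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # header defines the column order
            continue
        if line.startswith("#") or fields is None:
            continue                        # other directives, or no header yet
        values = line.split()
        if len(values) != len(fields):
            continue                        # malformed line: skip rather than guess
        yield dict(zip(fields, values))


def suspicious(rec):
    """Return a reason string if the request matches a web-shell heuristic, else None."""
    path = rec["cs-uri-stem"].lower()
    if rec["cs-method"].upper() != "POST" or not path.endswith(".aspx"):
        return None
    if any(path.startswith(d) for d in STATIC_DIRS):
        return "POST to script in static directory"
    if path not in KNOWN_ASPX:
        return "POST to unknown .aspx endpoint"
    return None


def find_webshell_hits(lines):
    """Run the heuristic over raw log lines and collect the hits."""
    hits = []
    for rec in parse_iis(lines):
        reason = suspicious(rec)
        if reason:
            hits.append(Hit(rec["time"], rec["c-ip"], rec["cs-method"],
                            rec["cs-uri-stem"], rec["sc-status"], reason))
    return hits


def top_pairs(hits, n=3):
    """Most frequent (client, path) pairs; a shell is usually driven repeatedly from one source."""
    return Counter((h.client_ip, h.path) for h in hits).most_common(n)


# Constructed sample log; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2022-01-13 03:14:07 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0 200 120
2022-01-13 03:14:09 10.0.0.5 GET /owa/ - 443 alice@example.test 203.0.113.7 Mozilla/5.0 200 15
2022-01-13 03:20:41 10.0.0.5 POST /aspnet_client/system_web/helpx.aspx - 443 - 198.51.100.9 python-requests/2.25 200 42
2022-01-13 03:20:55 10.0.0.5 POST /aspnet_client/system_web/helpx.aspx - 443 - 198.51.100.9 python-requests/2.25 200 38
2022-01-13 03:21:10 10.0.0.5 POST /owa/auth/current/themes/resources/error.aspx - 443 - 198.51.100.9 python-requests/2.25 200 40
2022-01-13 03:25:00 10.0.0.5 POST /ecp/default.aspx - 443 bob@example.test 203.0.113.8 Mozilla/5.0 200 88
"""

if __name__ == "__main__":
    found = find_webshell_hits(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h.time} {h.client_ip} {h.method} {h.path} -> {h.status}: {h.reason}")
    print("most-hit (client, path):", top_pairs(found))
```

On the sample data the three POSTs from 198.51.100.9 are flagged while the logon and ECP POSTs pass; in practice the allowlist should be built from a known-good baseline of the same server, and a hit is a triage lead (check the file's creation time and contents on disk), not a verdict.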

Microsoft noted that Cadet Blizzard is not selective about its end goals, aiming for disruption, destruction, and information collection by any means available. However, unlike other GRU-affiliated actors such as Seashell Blizzard and Forest Blizzard, Cadet Blizzard has a relatively low success rate. For example, their WhisperGate wiper attack impacted significantly fewer systems compared to Seashell Blizzard's wiper attacks.

Moreover, Cadet Blizzard’s cyber operations have generally failed to achieve the same level of impact as their GRU counterparts. Microsoft also found that these hackers operate with lower operational security than more advanced Russian groups.

While Cadet Blizzard’s operations primarily focus on Ukraine, they are not limited to this region. The group has targeted organizations in Europe, Central Asia, and Latin America. They have attacked various entities, including government agencies, IT service providers, software supply chain manufacturers, NGOs, emergency services, and law enforcement.

Despite their less sophisticated approach, Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, warns that Cadet Blizzard is still a formidable APT. The group’s destructive goals make them a significant concern for organizations. DeGrippo recommends implementing proactive measures such as turning on cloud protections, reviewing authentication activity, and enabling multifactor authentication (MFA) to defend against them.
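Two of the measures DeGrippo recommends, reviewing authentication activity and enabling MFA, can be turned into a routine check. The following is an added example (not Microsoft's tooling and not from the original article) that works over a simplified, constructed sign-in record shape loosely modelled on cloud identity sign-in logs; the field names `user`, `ts`, `ip`, `country`, `success` and `mfa` are assumptions. It reports users who signed in successfully without satisfying MFA, successful sign-ins from a country not seen before for that user, and source addresses whose failed attempts span many distinct accounts, the shape a password-spray attempt leaves behind.

```python
"""Review simplified sign-in records for MFA gaps and anomalous access.

Added example; record fields are assumptions and the sample data is constructed.
"""
from collections import defaultdict


def review_signins(records, spray_threshold=5):
    """Return review findings from an iterable of sign-in dicts.

    Each record has: user, ts (ISO-8601 string, sortable), ip, country,
    success (bool), mfa (bool, True when MFA was satisfied).
    """
    baseline = defaultdict(set)            # user -> countries seen in earlier successes
    no_mfa_users = set()                   # users with a successful sign-in that skipped MFA
    new_country = []                       # (user, country, ip) for first-seen countries
    failed_users_by_ip = defaultdict(set)  # ip -> distinct accounts that failed from it

    for r in sorted(records, key=lambda r: r["ts"]):
        if not r["success"]:
            failed_users_by_ip[r["ip"]].add(r["user"])
            continue
        if not r["mfa"]:
            no_mfa_users.add(r["user"])
        known = baseline[r["user"]]
        # The first successful sign-in seeds the baseline; later successes from
        # an unseen country are flagged. A real review would seed from a longer
        # known-good history rather than the first record in the window.
        if known and r["country"] not in known:
            new_country.append((r["user"], r["country"], r["ip"]))
        known.add(r["country"])

    spray_ips = sorted(ip for ip, users in failed_users_by_ip.items()
                       if len(users) >= spray_threshold)
    return {
        "no_mfa_users": sorted(no_mfa_users),
        "new_country": new_country,
        "possible_spray_ips": spray_ips,
    }


def _rec(user, ts, ip, country, success, mfa):
    return {"user": user, "ts": ts, "ip": ip, "country": country,
            "success": success, "mfa": mfa}


# Constructed sample: documentation-range addresses, fictional users.
SAMPLE_SIGNINS = [
    _rec("alice", "2022-01-10T08:00:00", "203.0.113.7", "UA", True, True),
    _rec("bob",   "2022-01-11T09:00:00", "203.0.113.8", "UA", True, False),
    _rec("bob",   "2022-01-11T09:05:00", "203.0.113.8", "UA", False, False),
    _rec("alice", "2022-01-12T22:15:00", "198.51.100.9", "DE", True, False),
] + [
    # five distinct accounts failing from one address within minutes
    _rec(u, f"2022-01-12T22:0{i}:00", "198.51.100.9", "DE", False, False)
    for i, u in enumerate(["carol", "dave", "erin", "frank", "grace"])
]

if __name__ == "__main__":
    report = review_signins(SAMPLE_SIGNINS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Each finding maps to one of the recommended measures: `no_mfa_users` is the list to enforce MFA on first, `new_country` entries are the sign-ins to confirm with the user, and `possible_spray_ips` are candidates for blocking and for checking whether any of the attempted accounts later succeeded.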

In conclusion, the identification of Cadet Blizzard marks progress in the fight against Russian state-sponsored cyber operations. By understanding their behaviors and tactics, organizations can better protect themselves against this APT. While Cadet Blizzard may not have the same level of success as other Russian groups, their destructive capabilities should not be underestimated. It is crucial for organizations to prioritize strong authentication, patch management, and user training to mitigate the risk posed by these threat actors.
