Cadet Blizzard

Threat Actor updated 4 months ago (2024-06-27T17:17:36.836Z)

Download STIX

Preview STIX

Cadet Blizzard, a threat actor group associated with Russia's GRU military intelligence unit, has been identified by Microsoft as the perpetrator of destructive cyber attacks in Ukraine using wiper malware. The group has been active since at least 2020 and has recently gained some success, according to Microsoft researchers. Notably, Cadet Blizzard was attributed to the WhisperGate attacks in mid-2023, which were part of the cyber onslaught leading up to Russia's invasion of Ukraine. Furthermore, Cadet Blizzard is linked to defacements of Ukrainian organization websites and the hack-and-leak Telegram channel “Free Civilian.” The group has demonstrated a comprehensive approach to its activities, maintaining networks at risk of continued compromise for extended periods. Cadet Blizzard reportedly conducted lateral movement within compromised networks using obtained credentials and modules from the Impacket framework. Command and control (C2) was achieved via socket-based tunneling utilities and occasionally Meterpreter. The group has received support from at least one Russian private sector organization and has targeted government organizations and IT providers in Ukraine, Europe, and Latin America. From a technical standpoint, Cadet Blizzard predominantly achieved initial access by exploiting web servers and vulnerabilities in Confluence servers, Exchange servers, and open-source platforms. The group utilized various types of malware, including Clop and LEMURLOOT, and employed techniques such as SQL injection. The group also exploited several vulnerabilities, including CVE-2023-34362, CVE-2023-35036, CVE-2023-35708, CVE-2023-34363, and CVE-2023-34364. The primary targets of these attacks were systems running MOVEit Transfer software on Windows, with the US, UK, and Canada being the most affected countries.

Description last updated: 2024-06-27T17:15:56.094Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Aliases We are not currently tracking any aliases

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Blizzard

Microsoft

Apt

Confluence

Malware

Wiper

Ukraine

State Sponso...

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The WhisperGate Malware is associated with Cadet Blizzard. WhisperGate is a destructive malware that has been employed by threat actors since 2020, with its first known deployment against Ukrainian organizations occurring in January 2022. These actors have used the malware to damage computer systems and render them inoperable, targeting not only Ukraine but	Unspecified	4

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Seashell Blizzard Iridium Threat Actor is associated with Cadet Blizzard. Seashell Blizzard Iridium, also known as Sandworm, is a threat actor reportedly comprised of Russian military intelligence officers. This group has been identified as distinct from other Advanced Persistent Threat (APT) groups associated with the Russian military intelligence GRU, such as Forest Bli	Unspecified	2
The STRONTIUM Threat Actor is associated with Cadet Blizzard. Strontium, also known as APT28, Fancy Bear, Forest Blizzard, and several other names, is a threat actor linked to Russia's General Staff Main Intelligence Directorate (GRU). Active since at least 2007, the group has targeted governments, militaries, and security organizations worldwide. Strontium's	Unspecified	2
The Seashell Blizzard Threat Actor is associated with Cadet Blizzard. Seashell Blizzard, also known as Iridium, Sandworm, Voodoo Bear, and APT44, is a state-sponsored threat actor group affiliated with the Russian military intelligence service (GRU). Microsoft has identified this group as distinct from other Advanced Persistent Threat (APT) groups operating under the	Unspecified	2

Source Document References

Information about the Cadet Blizzard Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
BankInfoSecurity	4 months ago	Russian Indicted for Wiper Malware Campaign Against Ukraine
DARKReading	9 months ago	Ukraine Military Targeted With Russian APT PowerShell Attack
CERT-EU	a year ago	Advanced threat predictions for 2024 – GIXtools
Securelist	a year ago	Kaspersky Security Bulletin: APT predictions 2024
CERT-EU	a year ago	Cyber Attacks by Non-State Actors Continue Astride in Europe
InfoSecurity-magazine	a year ago	Microsoft Names Russian Threat Actor
DARKReading	a year ago	Russian APT 'Cadet Blizzard' Behind Ukraine Wiper Attacks
CERT-EU	a year ago	New Russia’s GRU-affiliated APT group linked to destructive wiper attacks on Ukraine
Securityaffairs	a year ago	Microsoft links Cadet Blizzard APT to Russia military intel GRU
CERT-EU	a year ago	Russia sent its reserve team to wipe Ukrainian hard drives
CERT-EU	a year ago	Cybersecurity hotlines at colleges could go a long way toward filling the skills gap
CERT-EU	a year ago	Anomali Cyber Watch: Cadet Blizzard - New GRU APT, ChamelDoH Hard-to-Detect Linux RAT, Stealthy DoubleFinger Targets Cryptocurrency
CERT-EU	a year ago	Cyber Security Today, Week in Review for the week ending Friday, June 16, 2023 \| IT World Canada News
CERT-EU	a year ago	Pro-Russian hackers remain active amid Ukraine counteroffensive