Seashell Blizzard Iridium

Threat Actor Profile Updated 2 months ago
Seashell Blizzard (Iridium), also known as Sandworm, is a threat actor reportedly composed of officers of Russia's military intelligence service, the GRU. Microsoft tracks it as distinct from the other GRU-affiliated Advanced Persistent Threat (APT) groups it has named, Forest Blizzard (also known as Strontium, APT28 and Fancy Bear) and Cadet Blizzard. Seashell Blizzard has conducted a series of disruptive cyber operations, often disguised as ransomware attacks, in support of broader military objectives, particularly in Ukraine.

At CYBERWARCON 2022, Microsoft highlighted the group's development of a novel "ransomware" strain, Prestige. The attack was designed to cause significant disruption while giving the sponsoring organization plausible deniability. It impacted organizations in Ukraine and Poland, further indicating the group's focus on this region.

Microsoft has also described a related but separate GRU actor, Cadet Blizzard, whose operations it assesses as having a relatively low success rate compared with the established GRU actors Seashell Blizzard and Forest Blizzard. Cadet Blizzard, not Seashell Blizzard, is the actor Microsoft has linked to the WhisperGate data-wiping attacks that began on January 13, 2022, more than a month before Russia invaded Ukraine, as well as to a series of defacements of Ukrainian organizations' websites and to the hack-and-leak front known as "Free Civilian". Despite the shared GRU affiliation, those Cadet Blizzard operations are separate from the activity of Forest Blizzard (Strontium) and Seashell Blizzard (Iridium).
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so the following overlapping names and profiles may also be relevant.
Sandworm (2 votes): Sandworm, a threat actor linked to Russia, is known for its malicious cyber activities. These actions have been characterized by significant breaches and disruptions, primarily targeting Ukrainian entities. This group has demonstrated advanced capabilities, including the use of fileless attacks as d
Miscellaneous Associations
Other elements of context that could help establish relevance:
Apt
State Sponso...
Wiper
Ransomware
Associated Malware
WhisperGate (type: Unspecified; 1 vote): WhisperGate is a type of malware, specifically a wiper, that was used extensively in cyberattacks against Ukrainian organizations throughout 2022. It was one of several malicious software tools deployed by Russian Advanced Persistent Threat (APT) actors, alongside others such as AwfulShred, CaddyWip
Associated Threat Actors
Cadet Blizzard (type: Unspecified; 2 votes): Cadet Blizzard, a threat actor group associated with Russia's GRU military intelligence unit, has been identified by Microsoft as the perpetrator of destructive cyber attacks in Ukraine using wiper malware. The group has been active since at least 2020 and has recently gained some success, according
Forest Blizzard (type: Unspecified; 1 vote): Forest Blizzard, also known as APT28, Fancy Bear, and Strontium, is a threat actor linked to the Russian General Staff Main Intelligence Directorate (GRU) and the 85th Main Special Service Center (GTsSS). The group has been involved in persistent espionage campaigns against European countries, which
APT28 (type: Unspecified; 1 vote): APT28, also known as Fancy Bear, is a threat actor believed to be linked to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). This group has been implicated in several high-profile cyber-espionage activities. Notably, they were behind a large-scale malwar
Seashell Blizzard (type: Unspecified; 1 vote): Seashell Blizzard, also known as Iridium, Sandworm, Voodoo Bear, and APT44, is a state-sponsored threat actor group affiliated with the Russian military intelligence service (GRU). Microsoft has identified this group as distinct from other Advanced Persistent Threat (APT) groups operating under the
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Seashell Blizzard Iridium threat actor was read from the documents listed below (source, age, title).
CERT-EU, 8 months ago: Microsoft shares threat intelligence at CYBERWARCON 2023 | Microsoft Security Blog
CERT-EU, a year ago: Russia sent its reserve team to wipe Ukrainian hard drives
DARKReading, a year ago: Russian APT 'Cadet Blizzard' Behind Ukraine Wiper Attacks
CERT-EU, a year ago: New Russia’s GRU-affiliated APT group linked to destructive wiper attacks on Ukraine
Securityaffairs, a year ago: Microsoft links Cadet Blizzard APT to Russia military intel GRU