Security researchers at Microsoft are publicly outing a new APT group linked to Russia’s General Staff Main Intelligence Directorate (GRU), warning that the threat actor has worked on destructive wiper malware attacks that hit organizations in Ukraine.
A new report from Redmond’s threat intelligence team tagged the group as ‘Cadet Blizzard’ and documented signs and evidence that adds clarity to the scope and usage of malware in a wartime environment.
“[The] emergence of a novel GRU affiliated actor, particularly one which has conducted destructive cyber operations likely supporting broader military objectives in Ukraine, is a notable development in the Russian cyber threat landscape,” Microsoft said, noting that Cadet Blizzard produced the infamous WhisperGate wiper malware that wiped the Master Boot Record (MBR) of computers in Ukraine.
Microsoft is also, for the first time, linking the Russian APT group to defacements on multiple Ukrainian organization websites and the hack-and-leak Telegram channel known as “Free Civilian”.
The company said its threat intel team has been tracking the group since the release of the WhisperGate wiper in January 2022 and believes it was operational in some capacity since 2020.
“Operationally consistent with the remit and assessed objectives of GRU-led operations throughout Russia’s invasion of Ukraine, Cadet Blizzard has engaged in focused destructive attacks, espionage, and information operations in regionally significant areas,” Microsoft said.
Primary targeted sectors include government organizations and information technology providers in Ukraine and even organizations in Europe and Latin America.
The researchers found that the actor compromises and maintains a foothold on affected networks for months, often exfiltrating data prior to disruptive actions.
Microsoft described some of Cadet Blizzard’s work as “haphazard” and said it discovered evidence that at least one Russian private sector organization has materially supported the hackers by providing operational support during the WhisperGate destructive attack.
“Cadet Blizzard has repeatedly targeted information technology providers and software developers that provide services to government organizations using a supply chain “compromise one, compromise many” technique,” Microsoft noted.
Related: Microsoft Blames Russian APT for Outlook Zero-Day Exploits
Related: Symantec, Microsoft Share Notes on Russian Hacks Hitting Ukraine
Related: Microsoft Announces Disruption of Russian Espionage APT
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
More from Ryan Naraine
- Bankrupt IronNet Shuts Down Operations
- AWS Using MadPot Decoy System to Disrupt APTs, Botnets
- Progress Software Patches Critical Pre-Auth Flaws in WS_FTP Server Product
- Chinese Gov Hackers Caught Hiding in Cisco Router Firmware
- CISA Unveils New HBOM Framework to Track Hardware Components
- Gem Security Lands $23 Million Series A Funding
- New ‘Sandman’ APT Group Hitting Telcos With Rare LuaJIT Malware
- CrowdStrike to Acquire Application Intelligence Startup Bionic
Latest News
- Silverfort Open Sources Lateral Movement Detection Tool
- Bankrupt IronNet Shuts Down Operations
- AWS Using MadPot Decoy System to Disrupt APTs, Botnets
- Generative AI Startup Nexusflow Raises $10.6 Million
- In Other News: RSA Encryption Attack, Meta AI Privacy, ShinyHunters Hacker Guilty Plea
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- National Security Agency is Starting an Artificial Intelligence Security Center
- CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks
