Security researchers at Microsoft are publicly outing a new APT group linked to Russia’s General Staff Main Intelligence Directorate (GRU), warning that the threat actor has worked on destructive wiper malware attacks that hit organizations in Ukraine.
A new report from Redmond’s threat intelligence team names the group ‘Cadet Blizzard’ and documents evidence that adds clarity to the scope and use of destructive malware in a wartime environment.
“[The] emergence of a novel GRU affiliated actor, particularly one which has conducted destructive cyber operations likely supporting broader military objectives in Ukraine, is a notable development in the Russian cyber threat landscape,” Microsoft said, noting that Cadet Blizzard produced the infamous WhisperGate wiper malware that wiped the Master Boot Record (MBR) of computers in Ukraine.
Microsoft is also, for the first time, linking the Russian APT group to the defacement of multiple Ukrainian organizations’ websites and to the hack-and-leak Telegram channel known as “Free Civilian”.
The company said its threat intel team has been tracking the group since the release of the WhisperGate wiper in January 2022 and believes it was operational in some capacity since 2020.
“Operationally consistent with the remit and assessed objectives of GRU-led operations throughout Russia’s invasion of Ukraine, Cadet Blizzard has engaged in focused destructive attacks, espionage, and information operations in regionally significant areas,” Microsoft said.
Primary targets include government organizations and information technology providers in Ukraine, as well as organizations in Europe and Latin America.
The researchers found that the actor compromises and maintains a foothold on victim networks for months, often exfiltrating data before carrying out disruptive actions.
Microsoft described some of Cadet Blizzard’s work as “haphazard” and said it discovered evidence that at least one Russian private sector organization has materially supported the hackers by providing operational support during the WhisperGate destructive attack.
“Cadet Blizzard has repeatedly targeted information technology providers and software developers that provide services to government organizations using a supply chain ‘compromise one, compromise many’ technique,” Microsoft noted.