Connect with us

Hi, what are you looking for?



Microsoft Outs New Russian APT Linked to Wiper Attacks in Ukraine

Microsoft is publicly exposing a Russian hacking group that worked on destructive wiper malware attacks that hit organizations in Ukraine.

Russian Cyberattacks

Security researchers at Microsoft are publicly outing a new APT group linked to Russia’s General Staff Main Intelligence Directorate (GRU), warning that the threat actor has worked on destructive wiper malware attacks that hit organizations in Ukraine.

A new report from Redmond’s threat intelligence team tagged the group as ‘Cadet Blizzard’ and documented signs and evidence that adds clarity to the scope and usage of malware in a wartime environment.

“[The] emergence of a novel GRU affiliated actor, particularly one which has conducted destructive cyber operations likely supporting broader military objectives in Ukraine, is a notable development in the Russian cyber threat landscape,” Microsoft said, noting that Cadet Blizzard produced the infamous WhisperGate wiper malware that wiped the Master Boot Record (MBR) of computers in Ukraine.

Microsoft is also, for the first time, linking the Russian APT group to defacements on multiple Ukrainian organization websites and the hack-and-leak Telegram channel known as “Free Civilian”.

The company said its threat intel team has been tracking the group since the release of the WhisperGate wiper in January 2022 and believes it was operational in some capacity since 2020.

“Operationally consistent with the remit and assessed objectives of GRU-led operations throughout Russia’s invasion of Ukraine, Cadet Blizzard has engaged in focused destructive attacks, espionage, and information operations in regionally significant areas,” Microsoft said.

Primary targeted sectors include government organizations and information technology providers in Ukraine and even organizations in Europe and Latin America.

Advertisement. Scroll to continue reading.

The researchers found that the actor compromises and maintains a foothold on affected networks for months, often exfiltrating data prior to disruptive actions.  

Microsoft described some of Cadet Blizzard’s work as “haphazard” and said it discovered evidence that at least one Russian private sector organization has materially supported the hackers by providing operational support during the WhisperGate destructive attack.

“Cadet Blizzard has repeatedly targeted information technology providers and software developers that provide services to government organizations using a supply chain “compromise one, compromise many” technique,” Microsoft noted.

Related: Microsoft Blames Russian APT for Outlook Zero-Day Exploits

Related: Symantec, Microsoft Share Notes on Russian Hacks Hitting Ukraine

Related: Microsoft Announces Disruption of Russian Espionage APT

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


On the first anniversary of Russia’s invasion of Ukraine, cybersecurity companies summarize the cyber operations they have seen and their impact.


Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.


Ask any three people to define cyberwar and you will get three different answers. But as global geopolitics worsen and aggressive cyberattacks increase, this...


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...