A threat actor that played a key role in the leadup to the Russian invasion of Ukraine was identified on June 14. Activity from the "Cadet Blizzard" advanced persistent threat (APT) peaked from January to June of last year, helping to pave the way for military invasion.
Microsoft detailed the activity in a blog post. Most notable among the APT's actions were a campaign to deface Ukrainian government websites, and a wiper known as "WhisperGate" that was designed to render computer systems completely inoperable.
These attacks "prefaced multiple waves of attacks by Seashell Blizzard" — another Russian group — "that followed when the Russian military began their ground offensive a month later," Microsoft explained.
Microsoft connected Cadet Blizzard with Russia's military intelligence agency, the GRU.
Identifying the APT is a step towards fighting Russian state-sponsored cybercrime, says Timothy Morris, chief security advisor at Tanium, "however, it is always more important to focus on the behaviors and tactics, techniques, and procedures (TTPs) and not solely upon who is doing the attacking."
Cadet Blizzard's Behaviors & TTPs
Generally, Cadet Blizzard gains initial access to targets through commonly known vulnerabilities in Internet-facing Web servers like Microsoft Exchange and Atlassian Confluence. After compromising a network, it moves laterally, harvesting credentials and escalating privileges, and using Web shells to establish persistence before stealing sensitive organizational data or deploying extirpative malware.
The group doesn't discriminate in its end goals, aiming for "disruption, destruction, and information collection, using whatever means are available and sometimes acting in a haphazard fashion," Microsoft explained.
But rather than being a jack of all trades, Cadet is more like a master of none. "What's perhaps most interesting about this actor," Microsoft wrote of the APT, "is its relatively low success rate compared with other GRU-affiliated actors like Seashell Blizzard [Iridium, Sandworm] and Forrest Blizzard (APT28, Fancy Bear, Sofacy, Strontium]."
For example, compared to wiper attacks attributed to Seashell Blizzard, Cadet's WhisperGate "affected an order of magnitude fewer systems and delivered comparatively modest impact, despite being trained to destroy the networks of their opponents in Ukraine," Microsoft explained. "The more recent Cadet Blizzard cyber operations, although occasionally successful, similarly failed to achieve the impact of those conducted by its GRU counterparts."
All this considered, it's no surprise that the hackers also "appear to operate with a lower degree of operational security than that of longstanding and advanced Russian groups," Microsoft found.
What to Expect From the Cadet Blizzard APT
Though centered on matters related to Ukraine, Cadet Blizzard operations aren't particularly focused.
Besides deploying its signature wiper and defacing government websites, the group also operates a hack-and-leak forum called "Free Civilian." Outside of Ukraine, it has attacked targets elsewhere in Europe, Central Asia, and even Latin America. And besides government agencies, it often targeted IT service providers and software supply chain manufacturers, as well as NGOs, emergency services, and law enforcement.
But while they may have a messier operation in certain ways, Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, warns that Cadet Blizzard is still a fearsome APT.
"Their goal is destruction, so organizations absolutely need to be equally worried about them, as they would other actors, and take proactive measures like turning on cloud protections, reviewing authentication activity and enabling multifactor authentication (MFA) to protect against them," she says.
For his part, Morris recommends that organizations "start with the basics: strong authentication — MFA,FIDO keys where necessary — implement principle of least privilege; patch, patch, patch; ensure your security controls and tools are present and working; and train users frequently."