Trace Id is missing

Nation State Actor Cadet Blizzard

A close-up of a planet

Cadet Blizzard (DEV-0586) is a Russian GRU-sponsored threat group that Microsoft began tracking following disruptive and destructive events occurring at multiple government agencies in Ukraine in mid-January 2022. During this time, Russian troops backed with tanks and artillery were surrounding the Ukrainian border as the military prepared for an offensive attack. The defacements of key Ukrainian institutions’ websites, coupled with the WhisperGate malware, prefaced multiple waves of attacks by Seashell Blizzard (IRIDIUM) that followed when the Russian military began their ground offensive a month later. Primary targeted sectors include government organizations and information technology providers in Ukraine, although organizations in Europe and Latin America have also been targeted. We assess that Cadet Blizzard has been operational in some capacity since at least 2020 and continues to perform network operations through the present. Cadet Blizzard compromises and maintains a foothold on affected networks for months, often exfiltrating data prior to disruptive actions. Microsoft observed Cadet Blizzard’s activity peak between January and June 2022, followed by an extended period of reduced activity.

The group re-emerged in January 2023 with increased operations against multiple entities in Ukraine and in Europe, including another round of website defacements and a new “Free Civilian” Telegram channel affiliated with the hack-and-leak front under the same name that first emerged in January 2022, around the same time as the initial defacements. Cadet Blizzard actors are active seven days of the week and have conducted their operations during their primary European targets’ off-business hours. Microsoft assesses that NATO member states involved in providing military aid to Ukraine are at greater risk.

threat-actor-cadet-blizzard-chart-full

Cadet Blizzard seeks to conduct disruption, destruction, and information collection, using whatever means are available and sometimes acting in a haphazard fashion. While the group carries high risk due to their destructive activity, they appear to operate with a lower degree of operational security than that of longstanding and advanced Russian groups such as Seashell Blizzard and Forest Blizzard (STRONTIUM). Additionally, as is the case with other Russian state-sponsored threat groups, Microsoft assesses that at least one Russian private sector organization has materially supported Cadet Blizzard by providing operational support including during the WhisperGate destructive attack.

Microsoft has been working with CERT-UA closely since the beginning of Russia’s war in Ukraine and continues to support the country and neighboring states in protecting against cyberattacks, such as the ones carried out by Cadet Blizzard. As with any observed nation-state actor activity, Microsoft directly and proactively notifies customers that have been targeted or compromised, providing them with the information they need to guide their investigations. Review the hunting and mitigation guidelines included in this report to help identify and understand Cadet Blizzard activity.

Also known as:                                                                        Industries targeted:

 

DEV-0586                                                                                  Government

                                         

                                                                                                   Emergency Services

Country of origin:

                                                                                                   Information Technology

Russia

                                                                                                      

 

Countries targeted:

 

Ukraine

 

Europe

 

Central Asia

 

Latin America

Microsoft Threat Intelligence: Recent Cadet Blizzard Articles

Cadet Blizzard emerges as a novel and distinct Russian threat actor