Rewterz Threat Alert – Russian GRU-Linked APT Group Identified in Data Wiping Attacks – Active IOCs

Severity

High

Analysis Summary

Researchers attributed the operations of a Russia-linked APT group, known as Cadet Blizzard, to the Russian General Staff Main Intelligence Directorate (GRU). This distinction is important because Cadet Blizzard is considered distinct from other APT groups under the control of the Russian military intelligence GRU, such as Forest Blizzard (STRONTIUM) and Seashell Blizzard (IRIDIUM).

What sets Cadet Blizzard apart from other Russia-linked APT groups is the level of disruption caused by their operations. Microsoft highlights that Cadet Blizzard’s activities are highly disruptive in nature. They engage in operations that involve significant damage and disruption, including wiping attacks, which intentionally destroy or delete data on targeted systems.

The Microsoft Threat Intelligence Center (MSTIC) initially identified Cadet Blizzard as DEV-0586, a threat group engaging in destructive malware attacks against multiple organizations in Ukraine in January 2022. Notably, this activity occurred a month before the invasion of Ukraine, indicating that Cadet Blizzard was active prior to the escalation of the conflict.

Cadet Blizzard gained attention for their creation and deployment of the WhisperGate wiper, a type of malicious software designed to destroy or erase data on targeted systems. In addition to conducting destructive attacks, the group was also observed defacing the websites of several Ukrainian organizations, adding to the disruptive nature of their operations.

The analysts believe that Cadet Blizzard has been active since at least 2020. Their primary targets have been government services, law enforcement agencies, non-profit and non-governmental organizations, IT service providers and consulting firms, as well as emergency services in Ukraine. This indicates a focus on critical sectors and entities involved in governance, security, and public services.

“Cadet Blizzard is a Russian GRU-sponsored threat group that Microsoft began tracking following disruptive and destructive events occurring at multiple government agencies in Ukraine in mid-January 2022.” they published. 

Microsoft has reported a recent increase in the activity of the Cadet Blizzard APT group in January 2023. During this period, the group conducted multiple operations targeting entities in Ukraine as well as in Europe. Researchers have observed that the group maintains an active presence throughout the week, operating seven days a week. Notably, the group tends to carry out their operations during off-business hours of their primary European targets.

The researchers have raised concerns that Cadet Blizzard may potentially target NATO member states that are actively supporting the military operations of the Ukrainian government. This indicates a potential strategic interest in countries involved in supporting Ukraine’s defense and security efforts.

“In addition to Ukraine, it also focuses on NATO member states involved in providing military aid to Ukraine”, they conclude.

Impact

• Web Defacement
• Operational Disruption
• Privacy Breach
• Data Loss

Indicators of Compromise

Domain Name

justiceua.org

IP

179.43.187.33

MD5

• f2013115840359271c1f3e4661091efa
• b514694e7d3baf4e44778a637bd2e872
• eda02ae6dd7d0fe841653f5e6a69d17e
• 0741e5925cf4f36f58974aac8c528d2f
• 0dfb7f25df748957a15448214bac3128

SHA-256

• 3e4bb8089657fef9b8e84d9e17fd0d7740853c4c0487081dacc4f22359bade5c
• 20215acd064c02e5aa6ae3996b53f5313c3f13625a63da1d3795c992ea730191
• 3fe9214b33ead5c7d1f80af469593638b9e1e5f5730a7d3ba2f96b6b555514d4
• 23d6611a730bed886cc3b4ce6780a7b5439b01ddf6706ba120ed3ebeb3b1c478
• 7fedaf0dec060e40cbdf4ec6d0fbfc427593ad5503ad0abaf6b943405863c897

SHA-1

• 3d097196c8dd3bd7fd3d8401def15617a3a64d25
• 8ed315a7cc0e14d9c4f17dba03e736d80e4a77bc
• ddee7a47feb8b70faa4be4c6d112fcf52335ec3d
• a6dee974377212dc7a3f5069b4844dc48ce70275
• cd9c79f7769d1b100f06d1147fddaa9f485f8ef5

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Carefully examine remote access infrastructure authentication logs, particularly focusing on accounts with single-factor authentication. Confirm the legitimacy of activities and investigate any suspicious or anomalous behavior.
• Implement Multifactor Authentication (MFA): Enable MFA for all remote connectivity. This helps mitigate the risk of compromised credentials and ensures an additional layer of security. Consider using password-less solutions like Microsoft Authenticator to enhance account security.
• Activate CFA to safeguard against modification of Master Boot Record (MBR) and Volume Boot Record (VBR). This feature helps protect critical system files from unauthorized changes.
• Prevent lateral movement within the network by blocking process creations originating from PSExec and Windows Management Instrumentation (WMI) commands. This specifically targets the WMIexec component of Impacket, a toolkit often used by attackers.
• Microsoft also suggests activating cloud-delivered protection in Microsoft Defender Antivirus or an equivalent product. This feature, typically enabled by default in Windows, employs cloud-based machine learning to detect and block a wide range of new and unknown attacker tools and techniques.
• By following these mitigation measures, organizations can enhance the security of their information assets and expedite incident response to combat the operations of Cadet Blizzard. It is important to stay vigilant, regularly update security measures, and leverage appropriate tools and technologies to address evolving threats.