Researchers attributed the operations of a Russia-linked APT group, known as Cadet Blizzard, to the Russian General Staff Main Intelligence Directorate (GRU). This distinction is important because Cadet Blizzard is considered distinct from other APT groups under the control of the Russian military intelligence GRU, such as Forest Blizzard (STRONTIUM) and Seashell Blizzard (IRIDIUM).
What sets Cadet Blizzard apart from other Russia-linked APT groups is the level of disruption caused by their operations. Microsoft highlights that Cadet Blizzard’s activities are highly disruptive in nature. They engage in operations that involve significant damage and disruption, including wiping attacks, which intentionally destroy or delete data on targeted systems.
The Microsoft Threat Intelligence Center (MSTIC) initially identified Cadet Blizzard as DEV-0586, a threat group engaging in destructive malware attacks against multiple organizations in Ukraine in January 2022. Notably, this activity occurred a month before the invasion of Ukraine, indicating that Cadet Blizzard was active prior to the escalation of the conflict.
Cadet Blizzard gained attention for their creation and deployment of the WhisperGate wiper, a type of malicious software designed to destroy or erase data on targeted systems. In addition to conducting destructive attacks, the group was also observed defacing the websites of several Ukrainian organizations, adding to the disruptive nature of their operations.
The analysts believe that Cadet Blizzard has been active since at least 2020. Their primary targets have been government services, law enforcement agencies, non-profit and non-governmental organizations, IT service providers and consulting firms, as well as emergency services in Ukraine. This indicates a focus on critical sectors and entities involved in governance, security, and public services.
“Cadet Blizzard is a Russian GRU-sponsored threat group that Microsoft began tracking following disruptive and destructive events occurring at multiple government agencies in Ukraine in mid-January 2022.” they published.
Microsoft has reported a recent increase in the activity of the Cadet Blizzard APT group in January 2023. During this period, the group conducted multiple operations targeting entities in Ukraine as well as in Europe. Researchers have observed that the group maintains an active presence throughout the week, operating seven days a week. Notably, the group tends to carry out their operations during off-business hours of their primary European targets.
The researchers have raised concerns that Cadet Blizzard may potentially target NATO member states that are actively supporting the military operations of the Ukrainian government. This indicates a potential strategic interest in countries involved in supporting Ukraine’s defense and security efforts.
“In addition to Ukraine, it also focuses on NATO member states involved in providing military aid to Ukraine”, they conclude.