Microsoft has linked a threat group that it has tracked as Cadet Blizzard since April 2023 to the Russian Main Directorate of the General Staff of the Armed Forces (also known as the GRU).
The company previously connected this new GRU hacking group with the destructive WhisperGate data erasure attacks in Ukraine, which began on January 13, 2022, more than a month before the Russian invasion of Ukraine in February 2022.
Cadet Blizzard was also behind the defacement of Ukrainian websites in early 2022 and several hack and leak operations that were promoted on a low-traffic Telegram channel known as “Free Civilian”.
The group reportedly began operations in 2020, primarily targeting government departments, law enforcement, non-profit/non-governmental organizations, IT/consulting service providers, and emergency services in Ukraine.
“Microsoft believes Cadet Blizzard’s operations are associated with the Russian General Staff’s Main Intelligence Directorate (GRU), but are separate from other known and more established groups affiliated with the GRU, such as Forest Blizzard (STRONTIUM) and Seashell Blizzard (IRIDIUM),” Microsoft said.
“A month before Russia invaded Ukraine, Cadet Blizzard foreshadowed future destructive activity when it created and deployed WhisperGate, a destructive capability that erases Master Boot Records (MBRs) against Ukrainian government organizations.”
Microsoft claims Cadet Blizzard’s attacks have a relatively lower success rate than those of other GRU-affiliated hacking groups like APT28 (Strontium, Fancy Bear) and Sandworm (Iridium).
While Cadet Blizzard fell off the radar after June 2022, the group resurfaced in early 2023, with its more recent cyber operations seeing occasional success. However, they still failed to match the impact of attacks from their GRU counterparts.
Following the 2022 breaches and data erasure attacks, and starting in February 2023, the GRU hacking group has been behind a barrage of attacks targeting Ukrainian government organizations and IT vendors.
For example, Redmond has linked the group to at least one incident in a series of breaches reported by the Computer Emergency Response Team of Ukraine (CERT-UA) in February, saying it had found evidence of backdoors planted by Russian state hackers on several government websites, with the series of breaches dating back to December 2021.
CERT-UA linked the attacks to Ember Bear, a group it says has been active since at least March 2021, with attacks targeting Ukrainian organizations with information stealers, backdoors, and data erasers disguised as ransomware, mostly delivered via phishing emails.
“Cadet Blizzard is active seven days a week and has conducted operations during off-peak hours at its primary targets, when its activity is less likely to be detected,” said Tom Burt, Microsoft vice president of security and customer trust.
“In addition to Ukraine, it also focuses on NATO member states involved in providing military assistance to Ukraine.”