New hacking unit within Russian military intelligence identified by Microsoft

Cyber attacks hitting Ukrainian government agencies and IT vendors have been traced back to hackers associated with Russia’s military intelligence service, the GRU, Microsoft says.

Tom Burt, Microsoft's corporate vice president for customer security and trust, said in a blog post that a renewed wave of activity, which Microsoft has tracked since February 2023, can be attributed to a threat actor its researchers have dubbed Cadet Blizzard.

Microsoft also links the group to the destructive data-wiping attacks that hit Ukraine ahead of Russia's invasion in February 2022, when novel malware called WhisperGate was deployed against Ukrainian state institutions.

According to Microsoft, Cadet Blizzard typically breaches its targets by using stolen credentials to gain access to internet-facing servers on the perimeter of an organization's network. Once inside, it maintains access with web shells, widely available tools that can be obtained as off-the-shelf kits and customized.

It then uses "living off the land" techniques – that is, legitimate, built-in system tools rather than custom malware – to move laterally across its targets' networks, collecting more information or disrupting systems if it chooses. This lets the hackers blend into legitimate network and administrative activity, Microsoft said.

This particular threat actor is active seven days a week and prefers to conduct its operations outside business hours, which makes detection harder. In addition to Ukraine, Cadet Blizzard targets NATO member states that send military aid to Kyiv.
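The three paragraphs above describe a detectable pattern: commodity web shells on perimeter servers, lateral movement with built-in tools, and activity concentrated outside business hours. The following is an added example, not code from the article or from Microsoft, showing how a defender might turn that description into two simple detection passes. The access-log lines, the process-creation events, the business-hours window, the list of "living off the land" binaries and the client-count threshold are all constructed assumptions for illustration.

```python
"""Toy detection pass for the Cadet Blizzard tradecraft described above.

Two signals, run over constructed sample telemetry:
  1. web-shell-like requests in a web server access log: POSTs to a script
     file that only a handful of clients ever touch, sent with no Referer,
     mostly outside business hours;
  2. living-off-the-land from a web shell: a web worker process spawning a
     shell or a built-in admin tool.
"""
from collections import defaultdict
from datetime import datetime

BUSINESS_HOURS = range(8, 18)  # assumption: 08:00-17:59 local is "business hours"
SCRIPT_EXT = (".aspx", ".asp", ".php", ".jsp", ".ashx")
WEB_WORKERS = {"w3wp.exe", "httpd", "apache2", "nginx", "php-fpm"}
# Assumed list of built-in tools an attacker runs from a web shell.
LOLBINS = {"cmd.exe", "powershell.exe", "whoami.exe", "net.exe",
           "nltest.exe", "wmic.exe", "sh", "bash"}

# Constructed sample access log (not real data).
# Columns: timestamp, client IP, method, path, referer ("-" = none), status.
ACCESS_LOG = """\
2023-03-04T02:13:07 203.0.113.7 POST /images/uploader.aspx - 200
2023-03-04T02:13:41 203.0.113.7 POST /images/uploader.aspx - 200
2023-03-05T03:02:10 203.0.113.7 POST /images/uploader.aspx - 200
2023-03-06T10:15:22 198.51.100.4 GET /index.aspx - 200
2023-03-06T10:15:23 198.51.100.9 POST /login.aspx https://portal.example/index.aspx 302
2023-03-06T10:16:01 198.51.100.4 POST /login.aspx https://portal.example/index.aspx 302
2023-03-06T11:40:17 198.51.100.21 POST /login.aspx https://portal.example/index.aspx 200
"""

# Constructed sample process-creation events: (parent image, child image, command line).
# The csc.exe event is deliberate: ASP.NET legitimately compiles pages under
# w3wp.exe, so a rule must not fire on every child of the web worker.
PROC_EVENTS = [
    ("w3wp.exe", "cmd.exe", 'cmd.exe /c "whoami /all"'),
    ("w3wp.exe", "powershell.exe", "powershell -nop -c Get-ADComputer -Filter *"),
    ("explorer.exe", "powershell.exe", "powershell"),
    ("w3wp.exe", "csc.exe", "csc.exe /t:library /out:App_Web_x.dll"),
]


def parse_access_log(text):
    """Parse the constructed space-separated access log into dicts."""
    rows = []
    for line in text.splitlines():
        ts, ip, method, path, referer, status = line.split()
        rows.append({
            "ts": datetime.fromisoformat(ts),
            "ip": ip,
            "method": method,
            "path": path,
            "referer": None if referer == "-" else referer,
            "status": int(status),
        })
    return rows


def find_webshell_candidates(rows, max_clients=2):
    """Flag script paths that look like a web shell rather than an app endpoint.

    Conditions (all must hold): script extension, at least one POST, touched
    by at most `max_clients` distinct IPs, every POST lacks a Referer, and at
    least half of the POSTs fall outside BUSINESS_HOURS.
    """
    by_path = defaultdict(list)
    for r in rows:
        by_path[r["path"]].append(r)

    findings = []
    for path, reqs in by_path.items():
        if not path.lower().endswith(SCRIPT_EXT):
            continue
        posts = [r for r in reqs if r["method"] == "POST"]
        if not posts:
            continue
        clients = {r["ip"] for r in reqs}
        no_referer = all(r["referer"] is None for r in posts)
        off_hours = sum(r["ts"].hour not in BUSINESS_HOURS for r in posts)
        if len(clients) <= max_clients and no_referer and 2 * off_hours >= len(posts):
            findings.append({"path": path, "clients": sorted(clients), "posts": len(posts)})
    return findings


def find_lol_from_webshell(events):
    """Flag a web worker process spawning a shell or admin tool."""
    hits = []
    for parent, child, cmdline in events:
        if parent.lower() in WEB_WORKERS and child.lower() in LOLBINS:
            hits.append({"parent": parent, "child": child, "cmdline": cmdline})
    return hits


if __name__ == "__main__":
    for f in find_webshell_candidates(parse_access_log(ACCESS_LOG)):
        print("web shell candidate:", f)
    for h in find_lol_from_webshell(PROC_EVENTS):
        print("LOLBin from web worker:", h)
```

On the constructed data, `/images/uploader.aspx` is flagged (one client, no Referer, all POSTs at 02:00–03:00) while `/login.aspx` is not (several clients, Referer present, business hours), and only the `cmd.exe` and `powershell.exe` children of `w3wp.exe` are reported. In production the same logic would run over IIS or Apache logs and EDR process telemetry, with the business-hours window and the client threshold tuned per environment.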

Cadet Blizzard is thought to be a distinct group within the GRU. Microsoft says that it’s responsible for website defacements, destructive attacks, cyber espionage, and hack-and-leak operations.

Cadet Blizzard’s normal operational lifecycle. Courtesy of Microsoft.

However, Microsoft adds that the group's success rate, compared with other GRU-affiliated actors such as Seashell Blizzard and Forest Blizzard, is relatively low.

Influence operations by the group, which are designed to send signals as publicly as possible, have also produced only modest results.

Although it managed to deface a series of Ukrainian websites in early 2022, the “Free Civilian” Telegram channel used by Cadet Blizzard to distribute information obtained from its activities only had 1,300 followers as of February 2023.

“While it has not been the most successful Russian actor, Cadet Blizzard has seen some recent success,” Burt said.

Microsoft has been supporting Ukraine's efforts to defend the country from Russian cyber attacks since the very beginning of the invasion. The company has recently overhauled its threat actor naming taxonomy, with hacking groups now named after weather events.

To illustrate, nation-state hacking groups are now named according to their country of origin, with Russian and Chinese attackers having the 'Blizzard' and 'Typhoon' monikers, respectively.

Those from Iran and North Korea are designated 'Sandstorm' and 'Sleet', respectively. For example, under the new naming scheme, Russian state-sponsored threat group Cozy Bear is now tracked as ‘Midnight Blizzard.’

More from Cybernews:

Netflix enters food service industry

Cl0p names first batch of alleged MOVEit victims

BreachForums is back – for real this time

Dozens of healthcare providers affected by Virginia debt collector breach

Cl0p, the MOVEit bug, and what to make of it all
