ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Report
Search
Home > List all groups > Cadet Blizzard

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Cadet Blizzard

NamesCadet Blizzard (Microsoft)
DEV-0586 (Microsoft)
Ruinous Ursa (Palo Alto)
CountryRussia Russia
SponsorState-sponsored, GRU
MotivationInformation theft and espionage, Sabotage and destruction
First seen2020
Description(Microsoft) Microsoft assesses that Cadet Blizzard operations are associated with the Russian General Staff Main Intelligence Directorate (GRU) but are separate from other known and more established GRU-affiliated groups such as Forest Blizzard (Sofacy, APT 28, Fancy Bear, Sednit) and Seashell Blizzard (Sandworm Team, Iron Viking, Voodoo Bear). While Microsoft constantly tracks a number of activity groups with varying degrees of Russian government affiliation, the emergence of a novel GRU affiliated actor, particularly one which has conducted destructive cyber operations likely supporting broader military objectives in Ukraine, is a notable development in the Russian cyber threat landscape. A month before Russia invaded Ukraine, Cadet Blizzard foreshadowed future destructive activity when it created and deployed WhisperGate, a destructive capability that wipes Master Boot Records (MBRs), against Ukrainian government organizations. Cadet Blizzard is also linked to the defacements of several Ukrainian organization websites, as well as multiple operations, including the hack-and-leak forum known as “Free Civilian”.

Microsoft has tracked Cadet Blizzard since the deployment of WhisperGate in January 2022. We assess that they have been operational in some capacity since at least 2020 and continue to perform network operations through the present. Operationally consistent with the remit and assessed objectives of GRU-led operations throughout Russia’s invasion of Ukraine, Cadet Blizzard has engaged in focused destructive attacks, espionage, and information operations in regionally significant areas. Cadet Blizzard’s operations, though comparatively less prolific in both scale and scope to more established threat actors such as Seashell Blizzard, are structured to deliver impact and frequently run the risk of hampering continuity of network operations and exposing sensitive information through targeted hack-and-leak operations. Primary targeted sectors include government organizations and information technology providers in Ukraine, although organizations in Europe and Latin America have also been targeted.
ObservedSectors: Government, IT, Law enforcement, NGOs.
Countries: Ukraine and Europe, Central Asia and Latin America.
Tools usedGO Simple Tunnel, Impacket, netcat, P0wnyshell, reGeorg, WhisperGate, Living off the Land.
Operations performedJan 2022Operation “Bleeding Bear”
Destructive malware targeting Ukrainian organizations
<https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/>
Counter operationsJun 2024Russian National Charged for Conspiring with Russian Military Intelligence to Destroy Ukrainian Government Computer Systems and Data
<https://www.justice.gov/opa/pr/russian-national-charged-conspiring-russia-military-intelligence-destroy-ukrainian>
Information<https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/>
Playbook<https://pan-unit42.github.io/playbook_viewer/?pb=ruinousursa>

Last change to this card: 26 August 2024

Download this actor card in PDF or JSON format

Previous: Cadelle
Next: Callisto Group

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]