Executive Summary

Cadet Blizzard, a newly identified Russian threat actor, was observed by researchers in January 2022 and is believed to be associated with the General Staff Main Intelligence Directorate (GRU). While their activities were initially observed during the targeting of Ukraine using the WhisperGate wiper malware, there are indications that the group has been operational since at least 2020.

Avertium’s security partner, Microsoft, has successfully tracked the threat actor and initially referred to the group as DEV-0586 before officially naming them Cadet Blizzard. Known for their disruptive and destructive attacks, Cadet Blizzard has a haphazard approach to their operations, using any available means to collect information, cause disruptions, and destroy data.

Despite its destructive capabilities, Cadet Blizzard exhibits weaker operational security than more established Russian groups such as Forest Blizzard and Seashell Blizzard. The group focuses on espionage, information operations, and destructive attacks, primarily against entities in Ukraine, Europe, Central Asia, and Latin America, as well as NATO member states providing military aid to Ukraine. Let’s examine Cadet Blizzard, their tactics and techniques, and how organizations can remain vigilant in protecting themselves against the threat actor.

 

tir snapshot

  • Microsoft assesses that Cadet Blizzard, a Russian threat actor in operation since at least 2020, is linked to the Russian GRU and operates independently of other GRU-affiliated groups.
  • Cadet Blizzard typically infiltrates and controls compromised networks for extended periods, frequently exfiltrating data before engaging in disruptive actions.
  • In January 2022, Cadet Blizzard employed a new wiper malware called WhisperGate (also known as PAYWIPE), which caused significant damage to Ukraine's systems and networks.
  • Cadet Blizzard conducts their operations during their targets' non-business hours, making their activity less likely to be detected.
  • To carry out offline credential harvesting, Cadet Blizzard employs Sysinternals tools like procdump to dump LSASS.
  • Cadet Blizzard's operations are not isolated. There are significant signs of their involvement with other malicious cyber activities that may have a wider reach or connections beyond Russia.
  • Russia's increased targeting highlights the spillover risk, emphasizing the importance for organizations and security professionals worldwide to strengthen their digital defenses.

 

 

Cadet Blizzard

Microsoft assesses that Cadet Blizzard, a Russian threat actor in operation since at least 2020, is linked to the Russian GRU and operates independently of other GRU-affiliated groups. The threat actor is connected to the defacement of numerous Ukrainian organizations' websites, along with multiple operations involving the hack-and-leak Telegram channel called "Free Civilian".

Cadet Blizzard primarily targets government organizations and IT providers in Ukraine, occasionally expanding its operations to Europe and Latin America. The group’s attacks have focused on IT service providers, emergency services, government organizations, law enforcement, and non-profit organizations. Although targets are primarily located in Ukraine, the group has also targeted NATO member states that provide military aid to Ukraine.

In January 2022, Cadet Blizzard emerged as a threat actor engaged in destructive cyber operations. They employed a new wiper malware called WhisperGate (also known as PAYWIPE), which caused significant damage to Ukraine’s systems and networks. These attacks occurred during the period leading up to Russia's military invasion of the country.

Avertium published a Threat Intelligence Report regarding WhisperGate and how it impacted the U.S. and Ukraine. WhisperGate is malware that was discovered in January 2022 and was designed to look like ransomware but lacked the ransom recovery mechanism. The malware had two stages and was noted to be similar to NotPetya but with more capabilities. WhisperGate impacted the Ukraine Foreign Ministry, the Ministry of Education and Science, and other state services in Ukraine.

 

 

tactics and techniques

Cadet Blizzard typically infiltrates and controls compromised networks for extended periods, frequently exfiltrating data before engaging in disruptive actions. Their most active period occurred from January to June 2022, followed by a period of decreased activity. However, the group reemerged in January 2023 with strengthened attacks on various targets in Ukraine and Europe, including a fresh wave of website defacements.

Notably, Cadet Blizzard conducts operations during its targets’ non-business hours, when activity is less likely to be noticed. The threat actor mainly gains initial access by exploiting vulnerabilities in internet-facing web servers, including Confluence servers (CVE-2021-26084) and Exchange servers (CVE-2022-41040 and the ProxyShell vulnerabilities).

Cadet Blizzard may also exploit common vulnerabilities in open-source platforms, including content management systems. Once inside, the group follows conventional network-operator tradecraft, frequently relying on "living-off-the-land" techniques to move through networks, gather passwords and sensitive data, and employ evasion and persistence mechanisms to maintain access after the initial breach.

Cadet Blizzard maintains persistence on targeted networks by employing common web shells for command and tunneling purposes. They use web shells such as P0wnyshell, reGeorg, PAS, and even custom versions found in publicly accessible exploit kits. In February 2023, CERT-UA detected an attack on a Ukrainian state information system. The attack involved a variant of the PAS web shell, which is believed to be exclusive to Cadet Blizzard operations during that time.

To carry out offline credential harvesting, the Russian threat actor uses Sysinternals tools like procdump to dump LSASS. They often rename procdump64 to different names, such as dump64.exe. Also, Cadet Blizzard extracts registry hives using native methods, specifically through reg save. Lateral movement is conducted with valid network credentials obtained via credential harvesting.

Cadet Blizzard has been observed querying the Win32_NTEventlogFile WMI class from PowerShell to export system and security event logs to a designated directory. These actions are believed to be part of their anti-forensics measures. The files targeted during the extraction are:

  • the System event log (.evtx)
  • the Security event log (.evtx)

During their operational phases, Cadet Blizzard frequently deletes the files they use for lateral movement. To disable Microsoft Defender Antivirus, the threat actor’s malware implants employ various methods, including:

  • Utilizing the NirSoft AdvancedRun utility to stop the WinDefend service, effectively disabling Microsoft Defender Antivirus.
  • Employing a batch file called "Disable Windows Defender.bat" to potentially disable Microsoft Defender Antivirus through registry modifications.

 

 

operations are not isolated

Cadet Blizzard's operations are not isolated. There are significant signs of their involvement with other malicious cyber activities that may have a wider reach or connections beyond Russia. At times they have used services linked to these ecosystems, such as Storm-0587. Storm-0587 is a cluster of activity, tracked since April 2021, that distributes weaponized documents in phishing campaigns; these documents carry downloaders and document stealers.

One notable tool used by Storm-0587 is SaintBot, a less common downloader that often appears in targeted phishing emails. SaintBot can be customized to deliver various types of payloads. In Ukraine, this malware variant often deploys a version of an AutoIT information stealer called OUTSTEEL. OUTSTEEL collects specific documents on the infected machine that the threat actors find valuable.

Cadet Blizzard has also received support from at least one private-sector organization within Russia that aids its activities, which implies that the group may have affiliations or collaborations with other entities in its operations.

 

 

defense

While Cadet Blizzard's primary focus appears to be on targeting Ukraine, their operations are not limited to this region. They have also launched attacks in various other parts of Europe, Central Asia, and even Latin America. Previously, Avertium reported that the cyber conflict between Russia and Ukraine would escalate in the near future.

Both Recorded Future and Google's TAG (Threat Analysis Group) warned that Russia had plans to intensify cyber attacks against Ukraine. Google's TAG team expressed high confidence that if the war shifts significantly in favor of Ukraine, Moscow will increase disruptive and destructive attacks throughout 2023. There are predictions that Russian hacktivist groups would support Russia's military advancements against Ukraine, potentially extending the cyber warfare into regions (including NATO countries) that Russia has not been able to infiltrate through physical means.

Similar to the Russian Advanced Persistent Threat (APT) group Winter Vivern, Cadet Blizzard is another Russian APT that has reappeared after a period of reduced activity - targeting government websites and exploiting well-known vulnerabilities. According to the acting deputy head of the Security Service of Ukraine's (SSU) Cybersecurity Department, Moscow was responsible for nearly 1,200 cyberattacks and significant cyber incidents in the first quarter of 2023. Based on this trend, it was estimated that Russia may carry out around 4,800 attacks this year, surpassing the number of cyberattacks attributed to Russian threat actors in 2022 by approximately 300. The increased targeting by Russia highlights the spillover risk, emphasizing the importance for organizations and security professionals worldwide to strengthen their digital defenses.

 

 

MITRE MAP

Cadet Blizzard MITRE Map

 

 

avertium recommendations

  • Because Cadet Blizzard exploits known vulnerabilities, organizations should prioritize patching commonly targeted systems such as Confluence servers, Exchange servers, and open-source platforms. Promptly apply the vendor fixes for CVE-2021-26084 (update Confluence to 6.13.23, 7.4.11, 7.11.6, 7.12.5, or newer), CVE-2022-41040, and the ProxyShell vulnerabilities. This proactive approach strengthens the security posture and reduces the chances of successful exploitation by threat actors like Cadet Blizzard.
  • Review all authentication activity related to remote access infrastructure. Pay close attention to accounts that are set up with single factor authentication. Confirm the legitimacy of these accounts and promptly investigate any unusual or suspicious activity that may arise.
    • This practice helps ensure that only authorized users are accessing the infrastructure and helps identify and address any potential security breaches or unauthorized access attempts.
  • Microsoft recommends enabling the Microsoft Defender attack surface reduction rule that blocks process creations originating from PsExec and WMI commands, to stop lateral movement using the wmiexec component of Impacket.
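The Confluence fix list above is a common source of patch-verification mistakes: the fixes are maintenance-branch releases, so a server on 7.5.0 is newer than 7.4.11 yet still vulnerable, because only 6.13.x, 7.4.x, 7.11.x and 7.12.x received backported fixes and everything before 7.12.5 on other branches must move to 7.12.5 or later. The following is an added example written for this report (not Atlassian's or Avertium's code) that encodes that branch-aware comparison for the versions listed in the recommendation; the version strings fed to it are assumed to be plain dotted numbers as reported by the Confluence admin console.

```python
from typing import Iterable, Tuple

# Fixed releases for CVE-2021-26084 as listed in the recommendation above.
CVE_2021_26084_FIXED = ("6.13.23", "7.4.11", "7.11.6", "7.12.5")


def parse_version(version: str) -> Tuple[int, ...]:
    """'7.4.11' -> (7, 4, 11); tolerates a trailing suffix such as '7.4.11-rc1'."""
    core = version.strip().split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_fixed(version: str, fixed_versions: Iterable[str] = CVE_2021_26084_FIXED) -> bool:
    """True if `version` is at or past a fix release that applies to its branch.

    Anything at or after the newest fix release counts as fixed (that covers all
    later branches); below that, a version is fixed only if it sits on one of
    the patched maintenance branches (same major.minor) at or above its fix.
    """
    v = parse_version(version)
    fixes = sorted(parse_version(f) for f in fixed_versions)
    if v >= fixes[-1]:
        return True
    return any(v[:2] == f[:2] and v >= f for f in fixes)


def triage(versions: Iterable[str]) -> dict:
    """Map each observed Confluence version to 'fixed' or 'vulnerable'."""
    return {ver: ("fixed" if is_fixed(ver) else "vulnerable") for ver in versions}


if __name__ == "__main__":
    # Constructed inventory of Confluence versions for demonstration only.
    for ver, status in triage(["6.13.23", "7.4.10", "7.4.11", "7.5.0", "7.11.6", "7.12.4", "7.13.0"]).items():
        print(f"{ver:>8}: {status}")
```

The same shape of check applies to any vendor that ships backported fixes on several branches; a naive "installed >= lowest fixed version" comparison would wrongly clear 7.5.0 here.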

 

 

INDICATORS OF COMPROMISE (IOCs)

SHA256

  • 3e4bb8089657fef9b8e84d9e17fd0d7740853c4c0487081dacc4f22359bade5c
  • 20215acd064c02e5aa6ae3996b53f5313c3f13625a63da1d3795c992ea730191
  • 3fe9214b33ead5c7d1f80af469593638b9e1e5f5730a7d3ba2f96b6b555514d4
  • 23d6611a730bed886cc3b4ce6780a7b5439b01ddf6706ba120ed3ebeb3b1c478
  • 7fedaf0dec060e40cbdf4ec6d0fbfc427593ad5503ad0abaf6b943405863c897

IPV4

  • 179[.]43[.]187[.]33

Domain

  • justiceua[.]org

MD5

  • 3a2a2de20daa74d8f6921230416ed4e6

Email

  • Volodimir[_]azov@justiceua[.]org

 

 

how avertium is protecting our customers

  • Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
  • Avertium aligns your Cybersecurity Strategy with your business strategy, ensuring that your investment in security is also an investment in your business. Our Cybersecurity Strategy service includes:
    • Strategic Security Assessments - Strengthening your security posture begins with knowing where your current program stands (NIST CSF, Security Architecture, Business Impact Analysis, Sensitive Data Inventory, Network Virtualization and Cloud Assessment).
    • Threat Mapping – Leverage Avertium’s Cyber Threat Intelligence, getting a more informed view of your most likely attack scenarios (Threat Assessment and MITRE ATT&CK).
    • Cyber Maturity Roadmap - Embrace a comprehensive, quantifiable, and well-organized approach to establishing and continuously enhancing your cybersecurity resilience (Policy + Procedure Development, Virtual CISO (VCISO), Training + Enablement, Tabletop Exercises, and Business Continuity + Disaster Recovery Plan).
  • Avertium offers Vulnerability Management (VM) to provide a deeper understanding and control over organizational information security risks. If your enterprise is facing challenges with the scope, resources, or skills required to implement a vulnerability management program with your team, outsourced solutions can help you bridge the gap.



SUPPORTING DOCUMENTATION

Cadet Blizzard emerges as a novel and distinct Russian threat actor | Microsoft Security Blog

Microsoft Names Russian Threat Actor "Cadet Blizzard" - Infosecurity Magazine (infosecurity-magazine.com)

Confluence Security Advisory - 2021-08-25 | Confluence Data Center and Server 8.4 | Atlassian Documentation

How WhisperGate Affects the U.S. and Ukraine (avertium.com)

CERT-UA

Microsoft Warns of New Russian State-Sponsored Hacker Group with Destructive Intent (thehackernews.com)

Cadet Blizzard emerges as a novel and distinct Russian threat actor - AlienVault - Open Threat Exchange

Cadet Blizzard (polyswarm.io)

Targeted Phishing Attack against Ukraine Government Expands to Georgia (intezer.com)

Threat Advisory (hivepro.com)

Russian APT 'Cadet Blizzard' Behind Ukraine Wiper Attacks (darkreading.com)

APT Winter Vivern Resurfaces (avertium.com)

 

APPENDIX II: Disclaimer

This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.

Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.

 

COPYRIGHT: Copyright © Avertium, LLC and/or Avertium Tennessee, Inc. | All rights reserved.
