Russian APT Cadet Blizzard Behind Ukraine Wiper Attacks

Published: 23/11/2024   Category: security




Microsoft says Cadet Blizzard wielded a custom wiper malware in the weeks leading up to Russia's invasion of Ukraine, and it remains capable of wanton destruction.



A threat actor that played a key role in the leadup to the Russian invasion of Ukraine was identified on June 14. Activity from the Cadet Blizzard advanced persistent threat (APT) peaked from January to June of last year, helping to pave the way for military invasion.

Microsoft detailed the activity in a blog post. Most notable among the APT's actions were a campaign to deface Ukrainian government websites, and a wiper known as WhisperGate that was designed to render computer systems completely inoperable.

These attacks prefaced multiple waves of attacks by Seashell Blizzard — another Russian group — that followed when the Russian military began their ground offensive a month later, Microsoft explained.
Microsoft connected Cadet Blizzard with Russia's military intelligence agency, the GRU.

"Identifying the APT is a step towards fighting Russian state-sponsored cybercrime," says Timothy Morris, chief security advisor at Tanium, "however, it is always more important to focus on the behaviors and tactics, techniques, and procedures (TTPs) and not solely upon who is doing the attacking."
Generally, Cadet Blizzard gains initial access to targets through commonly known vulnerabilities in Internet-facing Web servers like Microsoft Exchange and Atlassian Confluence. After compromising a network, it moves laterally, harvesting credentials and escalating privileges, and using Web shells to establish persistence before stealing sensitive organizational data or deploying extirpative malware.
"The group doesn't discriminate in its end goals, aiming for disruption, destruction, and information collection, using whatever means are available and sometimes acting in a haphazard fashion," Microsoft explained.
But rather than being a jack of all trades, Cadet is more like a master of none. "What's perhaps most interesting about this actor," Microsoft wrote of the APT, "is its relatively low success rate compared with other GRU-affiliated actors like Seashell Blizzard [Iridium, Sandworm] and Forest Blizzard (APT28, Fancy Bear, Sofacy, Strontium)."
For example, compared to wiper attacks attributed to Seashell Blizzard, Cadet's WhisperGate "affected an order of magnitude fewer systems and delivered comparatively modest impact, despite being trained to destroy the networks of their opponents in Ukraine," Microsoft explained. "The more recent Cadet Blizzard cyber operations, although occasionally successful, similarly failed to achieve the impact of those conducted by its GRU counterparts."

All this considered, it's no surprise that the hackers also "appear to operate with a lower degree of operational security than that of longstanding and advanced Russian groups," Microsoft found.

Though centered on matters related to Ukraine, Cadet Blizzard operations aren't particularly focused.
Besides deploying its signature wiper and defacing government websites, the group also operates a hack-and-leak forum called Free Civilian. Outside of Ukraine, it has attacked targets elsewhere in Europe, Central Asia, and even Latin America. And besides government agencies, it often targeted IT service providers and software supply chain manufacturers, as well as NGOs, emergency services, and law enforcement.
But while they may have a messier operation in certain ways, Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, warns that Cadet Blizzard is still a fearsome APT.

"Their goal is destruction, so organizations absolutely need to be equally worried about them, as they would other actors, and take proactive measures like turning on cloud protections, reviewing authentication activity and enabling multifactor authentication (MFA) to protect against them," she says.

For his part, Morris recommends that organizations start with the basics: strong authentication — MFA, FIDO keys where necessary — implement principle of least privilege; patch, patch, patch; ensure your security controls and tools are present and working; and train users frequently.
