Verticals Targeted: Government, Law Enforcement, Non-profits, Information Technology, Emergency Services
Key Takeaways
Who is Cadet Blizzard?
Targeting
Verticals targeted by Cadet Blizzard include government, law enforcement, nonprofits, information technology, and emergency services. Most of the group's targets are located in Ukraine, elsewhere in Europe, Central Asia, and Latin America. The group is assessed as more likely to target NATO member states and other entities that support Ukraine.
TTPs
Cadet Blizzard has been active since at least 2020; WhisperGate, the destructive wiper deployed against Ukrainian organizations in January 2022, is its best-known malware family. Cadet Blizzard allegedly defaced multiple Ukrainian websites in the past. The group is known for disrupting network operations and leaking sensitive information, and has been associated with the Free Civilian leak forum.
Microsoft notes that Cadet Blizzard typically obtains and maintains a foothold on victim networks for months and exfiltrates data before turning to disruptive activity. The group was highly active in January and June 2022, went quiet for a period afterward, and resumed activity in January 2023.
Cadet Blizzard has used supply chain compromises to reach multiple targets at once and relies on living-off-the-land techniques once inside. It has been observed exploiting CVE-2021-26084 (OGNL injection in Atlassian Confluence Server and Data Center) and CVE-2022-41040 (server-side request forgery in Microsoft Exchange Server, one of the two ProxyNotShell bugs); vendor patches exist for both, so unpatched internet-facing Confluence and Exchange instances are the first things to check. Cadet Blizzard's activity appears to be, by design, less stealthy than other GRU-directed network operations.
IOCs
PolySwarm has multiple samples associated with Cadet Blizzard.
3e4bb8089657fef9b8e84d9e17fd0d7740853c4c0487081dacc4f22359bade5c
20215acd064c02e5aa6ae3996b53f5313c3f13625a63da1d3795c992ea730191
3fe9214b33ead5c7d1f80af469593638b9e1e5f5730a7d3ba2f96b6b555514d4
You can use the following CLI command to search for all related samples in our portal:
$ polyswarm link list -f CadetBlizzard
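Beyond searching the PolySwarm portal, the hashes above can be swept against a host or file share directly. The script below is an added example written for this report, not PolySwarm tooling: it validates the IOC list, streams each file through SHA-256 without loading it whole, and returns any matches. The scratch directory it scans and the extra "demo" hash are constructed here so it runs offline; only the three report hashes are real.

```python
"""Hunt a directory tree for files whose SHA-256 matches a list of IOCs.

Added example; not PolySwarm's tooling. The three hashes below are the
Cadet Blizzard IOCs from this report. The directory being scanned and the
extra demo hash are constructed here so the script runs offline.
"""
import hashlib
import os
import re
import tempfile

# IOCs from the report (SHA-256).
CADET_BLIZZARD_SHA256 = {
    "3e4bb8089657fef9b8e84d9e17fd0d7740853c4c0487081dacc4f22359bade5c",
    "20215acd064c02e5aa6ae3996b53f5313c3f13625a63da1d3795c992ea730191",
    "3fe9214b33ead5c7d1f80af469593638b9e1e5f5730a7d3ba2f96b6b555514d4",
}

_SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def normalize_iocs(hashes):
    """Lower-case and validate the hash list. A malformed entry raises so a
    typo in an IOC feed does not silently become a rule that never fires."""
    out = set()
    for h in hashes:
        h = h.strip().lower()
        if not _SHA256_RE.match(h):
            raise ValueError(f"not a SHA-256 hex digest: {h!r}")
        out.add(h)
    return out


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file in 1 MiB chunks so large binaries never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hunt(root, iocs):
    """Walk `root` without following symlinks and return sorted (path, sha256)
    pairs whose digest is in `iocs`. Unreadable files are skipped, not fatal."""
    iocs = normalize_iocs(iocs)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                h = sha256_file(path)
            except OSError:
                continue
            if h in iocs:
                hits.append((path, h))
    return sorted(hits)


def demo():
    """Constructed scenario: a scratch tree with two harmless files. The
    second file's own digest is added to the IOC set only for this demo."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "sub"))
        benign = os.path.join(tmp, "readme.txt")
        with open(benign, "wb") as fh:
            fh.write(b"nothing to see here\n")
        suspect = os.path.join(tmp, "sub", "dropper.bin")
        with open(suspect, "wb") as fh:
            fh.write(b"constructed sample content, not real malware\n")
        # Only the real report hashes: nothing in the scratch tree matches.
        real_only = hunt(tmp, CADET_BLIZZARD_SHA256)
        # Report hashes plus the demo file's digest (upper-cased to show
        # normalization): exactly one hit.
        demo_iocs = CADET_BLIZZARD_SHA256 | {sha256_file(suspect).upper()}
        with_demo = hunt(tmp, demo_iocs)
        return len(real_only), [os.path.relpath(p, tmp) for p, _ in with_demo]


if __name__ == "__main__":
    print(demo())
```

Point `hunt()` at a mounted image or a quarantine share rather than a live system root when possible; hashing every file on a running host is slow and, against an actor that stages tooling for months, a hash-only sweep should be treated as a quick triage step, not proof of absence.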
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports