Microsoft Names Russian Threat Actor "Cadet Blizzard"

Microsoft Threat Intelligence has shed light on a previously tracked threat actor (DEV-0586), now known as “Cadet Blizzard.”

The tech giant explained the new threat in a technical blog post published on Wednesday, where it shared updated information about the Russian state-sponsored threat actor’s techniques, tools and infrastructure.

Read more on Microsoft’s previous DEV-0586 findings: Microsoft Warns of Destructive Malware Campaign Targeting Ukraine

Microsoft believes Cadet Blizzard is associated with the Russian General Staff Main Intelligence Directorate (GRU) and operates separately from other known GRU-affiliated groups.

While the group’s activities may be less prolific than other threat actors, their destructive campaigns have targeted government organizations and IT providers primarily in Ukraine, with occasional operations in Europe and Latin America.

From a technical standpoint, Cadet Blizzard predominantly achieved initial access by exploiting web servers and vulnerabilities in Confluence servers, Exchange servers and open-source platforms.

They then achieved persistence on networks using web shells like P0wnyshell and reGeorg, escalated privileges through living-off-the-land techniques and harvested credentials.

“Many TTPs (tactics, techniques, & procedures) are shared among threat actors, whether nation-state or not,” commented Timothy Morris, Chief Security Advisor at Tanium.

“Typically, the largest indicator of nation-state threat actors are the amount of resources available and the level of sophistication of how TTPs are used.”

According to the security expert, criminal groups and hacktivists can be monetarily or politically driven and their motivations can overlap.

“Meaning, motivation for attacks can be shared. For example, a nation-state that focuses on cryptocurrency attacks to fund their operations.”

Cadet Blizzard reportedly conducted lateral movement with obtained network credentials and modules from the Impacket framework, while command and control (C2) was achieved via socket-based tunneling utilities and occasionally Meterpreter.

To maintain operational security, Cadet Blizzard used anonymization services like IVPN, SurfShark and Tor. They employed anti-forensics techniques and carried out destructive actions, including data exfiltration, deploying malware, hack-and-leak operations and information operations through Tor sites and Telegram channels.
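As an added illustration (not code from the Microsoft report or this article), the web-shell and tunnelling behaviour described above leaves traces in ordinary web server access logs. The Python script below scans constructed combined-format log lines for the cmd=connect/forward/read/disconnect verbs that reGeorg's tunnel scripts accept, and for bursts of POST requests to a single script path from one client; the addresses, paths and threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Apache/nginx combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Jun/2023:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [14/Jun/2023:10:01:09 +0000] "GET /about.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jun/2023:10:02:00 +0000] "GET /uploads/tunnel.php HTTP/1.1" 200 24 "-" "python-requests/2.28"
203.0.113.7 - - [14/Jun/2023:10:02:01 +0000] "POST /uploads/tunnel.php?cmd=connect&target=10.0.0.20&port=445 HTTP/1.1" 200 0 "-" "python-requests/2.28"
203.0.113.7 - - [14/Jun/2023:10:02:01 +0000] "POST /uploads/tunnel.php?cmd=forward HTTP/1.1" 200 0 "-" "python-requests/2.28"
203.0.113.7 - - [14/Jun/2023:10:02:02 +0000] "POST /uploads/tunnel.php?cmd=read HTTP/1.1" 200 1460 "-" "python-requests/2.28"
203.0.113.7 - - [14/Jun/2023:10:02:02 +0000] "POST /uploads/tunnel.php?cmd=read HTTP/1.1" 200 1460 "-" "python-requests/2.28"
203.0.113.7 - - [14/Jun/2023:10:02:03 +0000] "POST /uploads/tunnel.php?cmd=disconnect HTTP/1.1" 200 0 "-" "python-requests/2.28"
"""

# Client IP, method, request target, status and response size from a combined-format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Command verbs the reGeorg tunnel script reads from its "cmd" query parameter.
TUNNEL_VERBS = {"connect", "forward", "read", "disconnect"}


def analyze(log_text, post_burst=5):
    """Return (rule, client_ip, path, detail) findings for tunnel verbs and POST bursts."""
    findings = []
    posts = Counter()  # (client_ip, path) -> number of POST requests
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, method, target = m["ip"], m["method"], m["target"]
        path, _, query = target.partition("?")
        params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
        if params.get("cmd", "").lower() in TUNNEL_VERBS:
            findings.append(("regeorg_verb", ip, path, params["cmd"]))
        if method == "POST":
            posts[(ip, path)] += 1
    # Many POSTs from one client to one script is typical of web-shell/tunnel use.
    for (ip, path), n in posts.items():
        if n >= post_burst:  # assumed threshold; tune to the site's normal traffic
            findings.append(("post_burst", ip, path, n))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```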

“Activities linked to Cadet Blizzard indicate that they are comprehensive in their approach and have demonstrated an ability to hold networks at risk of continued compromise for an extended period,” Microsoft wrote.

As a result, the company suggested that a thorough incident response approach may be necessary to effectively address and recover from the activities carried out by Cadet Blizzard.

“Organizations can bolster security of information assets and expedite incident response by focusing on areas of risk based on actor tradecraft enumerated within this report.”
