Fri | Jun 16, 2023 | 4:30 AM PDT

In the midst of ongoing tensions stemming from the Russia-Ukraine war, Microsoft's Threat Intelligence team has recently exposed the existence of a new Russian state-sponsored hacker group known as Cadet Blizzard.

This group, linked to the General Staff Main Intelligence Directorate (GRU), has been actively engaging in disruptive cyber activities, primarily targeting Ukraine, Europe, and Latin America.

The emergence of Cadet Blizzard underscores the complex and evolving nature of cyber threats, as they blur the lines between criminal and state-sponsored actors, exacerbating the challenges faced by defenders in the digital realm.

What is Cadet Blizzard?

According to Microsoft, Cadet Blizzard "seeks to conduct disruption, destruction, and information collection, using whatever means are available and sometimes acting in a haphazard fashion." 

The group operates with a lower degree of operational security compared to other well-established Russian hacker groups. Despite a relatively low success rate, Cadet Blizzard poses a significant risk due to its destructive nature and potential impact on targeted entities.

Cadet Blizzard is believed to have started its operations in 2020, with a primary focus on targeting government services, law enforcement, non-profit organizations, IT service providers, and emergency services in Ukraine. The group has since been involved in the defacement of Ukrainian websites, hack-and-leak operations, and deploying destructive capabilities like the WhisperGate data-wiping attacks.

Casey Ellis, Founder and CTO at Bugcrowd, discussed the Russian-affiliated threat actor group with SecureWorld News:

"Groups which are more 'state-sanctioned' than state-sponsored or controlled are becoming increasingly common in these types of actions. For the nation state, this obviously adds to their capability in a useful way, adds the option for plausible deniability if required, and can serve to hide directed nation-state actions amongst more chaotic ones."

Microsoft warns that Cadet Blizzard maintains an active presence throughout the week, specifically operating during off-business hours to reduce the likelihood of detection. The group also employs living-off-the-land (LotL) techniques to gain initial access, move laterally within targeted networks, and evade defense mechanisms. 

Microsoft's report includes a graphic of Cadet Blizzard's typical operational lifecycle, which breaks down as follows:

Cadet Blizzard's operational lifecycle begins with initial access: exploiting internet-facing servers, deploying web shells, pushing tunneling tools, and pivoting into internal networks. Lateral movement follows, including credential access via process dumping, interactive reverse shells via netcat/GOST, command execution via Impacket, disabling antivirus services, and wiping logs. Cadet Blizzard's actions on objectives then include exfiltrating data, deploying destructive payloads, and leaking data or running targeted information operations.
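Two of the lateral-movement steps above leave well-known process-creation artifacts that defenders can hunt for: Impacket's wmiexec runs commands as children of WmiPrvSE.exe with output redirected to the ADMIN$ share, and PsExec spawns its shell from the PSEXESVC.exe service. The following is an added example, not code from the article or from Microsoft's report; the event records are constructed here to mimic Sysmon process-creation fields, and the function names are my own.

```powershell
# Added example: flag process-creation events matching the Impacket wmiexec and
# PsExec lateral-movement patterns described in the lifecycle above.
# Records are constructed to mimic Sysmon Event ID 1 (ProcessCreate) fields.
$events = @(
    [pscustomobject]@{ ParentImage = 'C:\Windows\System32\wbem\WmiPrvSE.exe'
                       Image       = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1686900000.12 2>&1' },
    [pscustomobject]@{ ParentImage = 'C:\Windows\PSEXESVC.exe'
                       Image       = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'cmd.exe' },
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe'
                       Image       = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'cmd.exe /c dir' }
)

function Test-ImpacketWmiExec {
    param([Parameter(Mandatory)] $Event)
    # wmiexec executes via Win32_Process.Create, so WmiPrvSE.exe is the parent and
    # the child cmd.exe redirects its output to a "__<timestamp>" file on ADMIN$.
    return (($Event.ParentImage -like '*\WmiPrvSE.exe') -and
            ($Event.CommandLine -match '\\\\127\.0\.0\.1\\ADMIN\$\\__\d') -and
            ($Event.CommandLine -match '\s1>\s'))
}

function Test-PsExecService {
    param([Parameter(Mandatory)] $Event)
    # PsExec drops and starts the PSEXESVC service, which then spawns the remote shell.
    return ($Event.ParentImage -like '*\PSEXESVC.exe')
}

function Get-LateralMovementVerdict {
    param([Parameter(Mandatory)] $Event)
    if (Test-ImpacketWmiExec $Event) { return 'ALERT: Impacket wmiexec pattern' }
    if (Test-PsExecService $Event)   { return 'ALERT: PsExec service child' }
    return 'ok'
}

foreach ($e in $events) {
    '{0,-32} {1}' -f (Get-LateralMovementVerdict $e), $e.CommandLine
}
```

Legitimate WMI-driven administration can also spawn cmd.exe under WmiPrvSE.exe, so the ADMIN$ output-redirection check is what separates wmiexec from ordinary management traffic; tune the rule against your own baseline before alerting on it.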

As Cadet Blizzard's activities continue, Microsoft underscores the increasing risk the group poses to the broader European community, especially successful attacks against governments and IT service providers. Such attacks could grant the threat actor both tactical and strategic-level insights into Western operations and policies related to ongoing conflicts.

Mitigations and defense against Cadet Blizzard

To mitigate the risk posed by Cadet Blizzard and other advanced cyber threats, organizations are advised to follow basic defense tactics. These include implementing strong authentication measures, adhering to the principle of least privilege, maintaining up-to-date patching, ensuring robust security controls and tools, and conducting regular user training.

Specifically, Microsoft advises doing these five things:

  1. "Review all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single factor authentication, to confirm authenticity and investigate any anomalous activity."
  2. "Enable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure that MFA is enforced for all remote connectivity. NOTE: Microsoft strongly encourages all customers download and use password-less solutions like Microsoft Authenticator to secure accounts."
  3. "Enable controlled folder access (CFA) to prevent MBR/VBR modification."
  4. "Block process creations originating from PSExec and WMI commands to stop lateral movement utilizing the WMIexec component of Impacket."
  5. "Turn on cloud-delivered protection in Microsoft Defender Antivirus, turned on by default in Windows, or the equivalent for your chosen antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants."
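Items 3 through 5 map directly onto Microsoft Defender Antivirus settings that can be applied and verified with the built-in Defender cmdlets. The script below is an added example, not code from the article or from Microsoft's guidance; it assumes an elevated PowerShell session on a Windows host with Defender Antivirus active, and the rule GUID is the documented Defender ASR identifier for "Block process creations originating from PSExec and WMI commands". The function names are my own.

```powershell
# Added example: apply Microsoft's recommendations 3-5 (controlled folder access,
# the PsExec/WMI ASR rule, cloud-delivered protection) in audit mode first, then enforce.
# Assumes an elevated session on a Windows host running Microsoft Defender Antivirus.

# Documented ASR rule id: "Block process creations originating from PSExec and WMI commands"
$PsExecWmiRule = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'

function Show-DefenderState {
    $p = Get-MpPreference
    # Find the configured action for our ASR rule (ids may come back in either case)
    $ids = @($p.AttackSurfaceReductionRules_Ids)
    $ruleAction = 'not set'
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $PsExecWmiRule) { $ruleAction = $p.AttackSurfaceReductionRules_Actions[$i] }
    }
    [pscustomobject]@{
        ControlledFolderAccess = $p.EnableControlledFolderAccess   # 0 Disabled, 1 Enabled, 2 AuditMode
        PsExecWmiAsrRule       = $ruleAction                       # 0 Disabled, 1 Block, 2 Audit
        CloudProtection        = $p.MAPSReporting                  # 0 Disabled, 1 Basic, 2 Advanced
        SampleSubmission       = $p.SubmitSamplesConsent
    }
}

function Set-CadetBlizzardMitigations {
    param([ValidateSet('AuditMode', 'Enabled')] [string] $Mode = 'AuditMode')
    # Item 3: controlled folder access; Enabled also protects boot sectors from wiper-style MBR/VBR writes
    Set-MpPreference -EnableControlledFolderAccess $Mode
    # Item 4: ASR rule that blocks process creation from PsExec and WMI (covers Impacket's wmiexec)
    Add-MpPreference -AttackSurfaceReductionRules_Ids $PsExecWmiRule `
                     -AttackSurfaceReductionRules_Actions $Mode
    # Item 5: cloud-delivered protection, with sample submission so unknown variants get classified
    Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples
}

# Baseline, then audit: review Defender/Operational events 1122 (ASR audit) and 1124 (CFA audit)
# for false positives before switching the same settings to enforcement.
Show-DefenderState
Set-CadetBlizzardMitigations -Mode AuditMode
# After the audit period:
# Set-CadetBlizzardMitigations -Mode Enabled
Show-DefenderState
```

Controlled folder access and the ASR rule will block legitimate tooling that writes to protected folders or spawns processes via WMI (software deployment agents are a common case), which is why the audit pass comes before enforcement.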

The emergence of Cadet Blizzard highlights the evolving landscape of cyber threats. Blurring the lines between state-sanctioned and criminal actors, groups like Cadet Blizzard emphasize the need for improved cybersecurity measures and a deeper understanding of the motivations behind these attacks.

As organizations and governments navigate this challenging landscape, the focus should remain on proactive defense strategies and fostering a cybersecurity-conscious culture.
