Cadet Blizzard: Dark Web Profile – SOCRadar® Cyber Intelligence Inc.

Cadet Blizzard (DEV-0586) is a GRU-linked threat group that has targeted Ukrainian government agencies and critical infrastructure since at least 2020 and expanded operations to Europe and Latin America after 2022. The group conducts espionage and disruptive operations using custom and public tooling—examples include WhisperGate and Raspberry Robin—often supporting data exfiltration and credential theft. #CadetBlizzard #WhisperGate

Key Points

  • Cadet Blizzard is linked to the Russian military intelligence agency GRU and identified as DEV-0586 by Microsoft.
  • First publicly tracked during large-scale cyberattacks on Ukraine in early 2022 and later expanded targeting to Europe and Latin America.
  • Primary targets include government organizations, critical infrastructure, NATO member states, and related supply chains.
  • Operates a complex kill chain covering reconnaissance, initial access, persistence, credential theft, lateral movement, and exfiltration.
  • Uses a mix of custom destructive/espionage tooling (e.g., WhisperGate) and publicly available malware/tools (e.g., Raspberry Robin, Meterpreter, exploit scripts).
  • Resumed observed activity in January 2023 after a quieter period and continues operations aligned with Russian political objectives.
  • Recommended defenses include email filtering, EDR, network segmentation, credential hygiene, and incident response planning.

MITRE Techniques

  • [T1590.002] Gather Victim Network Information: DNS – Used Amass and VirusTotal to gather DNS info for subdomains of target websites.
  • [T1595] Active Scanning – Utilizes open-source tools for active scanning during targeting.
  • [T1595.001] Active Scanning: Scanning IP Blocks – Scans IP ranges using public tools to find victim IPs.
  • [T1595.002] Active Scanning: Vulnerability Scanning – Scans for exploitable vulnerabilities in IoT devices using tools like Acunetix.
  • [T1596.005] Search Open Technical Databases: Scan Databases – Uses Shodan to discover internet-connected hosts.
  • [T1583.003] Acquire Infrastructure: Virtual Private Server – Uses VPS to host tools, perform recon, exploit, and exfiltrate data.
  • [T1588.001] Obtain Capabilities: Malware – Obtains publicly available malware for operations, like Raspberry Robin.
  • [T1588.005] Obtain Capabilities: Exploits – Uses exploit scripts from GitHub to attack victim infrastructure.
  • [T1078.001] Valid Accounts: Default Accounts – Uses default usernames and passwords to access IP cameras.
  • [T1190] Exploit Public-Facing Application – Exploits vulnerabilities in public-facing apps like CVE-2021-33044.
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Executes commands and operational tasks via PowerShell.
  • [T1505.003] Server Software Component: Web Shell – Deploys web shells for persistent access.
  • [T1003.001] OS Credential Dumping: LSASS Memory – Exfiltrates LSASS memory dumps to retrieve credentials.
  • [T1003.002] OS Credential Dumping: Security Account Manager – Dumps usernames and hashed passwords from the SAM.
  • [T1110.003] Brute Force: Password Spraying – Uses password spraying on Microsoft OWA infrastructure to collect credentials.
  • [T1552.001] Unsecured Credentials: Credentials in Files – Dumps configuration files from IP cameras to collect credentials.
  • [T1046] Network Service Discovery – Uses Nmap scripts to discover and scan other machines in the network.
  • [T1654] Log Enumeration – Enumerates and exfiltrates SYSTEM and SECURITY logs.
  • [T1550.002] Use Alternate Authentication Material: Pass the Hash – Uses Pass-the-Hash techniques for SMB authentication.
  • [T1114] Email Collection – Compromises mail servers to exfiltrate emails.
  • [T1125] Video Capture – Exfiltrates images from IoT devices like IP cameras.
  • [T1213.001] Data from Information Repositories: Confluence – Leverages Through the Wire to target Confluence servers.
  • [T1560] Archive Collected Data – Compresses data to exfiltrate files or system information.
  • [T1090.003] Proxy: Multi-hop Proxy – Uses ProxyChains for multi-hop proxy to anonymize traffic.
  • [T1071.001] Application Layer Protocol: Web Protocols – Sends payloads via POST requests over HTTP.
  • [T1071.004] Application Layer Protocol: DNS – Uses DNS tunneling (e.g., dnscat/2, Iodine) for communication.
  • [T1095] Non-Application Layer Protocol – Uses reverse TCP connections for communication.
  • [T1105] Ingress Tool Transfer – Transfers Meterpreter payload for command execution.
  • [T1572] Protocol Tunneling – Uses OpenVPN and GOST for traffic tunneling to anonymize activities.
  • [T1567.002] Exfiltration Over Web Service: Exfiltration to Cloud Storage – Exfiltrates data to cloud storage services like MEGA using Rclone.
  • [T1485] Data Destruction – Destroys data as part of disruptive operations.
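The DNS tunneling entry (T1071.004) is one of the few techniques above that leaves a clear footprint in resolver logs. The following detection heuristic is an added example, not code from the SOCRadar article or from any tool it names; it assumes a constructed "client qname qtype" log format, treats the last two labels as the registered domain, and uses illustrative thresholds for unique-subdomain count, label entropy, and TXT/NULL record ratio.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log lines (not real data), format "client qname qtype".
# 10.0.0.7 issues many unique high-entropy TXT/NULL lookups under one domain.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com A
10.0.0.5 cdn.example.com A
10.0.0.5 api.example.com A
10.0.0.5 static.example.com A
10.0.0.7 4f3a9c1e2b7d8a6f.tun.badexample.net TXT
10.0.0.7 9e7b2d4c8a1f3e5b.tun.badexample.net TXT
10.0.0.7 a1b2c3d4e5f60718.tun.badexample.net NULL
10.0.0.7 0f1e2d3c4b5a6978.tun.badexample.net TXT
10.0.0.7 7c6b5a4f3e2d1c0b.tun.badexample.net TXT
10.0.0.7 d4e5f6a7b8c9d0e1.tun.badexample.net TXT
"""

def entropy(text):
    """Shannon entropy of a string in bits per character."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def registered_domain(qname):
    """Assumption: the last two labels are the registered domain (no PSL lookup)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def score_domains(log_text, min_queries=5, min_entropy=3.0, rare_type_ratio=0.5):
    """Return {domain: stats} for domains whose query mix looks like a tunnel."""
    per_domain = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _client, qname, qtype = parts
        per_domain[registered_domain(qname)].append((qname, qtype.upper()))
    flagged = {}
    for domain, queries in per_domain.items():
        if len(queries) < min_queries:
            continue
        # The subdomain part is where a tunnel encodes its payload.
        subs = {q[: -len(domain) - 1] if q.endswith("." + domain) else "" for q, _ in queries}
        mean_entropy = sum(entropy(s.replace(".", "")) for s in subs) / len(subs)
        rare = sum(1 for _, t in queries if t in ("TXT", "NULL")) / len(queries)  # bulk-data record types
        stats = {"unique_subdomains": len(subs), "mean_entropy": round(mean_entropy, 2), "rare_type_ratio": rare}
        if len(subs) >= min_queries and mean_entropy >= min_entropy and rare >= rare_type_ratio:
            flagged[domain] = stats
    return flagged
```

Tune the thresholds against a baseline of your own resolver traffic; CDNs and some security products also generate long, unique subdomains, so the TXT/NULL ratio is what keeps this from firing on them.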

Indicators of Compromise

  • No IoC Found – The article did not provide IP addresses, file hashes, domains, or filenames for specific indicators.

Read more: https://socradar.io/dark-web-profile-cadet-blizzard/