Cadet Blizzard emerges as a novel and distinct Russian threat actor | Microsoft Security Blog

Cadet Blizzard is a distinct Russian GRU-sponsored threat actor elevated from DEV-0586, known for destructive and disruptive operations in Ukraine and Europe, including web defacements, WhisperGate, and a hack-and-leak front called Free Civilian. Microsoft Threat Intelligence details Cadet Blizzard’s tactics, targets, and interconnections with other ecosystems to help defenders detect and mitigate its activities. hashtags: #CadetBlizzard #WhisperGate #GRU #FreeCivilian #Ukraine

Key points

  • Cadet Blizzard has been elevated from a DEV-0586 designation to a named threat actor, with ties to the Russian GRU and distinctions from other GRU groups like Forest Blizzard and Seashell Blizzard.
  • WhisperGate, deployed before Russia’s invasion, wipes Master Boot Records and foreshadowed later destructive operations against Ukrainian government targets.
  • Operations span destructive attacks, espionage, and information operations, targeting government and IT providers in Ukraine and extending to Europe and Latin America.
  • Cadet Blizzard frequently uses living-off-the-land techniques, web shells for persistence, credential dumping, and Impacket-based lateral movement, often revealing themselves through public-facing destructive activity.
  • Hack-and-leak activity via the “Free Civilian” front and related channels (Tor onion site and Telegram) signals information operations conducted alongside data exfiltration and disclosure.
  • Mitigation focuses on MFA, CFA, cloud Defender protections, monitoring for hands-on-keyboard activity, and specific hunting queries to detect Cadet Blizzard’s patterns.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Cadet Blizzard predominantly achieves initial access through exploitation of web servers… including the CVE-2021-26084 vulnerability. “Cadet Blizzard is also known for exploiting Confluence servers through the CVE-2021-26084 vulnerability”
  • [T1505.003] Web Shell – Cadet Blizzard frequently persists on target networks through the deployment of commodity web shells… “Commonly utilized web shells include P0wnyshell, reGeorg, PAS”
  • [T1003.001] Credential Dumping – LSASS memory dumping using procdump; “Dumping LSASS – Cadet Blizzard uses Sysinternals tools such as procdump to dump LSASS in suspected offline credential harvesting efforts.”
  • [T1003.004] Registry Hive Dump (Credential Dumping) – “Dumping registry hives – Cadet Blizzard extracts registry hives using native means via reg save.”
  • [T1021] Lateral Movement – “conducts lateral movement with valid network credentials obtained from credential harvesting… uses Impacket framework.”
  • [T1059.001] PowerShell – “PowerShell get-volume to enumerate the volume of a device”
  • [T1105] Ingress Tool Transfer – “Downloading files directly from actor-owned infrastructure via the PowerShell DownloadFile commandlet”
  • [T1070] Indicator Removal on Host – “Cadet Blizzard commonly deletes files used during operational phases”
  • [T1485] Data Destruction – “deploy destructive malware to delete data and render systems inoperable.”

Indicators of Compromise

  • [Domain] justiceua.org – Sender for non-weaponized emails containing only antagonistic messaging: [email protected]
  • [IP address] 179.43.187.33 – Hosted the JusticeUA operation between March and April 2022
  • [SHA-256] 3e4bb8089657fef9b8e84d9e17fd0d7740853c4c0487081dacc4f22359bade5c – Web shell – p0wnyshell (not unique to Cadet Blizzard)
  • [SHA-256] 20215acd064c02e5aa6ae3996b53f5313c3f13625a63da1d3795c992ea730191 – Web shell – p0wnyshell (not unique to Cadet Blizzard)
  • [SHA-256] 3fe9214b33ead5c7d1f80af469593638b9e1e5f5730a7d3ba2f96b6b555514d4 – Web shell – WSO Shell (not unique to Cadet Blizzard)
  • [SHA-256] 23d6611a730bed886cc3b4ce6780a7b5439b01ddf6706ba120ed3ebeb3b1c478 – Web shell – reGeorg (not unique to Cadet Blizzard)
  • [SHA-256] 7fedaf0dec060e40cbdf4ec6d0fbfc427593ad5503ad0abaf6b943405863c897 – Web shell – PAS (may not be unique to Cadet Blizzard)

Read more: https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/