Microsoft on Wednesday lifted the lid on a “new and different Russian threat actor,” which it said was linked to the General Staff’s Main Intelligence Directorate (GRU) and has a “relatively low success rate”.
The tech giant’s Threat Intelligence team, which previously tracked the group under the emerging moniker DEV-0586, has graduated it to a named actor dubbed Cadet Blizzard.
“Cadet Blizzard seeks to engage in harassment, destruction, and information gathering, using any means available and at times acting in reckless ways,” the company said.
“While these groups carry high risk due to their destructive activities, they appear to be operating with a lower level of operational security than older and advanced Russian groups such as Seashell Blizzard and Forest Blizzard.”
Cadet Blizzard was first exposed in January 2022 in connection with destructive cyber activity targeting Ukraine using a novel wiper malware called WhisperGate (aka PAYWIPE) in the weeks leading up to Russia’s military invasion of the country.
The state-sponsored actor, according to Microsoft, has a track record of orchestrating destructive attacks, espionage, and information operations aimed at entities located in Ukraine, Europe, Central Asia, and, periodically, Latin America.
Believed to have been operational in some capacity since at least 2020, Cadet Blizzard’s intrusions have focused mostly on government agencies, law enforcement, non-profit and non-governmental organizations, IT service providers, and emergency services.
“Cadet Blizzard is active seven days a week and has conducted its operations during its primary targets’ off-business hours, when its activity tends to go undetected,” Microsoft’s Tom Burt said. “In addition to Ukraine, it also focuses on NATO member states involved in providing military assistance to Ukraine.”
It is worth noting that Cadet Blizzard also overlaps with a group tracked by the broader cybersecurity community under the names Ember Bear (CrowdStrike), FROZENVISTA (Google TAG), Nodaria (Symantec), TA471 (Proofpoint), UAC-0056 (CERT-UA), and UNC2589 (Google Mandiant).
Besides WhisperGate, the hacking crew has been known to make use of a raft of weapons in its arsenal, including SaintBot, OutSteel, GraphSteel, GrimPlant, and, more recently, Graphiron. Microsoft has associated SaintBot and OutSteel with a related cluster of activity labeled Storm-0587.
“Cadet Blizzard is also linked to the defacement of the websites of several Ukrainian organizations, as well as several operations, including the hack-and-leak forum known as ‘Free Civilian,’” Microsoft added.
Other notable tradecraft entails the use of living-off-the-land (LotL) techniques after gaining initial access to achieve lateral movement, harvest credentials and other information, and deploy tools to facilitate defense evasion and persistence.
The attacks, for their part, are carried out by exploiting known vulnerabilities in exposed web servers (for example, Atlassian Confluence and Microsoft Exchange Server) and content management systems.
“As the war continues, Cadet Blizzard activity poses an increasing risk to the wider European community, in particular any successful attacks on governments and IT service providers, which could provide actors with tactical and strategic level insight into Western operations and policies around the conflict,” Microsoft said.