Microsoft: Russia sent its B team to wipe Ukrainian hard drives

WhisperGate-spreading Cadet Blizzard painted as haphazard but dangerous crew


Here's a curious tale about a highly destructive yet flaky Kremlin-backed crew that was active during the early days of Russia's invasion of Ukraine, then went relatively quiet – until this year.

In a detailed report this week, analysts at Microsoft's Threat Intelligence unit outlined the work of a group they're calling Cadet Blizzard (formerly tracked as DEV-0586), which was behind the months-long data-wiping campaign against Ukraine government agencies that began in early January 2022.

That series of attacks – involving the destructive WhisperGate Windows malware – was part of the cyber aspect of the larger hybrid warfare conducted by Russia against its smaller neighbor and supporters.

Microsoft linked Cadet Blizzard to Russia's GRU military intelligence unit. While it doesn't have the same profile as other state-sponsored Russian teams – like Forest Blizzard (also known as Strontium, APT28, and Fancy Bear) and Seashell Blizzard (Iridium and Sandworm) – Microsoft says "the emergence of a novel GRU affiliated actor, particularly one which has conducted destructive cyber operations likely supporting broader military objectives in Ukraine, is a notable development in the Russian cyber threat landscape."

The researchers drew a picture of a gang of miscreants that can be disruptive using multiple modes of attack – but is less prolific and less successful than better-known GRU-backed groups, and runs its operations in a disorderly fashion.

"Cadet Blizzard seeks to conduct disruption, destruction, and information collection, using whatever means are available and sometimes acting in a haphazard fashion," they wrote. "While the group carries high risk due to their destructive activity, they appear to operate with a lower degree of operational security than that of longstanding and advanced Russian groups such as Seashell Blizzard and Forest Blizzard."

A so-so track record of success

That shows in the crew's performance, according to Tom Burt, Microsoft's corporate vice president of customer security and trust.

"What's perhaps most interesting about this actor is its relatively low success rate compared with other GRU-affiliated actors," Burt wrote in a blog post this week.

He noted that system-wiping attacks by Seashell Blizzard in February 2022 affected more than 200 systems in 15 organizations. WhisperGate the month before impacted "an order of magnitude fewer systems and delivered comparatively modest impact, despite being trained to destroy the networks of their opponents in Ukraine."

In addition, even in success, Cadet Blizzard seems to come up short. A "Free Civilian" Telegram channel – used by the group to distribute information gained from hack-and-leak operations – had only 1,300 followers as of February, with posts getting no more than a dozen reactions.

In Cadet Blizzard's return to heightened activity this year, its operations, "although occasionally successful, similarly failed to achieve the impact of those conducted by its GRU counterparts," Burt wrote.

Sloppy but dangerous

That said, organizations shouldn't let down their guard on these miscreants. Cadet Blizzard has been operating since 2020 and, while not as prolific in scale or scope as other established Russian groups, its campaigns are designed to be destructive. It looks to get into networks and hang around for months.

It's known for targeting government agencies and bodies in such areas as law enforcement, IT services, and emergency services within Ukraine, but has also struck out at targets in Europe, Central Asia, and Latin America – often against organizations that have supported Ukraine. In Ukraine, the attacks have ranged from wiper malware and website defacements to information stealing and leaking.

NATO members providing military aid to Ukraine are at greater risk, Redmond wrote.

Cadet Blizzard gets in by exploiting vulnerabilities in internet-facing web services, such as Microsoft Exchange and Atlassian Confluence, then uses living-off-the-land techniques (built-in system tools rather than custom malware) to move laterally through the network, either to grab information such as credentials and mail, or to drop malware that deletes data and renders systems inoperable. It uses web shells to maintain access.
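The chain above – exploit a web service, drop a web shell, come back through it later – leaves a trace in the web server's own access logs, which is where a defender would start hunting. The following is an added example, not code from Microsoft's report or from this article: a small heuristic web-shell hunt over IIS W3C log lines. The log lines are constructed for the example, and the allowlist of legitimate POST targets, the list of "shell-prone" directories, and the command-parameter pattern are assumptions to be tuned for a real environment.

```python
"""Heuristic web shell hunt over IIS W3C access logs (added example)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log (not from any real incident). The first four and the
# last line are normal Outlook Web Access traffic; the middle three show a
# second client POSTing to script files that OWA never serves POSTs to.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2022-01-13 03:14:07 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.10 Mozilla/5.0 - 200
2022-01-13 03:14:09 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 203.0.113.10 Mozilla/5.0 https://mail.example.test/owa/ 302
2022-01-13 03:20:31 10.0.0.5 POST /owa/auth/errorFE.aspx - 443 - 198.51.100.7 python-requests/2.25.1 - 200
2022-01-13 03:21:02 10.0.0.5 POST /owa/auth/errorFE.aspx cmd=whoami 443 - 198.51.100.7 python-requests/2.25.1 - 200
2022-01-13 03:21:40 10.0.0.5 POST /aspnet_client/system_web/help.aspx - 443 - 198.51.100.7 python-requests/2.25.1 - 200
2022-01-13 03:25:11 10.0.0.5 GET /owa/auth/15.2.986.5/themes/resources/logo.png - 443 - 203.0.113.10 Mozilla/5.0 https://mail.example.test/owa/ 200
"""

# Assumption: script endpoints that legitimately receive POSTs on an Exchange
# front end. Anything else with a script extension getting a POST is suspect.
KNOWN_POST_TARGETS = {
    "/owa/auth/logon.aspx",
    "/owa/auth.owa",
    "/autodiscover/autodiscover.xml",
    "/ews/exchange.asmx",
}
# Assumption: directories the worker process can write to, where dropped
# shells typically land. Tune for your own deployment.
SHELL_DIRS = ("/owa/auth/", "/aspnet_client/", "/ecp/auth/")
SCRIPT_EXT = re.compile(r"\.(aspx|ashx|asmx|php|jsp)$", re.IGNORECASE)
# Assumption: parameter names a simple command-execution shell tends to use.
CMD_PARAMS = re.compile(r"(?:^|&)(cmd|exec|command|c)=", re.IGNORECASE)


@dataclass
class Finding:
    client_ip: str
    uri: str
    reasons: list


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than guess at columns
        yield dict(zip(fields, values))


def score_request(rec):
    """Return the list of heuristics a single request trips (empty if none)."""
    reasons = []
    stem = rec["cs-uri-stem"].lower()
    query = rec.get("cs-uri-query", "-")
    is_script = bool(SCRIPT_EXT.search(stem))
    allowlisted = stem in KNOWN_POST_TARGETS
    if rec["cs-method"] == "POST" and is_script and not allowlisted:
        reasons.append("POST to script not in allowlist")
    if stem.startswith(SHELL_DIRS) and is_script and not allowlisted:
        reasons.append("script in directory where shells are commonly dropped")
    if query != "-" and CMD_PARAMS.search(query):
        reasons.append("command-like query parameter")
    return reasons


def hunt(text):
    """Run the heuristics over a log and return the requests worth a look."""
    findings = []
    for rec in parse_w3c(text):
        reasons = score_request(rec)
        if reasons:
            findings.append(Finding(rec["c-ip"], rec["cs-uri-stem"], reasons))
    return findings


def suspects_by_ip(findings):
    """Count flagged requests per client so repeat visitors float to the top."""
    return Counter(f.client_ip for f in findings)


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f.client_ip, f.uri, "; ".join(f.reasons))
    print(suspects_by_ip(hunt(SAMPLE_LOG)))
```

Two of the three heuristics fire on file path alone, so they also catch a shell that is driven over POST bodies rather than query strings (the body is not in the access log). The allowlist is the part that needs care: a stale one produces noise on every legitimate ECP or ActiveSync endpoint, which is exactly the condition under which a real shell goes unnoticed.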

In addition, unlike its Russian peers that like to go undetected during their operations, "the result of at least some notable Cadet Blizzard operations are extremely disruptive and are almost certainly intended to be public signals to their targets to achieve the larger objective of destruction, disruption, and possibly, intimidation."

It's a group that is loud, sloppy at times, and hit-or-miss – but also dangerous.

"While it has not been the most successful Russian actor, Cadet Blizzard has seen some recent success," Burt wrote. ®
