Admin

U.S. Offers $10 Million Reward for Information on Russian Cadet Blizzard Hackers Responsible for Major Attacks

The U.S. government, along with a coalition of international partners, has officially attributed the Russian hacking group known as Cadet Blizzard to the General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155). These cyber actors have been engaged in computer network operations for espionage, sabotage, and reputational harm since at least 2020. However, since early 2022, their primary focus has been on targeting and disrupting efforts to provide aid to Ukraine.

Cadet Blizzard, also known by various other names such as Ember Bear, FROZENVISTA, Nodaria, Ruinous Ursa, UAC-0056, and UNC2589, gained attention in January 2022 for deploying the destructive WhisperGate malware against multiple Ukrainian victim organizations prior to Russia’s military invasion of the country. WhisperGate is a type of wiper malware that was used to delete data and disrupt the operations of these organizations. While WhisperGate is not unique to Cadet Blizzard, it played a significant role in their cyber attacks.

In June 2024, a 22-year-old Russian national named Amin Timovich Stigal was indicted in the U.S. for his alleged role in staging destructive cyber attacks against Ukraine using wiper malware, including WhisperGate. Since then, the U.S. Department of Justice (DoJ) has charged five officers associated with Unit 29155 with conspiracy to commit computer intrusion and wire fraud conspiracy against targets in Ukraine, the U.S., and 25 other NATO countries. Those officers, Yuriy Denisov, Vladislav Borovkov, Denis Denisenko, Dmitriy Goloshubov, and Nikolay Korchagin, were responsible for carrying out the cyber operations.

According to the DoJ, the goal of these cyber intrusions is to sow concern among Ukrainian citizens regarding the safety of their government systems and personal data. The initial targets were Ukrainian government systems and data with no military or defense-related roles. However, later targets included computer systems in countries around the world that were providing support to Ukraine. This demonstrates the global reach and impact of Cadet Blizzard’s cyber operations.

It is believed that Unit 29155, to which Cadet Blizzard belongs, is responsible for not only cyber attacks but also attempted coups, sabotage, influence operations, and assassination attempts throughout Europe. Their offensive cyber operations have been ongoing since at least 2020. The ultimate goal of these activities is to collect sensitive information for espionage purposes, inflict reputational harm by leaking the collected data, and carry out destructive operations that aim to sabotage systems containing valuable information.

Unit 29155 consists of junior, active-duty GRU officers who collaborate with known cybercriminals and other civilian enablers to facilitate their missions. These missions involve various activities such as website defacements, infrastructure scanning, data exfiltration, and data leak operations. The information collected is either released on public website domains or sold to other malicious actors.

The attack chains employed by Cadet Blizzard usually begin with scanning activity that looks for known security flaws in specific software and hardware products; flaws in Atlassian Confluence Server and Data Center, Dahua Security devices, and Sophos firewalls are among those commonly exploited. Once inside, the attackers use tools such as Impacket for post-exploitation and lateral movement within the victim’s environment. Finally, the stolen data is exfiltrated to dedicated infrastructure.

In some instances, the cyber actors have used Raspberry Robin malware as an access broker. They have also targeted victims’ Microsoft Outlook Web Access (OWA) infrastructure by employing password spraying techniques to obtain valid usernames and passwords.
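A defender-side example, added here and not taken from the advisory or this article: a minimal detector for the OWA password-spraying pattern described above, run over constructed authentication records. The log format, field layout and thresholds are assumptions; real OWA/IIS logs would need their own parser.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry) in a simplified form:
# "<ISO timestamp> <client IP> <username> <result>"
SAMPLE_LOG = """\
2024-09-05T10:00:01Z 203.0.113.7 alice FAIL
2024-09-05T10:00:03Z 203.0.113.7 bob FAIL
2024-09-05T10:00:05Z 203.0.113.7 carol FAIL
2024-09-05T10:00:08Z 203.0.113.7 dave FAIL
2024-09-05T10:00:10Z 203.0.113.7 erin FAIL
2024-09-05T10:00:15Z 203.0.113.7 frank OK
2024-09-05T10:01:00Z 198.51.100.4 alice FAIL
2024-09-05T10:01:30Z 198.51.100.4 alice FAIL
"""

def parse(log_text):
    """Yield (timestamp, ip, user, result) from the constructed format."""
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result

def detect_spray(log_text, min_users=5, window=timedelta(minutes=10)):
    """Return {ip: sorted distinct users} for sources whose failed logons
    cover at least `min_users` distinct accounts inside one sliding window.
    Repeated failures on a single account (forgotten password, classic
    brute force) do not trigger: spraying is breadth, not depth."""
    fails = defaultdict(list)
    for ts, ip, user, result in parse(log_text):
        if result == "FAIL":
            fails[ip].append((ts, user))
    flagged = {}
    for ip, events in fails.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward past stale events
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged

def spray_with_success(log_text, **kw):
    """Flagged sources that also logged at least one OK: the top-priority
    case, since a valid credential was probably found."""
    ok_ips = {ip for _, ip, _, r in parse(log_text) if r == "OK"}
    return sorted(set(detect_spray(log_text, **kw)) & ok_ips)
```

In the constructed data the first source fails against five different accounts in under ten seconds and then succeeds, which is exactly the sequence the mitigation advice (phishing-resistant MFA on externally facing services) is meant to defeat.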

To mitigate the risk of falling victim to Cadet Blizzard’s cyber attacks, organizations are advised to prioritize routine system updates and promptly address known vulnerabilities. It is crucial to segment networks to limit the spread of malicious activity and enforce phishing-resistant multi-factor authentication (MFA) for all externally facing account services.

The attribution of Cadet Blizzard’s cyber activities to the GRU’s Unit 29155 serves as a reminder of the ongoing cyber threats posed by state-sponsored hacking groups. The international coalition formed to combat these threats demonstrates the importance of collaboration and information sharing among nations. Additionally, the U.S. Department of State’s Rewards for Justice program offers a reward of up to $10 million for information on the location of the indicted officers or their malicious cyber activities. This serves as a strong deterrent and a means to hold the perpetrators accountable for their actions.

In conclusion, Cadet Blizzard, a Russian hacking group, has been attributed to the GRU’s Unit 29155. Their cyber activities aimed at espionage, sabotage, and reputational harm have been ongoing since at least 2020. With a particular focus on disrupting aid to Ukraine, their targets have included critical infrastructure and key resource sectors. The international coalition formed to combat these threats highlights the global nature of the cyber landscape and the need for international cooperation in addressing these challenges.
