
U.S. links Russian group Cadet Blizzard to cyberattacks


The U.S. government and international partners have attributed cyberattacks to a Russian hacking group called Cadet Blizzard. The group is part of the General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center. Cadet Blizzard has been responsible for computer network operations targeting global objectives since at least 2020.

Their main focus has been disrupting efforts to provide aid to Ukraine. The group’s targets have included critical infrastructure and key sectors in NATO members, the European Union, Central America, and Asian countries. These sectors include government services, financial services, transportation systems, energy, and healthcare.

In January 2022, Cadet Blizzard deployed the destructive WhisperGate malware against Ukrainian organizations before Russia’s full-scale invasion of the country. However, this group’s use of WhisperGate is not unique.

Cyberattacks linked to Cadet Blizzard

The U.S. Department of Justice has indicted five officers associated with Unit 29155 for conspiracy to commit computer intrusion and wire fraud. The officers are Yuriy Denisov, Vladislav Borovkov, Denis Denisenko, Dmitriy Goloshubov, and Nikolay Korchagin. The U.S. Department of State’s Rewards for Justice program offers up to $10 million for information about the defendants’ locations or malicious cyber activity.

Unit 29155 is believed to be responsible for extensive cyber operations throughout Europe since at least 2020. These cyber intrusions aim to collect sensitive information for espionage, inflict reputational harm by leaking data, and orchestrate destructive operations to sabotage systems containing valuable data. Unit 29155 consists of junior, active-duty GRU officers relying on known cybercriminals and civilian enablers to facilitate their missions.

Attack chains typically begin with scanning for, and then exploiting, known vulnerabilities in internet-facing systems. This is followed by the use of Impacket for post-exploitation and lateral movement, and finally by exfiltration of data to dedicated infrastructure. Organizations are advised to prioritize routine system updates, remediate known exploited vulnerabilities, segment their networks, and enforce phishing-resistant multi-factor authentication on all externally facing account services.
