Microsoft identifies new hacking group controlled by Russian intelligence

A hacking group that has carried out attacks targeting organizations in Europe, Latin America and Central Asia has been linked to Russia’s military intelligence agency, according to new research.

Microsoft said Wednesday that the group, which it calls Cadet Blizzard, played a significant role at the beginning of Russia’s cyberwar against Ukraine. About a month prior to the invasion, the group deployed WhisperGate malware, which targeted numerous Ukrainian government computers and websites, while Russian tanks and troops were surrounding the Ukrainian borders waiting to start the offense.

Last year, Ukrainian cybersecurity officials along with their allies from the U.K. and the U.S. attributed the WhisperGate attack to units operating under the Russian military intelligence agency known as the GRU, but they did not disclose additional details.

According to Microsoft’s report, Cadet Blizzard operates independently from other GRU-affiliated hacking groups, such as Sandworm. The group is responsible for destructive attacks, cyber espionage, hack-and-leak operations, and defacement attacks — incidents where hackers modify the visual appearance of a website.

Microsoft considers the emergence of a novel GRU-affiliated actor “a notable development in the Russian cyber threat landscape.” According to the researchers, Cadet Blizzard’s cyber operations align with Russia's wider military goals in Ukraine but also pose a danger to NATO countries that provide military aid to Ukraine.

Who is Cadet Blizzard?

Cadet Blizzard has been operating since at least 2021, but Microsoft has started tracking it since the deployment of WhisperGate in January 2022.

WhisperGate masqueraded as ransomware but instead of offering an opportunity to pay a ransom it simply wiped infected devices. WhisperGate had some similarities to the NotPetya wiper that targeted Ukrainian businesses in 2017.

In addition to WhisperGate, Cadet Blizzard is also linked to the defacement of several Ukrainian government websites and a hack-and-leak operation, when hackers leaked and posted stolen Ukrainian government data on darknet websites.

The group was most active between January and June 2022 but it continues to perform destructive attacks, espionage, and information operations against Ukraine and its allies. The group mostly targets government organizations and information technology providers in Ukraine, but some of its targets are located elsewhere in Europe and Latin America.

Unlike other Russian-linked groups that prefer to remain undetected to perform espionage, Cadet Blizzard cyberattacks are extremely disruptive and most likely intended to intimidate their targets, Microsoft said.

Cadet Blizzard’s attacks are not as prolific and sophisticated as Sandworm’s, according to Microsoft, but they are designed to hamper network operations and expose sensitive information.

Microsoft warned that organizations should be wary of Cadet Blizzard’s activity as the group compromises and maintains a foothold on affected networks for months, often exfiltrating data prior to disruptive actions.

As the war continues, Cadet Blizzard poses an increasing risk to the European community, according to Microsoft, specifically, any successful attacks against governments and IT service providers, “which may give the actor tactical and strategic-level insight into Western operations and policy surrounding the conflict.”