Microsoft have released a report into a new Russian threat actor which they are tracking as Cadet Blizzard.

The gang, formerly tracked as DEV-0586, is a distinct Russian state-sponsored threat actor which Microsoft assesses is associated with the Russian General Staff Main Intelligence Directorate (GRU) but is separate from other known and more established GRU-affiliated groups such as Forest Blizzard (STRONTIUM) and Seashell Blizzard (IRIDIUM).

Microsoft say that the emergence of a novel GRU-affiliated actor, particularly one which has conducted destructive cyber operations likely supporting broader military objectives in Ukraine, is a notable development in the Russian cyber threat landscape.

WhisperGate

A month before Russia invaded Ukraine, Cadet Blizzard showcased future destructive capability when it created and deployed WhisperGate against Ukrainian government organizations. WhisperGate is a destructive capability that wipes Master Boot Records (MBRs).

Cadet Blizzard is also linked to the defacement of several Ukrainian websites, as well as multiple other activities, including the hack-and-leak forum known as “Free Civilian”.

Targets

Although global in scope, Cadet Blizzard’s operations consistently affect regional hotspots in Ukraine, Europe, Central Asia, and, periodically, Latin America.

They likely prioritise targets based on requirements consistent with Russian military or intelligence objectives, such as geolocation or perceived impact, and continue to mainly target Ukraine.

It is very plain to see that the Russian war in Ukraine is not just a physical war, but in equal measure it is a cyber war.