Microsoft has identified a new cyber threat actor called Cadet Blizzard, associated with the Russian GRU (military intelligence service), and attributed a series of cyberattacks targeting government agencies and IT service providers in Ukraine to the group. These attacks, which started in February 2023, are linked to the WhisperGate data-wiping attacks observed in January 2022, prior to Russia's invasion.
Cadet Blizzard employs stolen credentials to breach perimeter servers and uses web shells and living-off-the-land techniques to maintain access and move laterally within networks. The group's focus includes Ukraine, NATO member states supporting Ukraine, and other organisations in Europe and Latin America.
Microsoft reports that while not as successful as other GRU-affiliated actors, Cadet Blizzard has recently gained some traction. Microsoft has shared detailed technical information to help the security community identify and defend against these attacks. The company has been assisting Ukraine in its cybersecurity efforts and has revised its naming system for threat actors, using weather event names such as 'Blizzard' for Russian actors.