Microsoft linked the hacking attacks to a new group of russia’s Main Intelligence Directorate

Since April 2023, Microsoft has linked a threat group it tracks as Cadet Blizzard to the Main Directorate of the General Staff of the russian Armed Forces (also known as the GRU). This is reported by Bleeping Computer.

The company had previously linked the hacking group to the WhisperGate data destruction attacks in Ukraine that began on January 13, 2022, more than a month before the February 2022 Russian invasion of Ukraine.

Cadet Blizzard was also behind the defacement of Ukrainian websites in early 2022 and behind several hack-and-leak operations that were promoted on the Telegram channel known as “Free Civilian”.

The group is believed to have launched in 2020, targeting government services, law enforcement, non-profit/non-governmental organizations, IT service providers/consultants, and emergency services in Ukraine.

“Microsoft assesses that Cadet Blizzard operations are associated with the Russian General Staff Main Intelligence Directorate (GRU) but are separate from other known and more established GRU-affiliated groups such as Forest Blizzard (STRONTIUM) and Seashell Blizzard (IRIDIUM),” says Microsoft’s message.

The company claims that Cadet Blizzard’s attacks have a lower success rate compared to other hacking groups linked to the GRU, such as APT28 (Strontium, Fancy Bear) and Sandworm (Iridium).

While Cadet Blizzard fell off the radar after June 2022, the group resurfaced in early 2023, with its more recent cyber operations seeing occasional success. However, they still failed to match the impact their GRU counterparts’ attacks achieved.

After the 2022 defacements and data-wiping attacks, and starting in February 2023, the GRU hacking group has been behind a barrage of attacks targeting Ukrainian government organizations and IT providers.

For instance, Redmond linked to the group at least one incident in a series of breaches reported by the Computer Emergency Response Team of Ukraine (CERT-UA) in February; CERT-UA said it found evidence of backdoors planted by Russian state hackers on multiple government websites following breaches going as far back as December 2021.

CERT-UA linked the attacks to Ember Bear, a group that it believes has been active since at least March 2021, with attacks targeting Ukrainian organizations with information stealers, backdoors, and data wipers camouflaged as ransomware, primarily delivered via phishing emails.

Microsoft also believes that Cadet Blizzard focuses on NATO member countries that provide military aid to Ukraine.

As a reminder, in the spring the German police said they had stopped the activities of a russian-linked cybercriminal group, which for years blackmailed large companies and institutions, earning millions of euros. Working with law enforcement partners including Europol, the FBI, and Ukrainian authorities, Düsseldorf police said they were able to identify 11 people linked to the group, which has operated under various names since at least 2010.