Cadet Blizzard’s Activity Detection: Novel russia-Linked Nation-Backed Threat Actor Tracked as DEV-0586 Comes to the Scene

June 15, 2023 · 5 min read

Since the outbreak of russia’s full-scale invasion of Ukraine, the aggressor has been launching multiple cyber attacks against Ukraine and its allies, with a growing number of state-sponsored hacking collectives emerging and resurfacing in the cyber threat arena. During the conflict, russia’s offensive forces have launched over 2,100 attacks with disparate levels of sophistication and impact, experimenting with a wide range of adversary tools and leveraging diverse TTPs, which requires ultra-responsiveness from cyber defenders. Cybersecurity researchers have recently unveiled the malicious activity of a novel russian nation-backed hacking group dubbed Cadet Blizzard and tracked as DEV-0586, which is believed to be behind the notorious attack leveraging the destructive WhisperGate malware.

Detect Cadet Blizzard aka DEV-0586 Malicious Activity 

Ukraine is increasingly used as a testing field for novel TTPs used by russian nation-state actors, acting as a cyber frontline for malicious counterparts who want to escalate their attacks globally. By directly cooperating with CERT-UA and SSSCIP, the SOC Prime team researches, develops, and tests Sigma rules on the real battlefield, aggregating relevant detection algorithms and encouraging global collaboration through SOC Prime’s Platform.

The new Cadet Blizzard APT has recently come into the limelight of security researchers worldwide; however, the group has a lot in common with the malicious actor tracked by CERT-UA as UAC-0056. The hacking collective has been continuously attacking Ukrainian infrastructure throughout 2022-2023.

To equip cybersecurity professionals with curated detection content addressing Cadet Blizzard’s TTPs, SOC Prime Platform offers a set of dedicated Sigma rules and advanced tools to enable proactive cyber defense against possible intrusions. All rules are compatible with 25+ SIEM, EDR, and XDR solutions and mapped to the MITRE ATT&CK® framework v12 to help security professionals streamline investigation and threat hunting operations.

Press the Explore Detections button below to immediately drill down to a Sigma rules bundle aimed at detecting Cadet Blizzard attacks. All the rules are accompanied by extensive metadata, including ATT&CK and CTI references. To simplify the content search, SOC Prime supports filtering by the tags “Cadet Blizzard” and “DEV-0586” based on the group identifiers.


Who Is Cadet Blizzard?

On June 14, 2023, the Microsoft Threat Intelligence team issued a report covering the activity of a novel russian nation-backed hacking collective identified as Cadet Blizzard or DEV-0586. Researchers have analyzed the group’s malicious activity over the past year, providing insights into their offensive capabilities and TTPs. Cadet Blizzard is a russian GRU-sponsored threat group, alongside similar hacking collectives like Forest Blizzard (STRONTIUM) and Seashell Blizzard (IRIDIUM) that are also linked to the GRU. However, despite the similarities, Cadet Blizzard is considered a distinct GRU-affiliated hacking group, which is highly likely to be behind destructive cyber attacks against Ukraine. Cadet Blizzard threat actors are believed to be linked to the deployment of the WhisperGate destructive data-wiping malware affecting the IT infrastructure of Ukrainian state bodies just a month before russia’s full-fledged invasion.

In late February 2023, CERT-UA researchers issued an alert notifying cyber defenders of the ongoing malicious activity of DEV-0586 threat actors, also tracked as UAC-0056, in which adversaries applied multiple backdoors striving to disrupt the stability of government websites. Hot on the heels of the corresponding CERT-UA notice, CISA issued an alert aimed at raising cybersecurity awareness and increasing cyber vigilance in response to the growing threats linked to the aggressor’s offensive operations in the cyber threat arena.

According to Microsoft’s research, Cadet Blizzard’s activity dates back to 2020 and was mainly focused on GRU-led cyber espionage campaigns and information gathering, with Ukrainian IT providers and state bodies being the primary targets, while also setting eyes on organizations in the EU, Central Asia, and Latin America. Cadet Blizzard is known to gain a foothold on impacted networks and exfiltrate data from compromised users before the active attack stage. For instance, in the attack aimed at crippling government websites in February 2023, threat actors leveraged backdoors that had been planted months before the malicious campaign. In addition to the established links with the GRU, Microsoft researchers also believe that at least one russian private-sector organization has financially supported Cadet Blizzard’s malicious operations, including the WhisperGate campaign.

Before russia’s full-scale invasion of Ukraine, DEV-0586 threat actors were observed targeting Eastern European government entities and technology organizations in mid-spring 2021, gradually expanding the scope of their attacks.

Cadet Blizzard’s malicious toolset is rather broad, combining living-off-the-land techniques, exploits for Confluence and Exchange server vulnerabilities, ProxyShell exploits, various persistence mechanisms such as webshells, exploit kits, as well as custom and commodity malware samples. Unlike the majority of russian nation-state actors, which typically prefer to fly under the radar to perform cyber espionage, Cadet Blizzard has launched a set of purely destructive operations meant to cause public resonance and act as a signal to the targets of interest. Adversaries also leverage anti-forensic techniques, for instance, by applying malicious samples that are capable of disabling Microsoft Defender Antivirus, which can pose a challenge for detecting the group’s activity.
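The Defender-disabling behavior mentioned above is the kind of anti-forensic step a detection rule can catch at the moment it happens rather than after the fact. As an added illustration, not code from SOC Prime or Microsoft and not one of the Sigma rules the bundle ships, the script below implements two small Sigma-style detections in Python over constructed Sysmon-shaped events: a registry write that sets a Windows Defender policy value to 1 (Sysmon EventID 13) and a PowerShell `Set-MpPreference` invocation carrying a disable switch (Sysmon EventID 1). The event field names follow Sysmon’s schema; the registry value names and cmdlet switches are documented Defender settings; the sample events are constructed for this example.

```python
"""Sigma-style detection of Microsoft Defender tampering over Sysmon-shaped events.

Added example, not SOC Prime's or Microsoft's code. Field names (EventID, Image,
CommandLine, TargetObject, Details) follow the Sysmon schema; the sample events
at the bottom are constructed for this illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Documented Windows Defender policy values; a DWORD of 1 turns the component off.
DEFENDER_POLICY_VALUES = (
    r"\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
    r"\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
)

# Set-MpPreference switches that weaken Defender at runtime (matched case-insensitively).
MPPREFERENCE_SWITCHES = (
    "-disablerealtimemonitoring",
    "-disablebehaviormonitoring",
    "-disableioavprotection",
)


@dataclass
class Alert:
    rule: str
    event_index: int
    evidence: str


def match_registry_tamper(event: Dict) -> Optional[str]:
    """Sysmon EventID 13 (registry SetValue) writing 1 to a Defender disable value."""
    if event.get("EventID") != 13:
        return None
    target = event.get("TargetObject", "")
    details = str(event.get("Details", "")).strip().upper()
    if any(target.endswith(v) for v in DEFENDER_POLICY_VALUES) and details in ("1", "DWORD (0X00000001)"):
        return target
    return None


def match_mppreference_tamper(event: Dict) -> Optional[str]:
    """Sysmon EventID 1 (process creation) running Set-MpPreference with a disable switch."""
    if event.get("EventID") != 1:
        return None
    cmd = event.get("CommandLine", "")
    low = cmd.lower()
    if "set-mppreference" in low and any(s in low for s in MPPREFERENCE_SWITCHES):
        return cmd
    return None


RULES = {
    "defender_disabled_via_registry": match_registry_tamper,
    "defender_disabled_via_set_mppreference": match_mppreference_tamper,
}


def scan(events: List[Dict]) -> List[Alert]:
    """Run every rule over every event and collect the hits in event order."""
    alerts: List[Alert] = []
    for i, ev in enumerate(events):
        for name, fn in RULES.items():
            hit = fn(ev)
            if hit is not None:
                alerts.append(Alert(name, i, hit))
    return alerts


# Constructed sample telemetry: two tampering events and two benign look-alikes.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    # Benign: the same value written back to 0 (re-enabling) must not alert.
    {"EventID": 13, "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000000)"},
    # Benign: reading preferences is not tampering.
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -c "Get-MpPreference"'},
]


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] event #{a.event_index}: {a.evidence}")
```

The two benign events are there on purpose: a rule that keys only on the value name or only on the cmdlet name fires on Defender re-enabling itself and on routine `Get-MpPreference` checks, which is the noise that gets such rules switched off in production. Matching on the written value and on the specific disable switches keeps the signal while still covering both the registry and the PowerShell route.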

To mitigate the threats related to Cadet Blizzard’s malicious activity, cyber defenders recommend enabling MFA and cloud-delivered protection, checking all authentication activity for remote access infrastructure to prevent potential system compromise, and following industry best practices to improve cyber hygiene.

Rely on SOC Prime to be fully equipped with detection content against any exploitable CVE or any TTP used in the ongoing cyber attacks. Access the world’s fastest feed of security news, tailored threat intelligence, and the largest repository of curated 10,000+ Sigma rules continuously enriched with new detection ideas. Unlock the power of augmented intelligence and collective industry expertise to equip any security team member with an ultimate tool for advanced detection engineering. Identify blind spots and timely address them to ensure complete threat visibility based on the organization-specific logs without moving data to the cloud. Register to SOC Prime Platform now and empower your security team with the best tooling for a secure tomorrow. 
