Microsoft Links 2022 WhisperGate Kyiv Attacks to Russia

Microsoft said a newly identified Russian military intelligence threat actor uses noisily destructive payloads in a bid to intimidate mostly Ukrainian targets.

See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm

The computing giant dubbed the threat actor Cadet Blizzard and said it’s distinct from other well-known Russian military intelligence hacking groups, such as Sandworm and APT28, which is also known as Fancy Bear.

“The emergence of a novel GRU affiliated actor, particularly one which has conducted destructive cyber operations likely supporting broader military objectives in Ukraine, is a notable development in the Russian cyber threat landscape,” says a blog post from Microsoft Threat Intelligence. GRU is the common acronym for the foreign intelligence branch of the general staff of Russia’s military.

Cadet Blizzard has been operational since at least 2020. It initiated the wave of destructive wiper attacks against Ukraine in the weeks and days leading up to the Kremlin’s February 2022 invasion of Ukraine. Specifically, it created and developed WhisperGate, a wiper that deletes the master boot record, Microsoft said.

Unlike some other cyberespionage threat actors, Cadet Blizzard performs disruptive attacks designed to draw attention. A wave of WhisperGate attacks in mid-January 2022 came packaged with defacements of Ukrainian government websites in a campaign that depicted itself as ransomware.

The newly identified group has a Telegram channel with the handle Free Civilian; it only has around 1,200 followers. It also has a dark web leak site of the same name that did not appear accessible as of Wednesday afternoon. Dark web monitoring firm Dark Owl in early 2022 assessed that data files offered for sale on the Free Civilian hack-and-leak site did not appear to have come from the mid-January wave of cyberattacks against Ukraine.

At the time, a Ukrainian official attributed the WhisperGate cyberattacks to a group linked to Belarusian intelligence, although he noted similarities between WhisperGate and malware deployed by APT28.

Microsoft said Cadet Blizzard has gained initial access through a variety of ways, including by exploiting “commodity vulnerabilities” in open-source platforms such as content management systems and the now-patched Microsoft Exchange ProxyNotShell vulnerability (see: Microsoft Patches ProxyNotShell Exchange Vulnerabilities).

The group uses “living off the land” techniques, which means it uses Windows system tools for its ends. It can maintain persistence on a network for months and exfiltrate data prior to triggering a disruptive action. Among its preferred targets are IT providers and software developers, because hackers can use them to infiltrate those companies’ clients.

Microsoft warns that as Russia’s invasion of Ukraine persists, Cadet Blizzard poses increasing risk to European allies of Ukraine. Friendly governments and IT service providers alike are targets of espionage, and gaining access to those sectors enables the group to carry out noisy retaliatory operations.