"Microsoft Names Russian Threat Actor Cadet Blizzard"

Microsoft Threat Intelligence has published details on a previously tracked threat actor, DEV-0586, now named “Cadet Blizzard.”  Microsoft assesses that Cadet Blizzard is associated with the Russian General Staff Main Intelligence Directorate (GRU) and operates separately from other known GRU-affiliated groups.  While the group is less prolific than other threat actors, its destructive campaigns have targeted government organizations and IT providers, primarily in Ukraine, with occasional operations in Europe and Latin America.  For initial access, Cadet Blizzard predominantly exploited internet-facing web servers, including vulnerabilities in Confluence servers, Exchange servers, and open-source platforms.  The group then established persistence with web shells such as P0wnyshell and reGeorg, escalated privileges through living-off-the-land techniques, and harvested credentials.  For operational security it routed its activity through anonymization services such as IVPN, Surfshark, and Tor.  It also used anti-forensics techniques, exfiltrated data, deployed destructive malware, and ran hack-and-leak and information operations through Tor sites and Telegram channels.
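The persistence step above, web shells dropped on exploited Confluence or Exchange servers, is the point where a defender has the best chance of catching this activity in ordinary web server logs. The following script is an added example written for this summary; it is not code from Microsoft's report and the heuristics, weights, threshold, baseline path list and log lines are all assumptions chosen to illustrate the approach. It scores each requested path in Apache/nginx combined-format access logs on signals typical of web-shell or tunnel traffic: a server-side script extension, a path not in the server's known baseline, a reGeorg-style `cmd` control parameter, POSTs with no referer, and scripting-client user agents.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Standard Apache/nginx "combined" log layout; the group names are ours.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed heuristic weights for this example; tune them against your own traffic.
WEIGHTS = {
    "server-side script": 1,
    "not in baseline": 1,
    "control parameter": 2,      # reGeorg drives its tunnel with a "cmd" query parameter
    "POST without referer": 1,
    "scripting client UA": 1,
}
SCRIPT_EXTS = (".php", ".jsp", ".jspx", ".aspx", ".ashx", ".asmx")
SCRIPT_CLIENT_UAS = ("python-requests", "curl/", "wget/", "go-http-client")
CONTROL_PARAMS = {"cmd"}

# Constructed sample log lines (hypothetical hosts, IPs and file names, not real telemetry).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2023:10:01:02 +0000] "GET /confluence/login.action HTTP/1.1" 200 5120 "https://wiki.example.test/" "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.7 - - [12/Jun/2023:10:01:09 +0000] "POST /confluence/login.action HTTP/1.1" 302 0 "https://wiki.example.test/confluence/login.action" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.23 - - [12/Jun/2023:10:05:44 +0000] "GET /confluence/s/tunnel.jsp?cmd=connect&target=10.0.0.5&port=445 HTTP/1.1" 200 0 "-" "python-requests/2.28.1"
198.51.100.23 - - [12/Jun/2023:10:05:45 +0000] "POST /confluence/s/tunnel.jsp?cmd=forward HTTP/1.1" 200 0 "-" "python-requests/2.28.1"
198.51.100.23 - - [12/Jun/2023:10:05:46 +0000] "POST /confluence/s/tunnel.jsp?cmd=read HTTP/1.1" 200 1024 "-" "python-requests/2.28.1"
198.51.100.24 - - [12/Jun/2023:10:09:10 +0000] "POST /owa/auth/support.aspx HTTP/1.1" 200 344 "-" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.24 - - [12/Jun/2023:10:09:31 +0000] "POST /owa/auth/support.aspx HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (Windows NT 10.0)"
192.0.2.8 - - [12/Jun/2023:10:11:03 +0000] "POST /owa/auth/logon.aspx HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0)"
192.0.2.8 - - [12/Jun/2023:10:12:00 +0000] "GET /static/app.js HTTP/1.1" 200 8860 "https://wiki.example.test/" "Mozilla/5.0 (Windows NT 10.0)"
"""

# Assumed baseline of paths the application legitimately serves (build it from a clean period).
BASELINE = {"/confluence/login.action", "/owa/auth/logon.aspx", "/static/app.js"}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = set(parse_qs(parts.query, keep_blank_values=True))
    return rec


def score_paths(log_text, baseline):
    """Return {path: (weighted score, sorted reason list)} for every path that raised a signal."""
    reasons = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        p = rec["path"]
        if p.lower().endswith(SCRIPT_EXTS):
            reasons[p].add("server-side script")
        if p not in baseline:
            reasons[p].add("not in baseline")
        if rec["params"] & CONTROL_PARAMS:
            reasons[p].add("control parameter")
        if rec["method"] == "POST" and rec["referer"] in ("", "-"):
            reasons[p].add("POST without referer")
        if rec["ua"].lower().startswith(SCRIPT_CLIENT_UAS):
            reasons[p].add("scripting client UA")
    return {p: (sum(WEIGHTS[r] for r in rs), sorted(rs)) for p, rs in reasons.items()}


def hunt_webshells(log_text, baseline, threshold=3):
    """Paths whose score reaches `threshold` (an assumed cut-off), highest score first."""
    hits = {p: s for p, s in score_paths(log_text, baseline).items() if s[0] >= threshold}
    return sorted(hits.items(), key=lambda kv: -kv[1][0])


if __name__ == "__main__":
    for path, (score, why) in hunt_webshells(SAMPLE_LOG, BASELINE):
        print(f"{score}  {path}  <- {', '.join(why)}")
```

On the constructed sample the reGeorg-style tunnel path scores highest, the unknown `.aspx` receiving blind POSTs is flagged on weaker evidence, and the baselined OWA logon page is not flagged even though it also sees referer-less POSTs. Any hit should then be confirmed on disk (file creation time against the server's deployment history, and content review of the script), since scoring alone only prioritises what to look at.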

Infosecurity reports: "Microsoft Names Russian Threat Actor Cadet Blizzard"