
Cadet Blizzard Dissection


Researchers from Microsoft Threat Intelligence have released a detailed report on a previously tracked threat actor (DEV-0586), now dubbed Cadet Blizzard, which originates from Russia.

Microsoft believes Cadet Blizzard is associated with the Russian General Staff Main Intelligence Directorate (GRU) and operates separately from other known GRU-affiliated groups.

Though the group’s activities may be less prolific than other threat actors, their destructive campaigns have targeted government organizations and IT providers primarily in Ukraine, with occasional operations in Europe and Latin America.


Cadet Blizzard predominantly achieved initial access by exploiting web servers and vulnerabilities in Confluence servers, Exchange servers and open-source platforms. They maintained persistence on networks using web shells like P0wnyshell and reGeorg, escalated privileges through living-off-the-land techniques and harvested credentials.
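Since web shells planted on exploited Exchange or Confluence servers show up as the web server's worker process spawning a shell or a living-off-the-land binary, a simple detection over process-creation telemetry is a practical first check. This is an added example, not code from the post or from Microsoft's report; the event fields, image names and sample events are constructed for illustration.

```python
"""Flag web-shell-like execution: a web-server worker process spawning a shell.

Added example (not from the original post or Microsoft's report). Event
format, field names and sample events below are constructed for illustration.
"""
from dataclasses import dataclass

# Worker processes of the software named in the post (Exchange runs on IIS,
# Confluence on Java/Tomcat). Assumption: image names as commonly observed.
WEB_WORKERS = {"w3wp.exe", "java.exe", "java", "tomcat9.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash"}
# Binaries commonly abused for living-off-the-land follow-up after a web shell.
LOLBINS = {"whoami.exe", "net.exe", "nltest.exe", "certutil.exe", "rundll32.exe"}


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent_image: str
    image: str
    cmdline: str


def basename(path: str) -> str:
    """Normalise Windows and POSIX paths to a lowercase image name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: ProcEvent) -> int:
    """0 = not suspicious, 1 = LOLBin child of a web worker, 2 = shell child."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    if parent not in WEB_WORKERS:
        return 0
    if child in SHELLS:
        return 2
    return 1 if child in LOLBINS else 0


def detect_webshell_activity(events):
    """Return (host, child image, score) for events that look like web-shell use."""
    return [(ev.host, basename(ev.image), s)
            for ev in events if (s := score_event(ev)) > 0]


# Constructed sample telemetry: an Exchange-like hit, a Confluence-like hit, two benign.
SAMPLE_EVENTS = [
    ProcEvent("mail01", r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcEvent("wiki01", "/usr/bin/java", "/bin/sh", "sh -c 'id'"),
    ProcEvent("mail01", r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\conhost.exe", "conhost.exe"),
    ProcEvent("ws07", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
]

if __name__ == "__main__":
    for hit in detect_webshell_activity(SAMPLE_EVENTS):
        print("ALERT web-shell-like execution:", hit)
```

Feed real EDR or Sysmon process-creation events into `ProcEvent` and treat a score of 2 as a high-priority alert; a tunnelling web shell like reGeorg will not necessarily spawn a child process, so pair this with web-server access-log review.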

Cadet Blizzard reportedly conducted lateral movement with obtained network credentials and modules from the Impacket framework, while C2 was achieved via socket-based tunneling utilities and occasionally Meterpreter.

To maintain operational security, Cadet Blizzard used anonymization services like IVPN, SurfShark and Tor. They employed anti-forensics techniques and carried out destructive actions, including data exfiltration, deploying malware, hack-and-leak operations and information operations through Tor sites and Telegram channels.

Activities linked to Cadet Blizzard indicate that they are comprehensive in their approach and have demonstrated an ability to hold networks at risk of continued compromise for an extended period. A thorough incident response approach may be necessary to effectively address and recover from the activities carried out by Cadet Blizzard.

More information on the research notes can be found here

