The U.S. government, along with a coalition of international partners, has officially attributed the Russian hacker group known as “Cadet Blizzard” to the General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center, also referred to as Unit 29155. This group, active since at least 2020, is accused of carrying out extensive cyber espionage, sabotage, and operations aimed at causing reputational harm against various global targets.
Focus on Ukraine and Global Infrastructure
Since early 2022, Cadet Blizzard’s primary objective has reportedly been to target and disrupt international efforts to aid Ukraine. The group has focused its attacks on critical infrastructure sectors, including government services, financial institutions, transportation systems, energy grids, and healthcare sectors across NATO member states, the European Union, and various countries in Central America and Asia.
The joint advisory, released last week as part of a coordinated operation named “Operation Toy Soldier,” comes from cybersecurity and intelligence authorities in the U.S., the Netherlands, the Czech Republic, Germany, Estonia, Latvia, Ukraine, Canada, Australia, and the U.K.
Background of Cadet Blizzard’s Cyber Activities
Also known by aliases such as Ember Bear, FROZENVISTA, Nodaria, Ruinous Ursa, UAC-0056, and UNC2589, the group gained notoriety in January 2022 for deploying the WhisperGate (also known as PAYWIPE) malware against several Ukrainian organizations just before Russia’s invasion of Ukraine. WhisperGate was not used exclusively by Cadet Blizzard, but the group has been strongly associated with it.
In June 2024, Amin Timovich Stigal, a 22-year-old Russian national, was indicted in the U.S. for his alleged involvement in destructive cyber attacks using this wiper malware. Meanwhile, the U.S. Department of Justice (DoJ) has charged five officers from Unit 29155 for conspiracy to commit computer intrusion and wire fraud against targets in Ukraine, the U.S., and 25 other NATO countries.
Identities of the Indicted Officers
The officers charged include:
- Yuriy Denisov (Юрий Денисов): A colonel in the Russian military and a commanding officer for Cyber Operations at Unit 29155.
- Vladislav Borovkov (Владислав Боровков), Denis Denisenko (Денис Денисенко), Dmitriy Goloshubov (Дима Голошубов), and Nikolay Korchagin (Николай Корчагин): Lieutenants in the Russian military assigned to Unit 29155 involved in cyber operations.
A $10 Million Reward and Future Implications
The U.S. Department of State’s “Rewards for Justice” program has announced a reward of up to $10 million for information leading to the identification or location of the hackers or details about their malicious cyber activities.
Unit 29155 is also believed to be involved in attempted coups, sabotage, influence operations, and assassination attempts throughout Europe, alongside their offensive cyber operations since at least 2020. The goal of these intrusions includes espionage, reputational damage through data leaks, and destructive operations that compromise sensitive systems.
Tactics and Techniques Used by Cadet Blizzard
The group reportedly employs a range of cyber tactics, including website defacements, infrastructure scanning, data exfiltration, and data leak operations. Attack chains often start with exploiting vulnerabilities in software such as Atlassian Confluence Server, Dahua Security systems, and Sophos firewalls, followed by the use of Impacket for lateral movement and data extraction.
The advisory mentions the possible use of Raspberry Robin malware as an access broker and targeted attacks on Microsoft Outlook Web Access (OWA) infrastructure through password spraying techniques.
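The password-spraying activity against OWA described above has a recognisable footprint in authentication logs: one source address producing failed logons across many distinct accounts with only one or two attempts per account, rather than many attempts against one account. The following is an added detection example, not code from the advisory or from any vendor; the log format and the sample lines are constructed for illustration (the source addresses are documentation ranges), and a real deployment would parse the IIS or Exchange logs actually in use.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines (not real OWA/IIS output): one logon attempt per line.
# 203.0.113.7 tries a password against many accounts (a spray pattern);
# 198.51.100.9 is one user retrying their own password (not a spray).
SAMPLE_LOG = """\
2024-09-05T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2024-09-05T10:00:03Z src=203.0.113.7 user=bob result=FAIL
2024-09-05T10:00:05Z src=203.0.113.7 user=carol result=FAIL
2024-09-05T10:00:07Z src=203.0.113.7 user=dave result=FAIL
2024-09-05T10:00:09Z src=203.0.113.7 user=erin result=FAIL
2024-09-05T10:00:11Z src=203.0.113.7 user=frank result=FAIL
2024-09-05T10:00:13Z src=203.0.113.7 user=grace result=OK
2024-09-05T10:01:00Z src=198.51.100.9 user=heidi result=FAIL
2024-09-05T10:01:20Z src=198.51.100.9 user=heidi result=FAIL
2024-09-05T10:01:40Z src=198.51.100.9 user=heidi result=FAIL
2024-09-05T10:02:00Z src=198.51.100.9 user=heidi result=OK
"""

# Assumed (constructed) line layout: timestamp, source address, account, outcome.
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(\S+)$")


def parse(lines):
    """Turn log lines into (timestamp, src, user, success) tuples; skip unparseable lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m.group(2), m.group(3), m.group(4) == "OK"))
    return events


def detect_spray(events, window_seconds=600, min_users=5, max_per_user=2):
    """Flag a source that fails against >= min_users distinct accounts inside one
    sliding window while never exceeding max_per_user attempts on any single account.
    The per-user cap is what separates a spray from a brute force or a forgetful user."""
    by_src = defaultdict(list)
    for ts, src, user, ok in events:
        if not ok:
            by_src[src].append((ts, user))
    alerts = []
    for src, fails in by_src.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            counts = defaultdict(int)
            for ts, user in fails[i:]:
                if (ts - start).total_seconds() > window_seconds:
                    break
                counts[user] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                alerts.append({
                    "src": src,
                    "window_start": start,
                    "distinct_users": len(counts),
                    "failures": sum(counts.values()),
                })
                break  # one alert per source is enough for triage
    return alerts


def successes_after_spray(events, alerts):
    """Successful logons from a flagged source at or after its spray window began:
    these are the accounts to reset and review first."""
    flagged = {a["src"]: a["window_start"] for a in alerts}
    return [(src, user) for ts, src, user, ok in events
            if ok and src in flagged and ts >= flagged[src]]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG.splitlines())
    found = detect_spray(evs)
    for a in found:
        print(f"spray from {a['src']}: {a['distinct_users']} accounts, "
              f"{a['failures']} failures from {a['window_start'].isoformat()}")
    for src, user in successes_after_spray(evs, found):
        print(f"  successful logon for {user} from {src} after spray began")
```

The thresholds (window, minimum distinct accounts, per-account cap) are starting points to tune against a baseline of normal failed-logon volume; a source that hits the distinct-account threshold and then succeeds for any account is the case worth paging on, which is also why the advisory's recommendation of phishing-resistant MFA on external services matters: it turns that one guessed password into a non-event.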
Recommendations for Organizations
Organizations are advised to prioritize system updates, address known vulnerabilities, segment networks to contain malicious activities, and enforce multi-factor authentication (MFA) resistant to phishing for all external services.
Source: https://thehackernews.com/2024/09/us-offers-10-million-for-info-on.html