Summary:
Cadet Blizzard (DEV-0586) is a Russian GRU-affiliated cyber threat group that has been active since at least 2020, primarily targeting Ukrainian government agencies and critical infrastructure. Following a series of cyberattacks during the 2022 Russian invasion of Ukraine, the group expanded its operations to Europe and Latin America, combining publicly available tooling with custom malware for espionage and disruption. Their activities include data exfiltration, credential theft, and the use of destructive malware such as the WhisperGate wiper.
Keypoints:
- Cadet Blizzard is linked to the Russian military intelligence agency GRU.
- First tracked by Microsoft in early 2022 during cyberattacks on Ukraine.
- Targets include government organizations, critical infrastructure, and NATO member states.
- Operations cover the full intrusion chain: reconnaissance, initial access through vulnerable public-facing applications or default credentials, persistence via web shells, credential theft, and lateral movement.
- Employs various malware and tools, including WhisperGate, to disrupt systems and exfiltrate data.
- Resumed operations in January 2023 after a period of reduced activity.
- Focuses on politically motivated attacks aligned with Russia’s strategic goals.
- Defensive measures against Cadet Blizzard include email filtering, EDR, network segmentation, and incident response planning.
MITRE Techniques:
- Gather Victim Network Information: DNS (T1590.002): Uses Amass and VirusTotal to gather DNS information on subdomains of target websites.
- Active Scanning (T1595): Utilizes open-source tools for active scanning during targeting.
- Active Scanning: Scanning IP Blocks (T1595.001): Scans IP ranges using public tools to find victim IPs.
- Active Scanning: Vulnerability Scanning (T1595.002): Scans for exploitable vulnerabilities in IoT devices using tools like Acunetix.
- Search Open Technical Databases: Scan Databases (T1596.005): Uses Shodan to discover internet-connected hosts.
- Acquire Infrastructure: Virtual Private Server (T1583.003): Uses VPS to host tools, perform recon, exploit, and exfiltrate data.
- Obtain Capabilities: Malware (T1588.001): Obtains publicly available malware for operations, like Raspberry Robin.
- Obtain Capabilities: Exploits (T1588.005): Uses exploit scripts from GitHub to attack victim infrastructure.
- Valid Accounts: Default Accounts (T1078.001): Uses default usernames and passwords to access IP cameras.
- Exploit Public-Facing Application (T1190): Exploits vulnerabilities in public-facing apps like CVE-2021-33044.
- Command and Scripting Interpreter: PowerShell (T1059.001): Executes commands and operational tasks via PowerShell.
- Server Software Component: Web Shell (T1505.003): Deploys web shells for persistent access.
- OS Credential Dumping: LSASS Memory (T1003.001): Dumps LSASS process memory and exfiltrates the dump to extract credentials offline.
- OS Credential Dumping: Security Account Manager (T1003.002): Dumps usernames and hashed passwords from the SAM.
- Brute Force: Password Spraying (T1110.003): Uses password spraying on Microsoft OWA infrastructure to collect credentials.
- Unsecured Credentials: Credentials in Files (T1552.001): Dumps configuration files from IP cameras to collect credentials.
- Network Service Discovery (T1046): Uses Nmap scripts to discover and scan other machines in the network.
- Log Enumeration (T1654): Enumerates and exfiltrates SYSTEM and SECURITY logs.
- Use Alternate Authentication Material: Pass the Hash (T1550.002): Uses Pass-the-Hash for SMB authentication.
- Email Collection (T1114): Compromises mail servers to exfiltrate emails.
- Video Capture (T1125): Exfiltrates images from IoT devices like IP cameras.
- Data from Information Repositories: Confluence (T1213.001): Uses the publicly available Through the Wire exploit tool against Confluence servers to reach the data they hold.
- Archive Collected Data (T1560): Compresses data to exfiltrate files or system information.
- Proxy: Multi-hop Proxy (T1090.003): Uses ProxyChains for multi-hop proxy to anonymize traffic.
- Application Layer Protocol: Web Protocols (T1071.001): Sends payloads via POST requests over HTTP.
- Application Layer Protocol: DNS (T1071.004): Uses DNS tunneling tools (e.g., dnscat2, Iodine) for command and control.
- Non-Application Layer Protocol (T1095): Uses raw reverse TCP connections for command and control.
- Ingress Tool Transfer (T1105): Transfers Meterpreter payload for command execution.
- Protocol Tunneling (T1572): Uses OpenVPN and GOST for traffic tunneling to anonymize activities.
- Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002): Exfiltrates data to cloud storage services like MEGA using Rclone.
- Data Destruction (T1485): Destroys data as part of their disruptive operations.
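Several of the techniques above leave a recognizable footprint in ordinary authentication telemetry. The following is an added example, written for this page and not drawn from the SOCRadar profile or from any Cadet Blizzard tooling: a small Python detector for the OWA password-spraying behaviour (T1110.003), run over constructed Windows Security logon events as a SIEM might export them from an Exchange server. The log format, IP addresses, account names and timestamps are all made up for the example; the only real mapping used is Windows event ID 4625 for a failed logon and 4624 for a successful one. It flags a source IP that fails logons against many distinct accounts inside a short window, which is what a spray looks like and what a single user mistyping their own password does not, and it reports any later successful logon from the same source so the analyst can prioritise the account that was actually guessed.

```python
"""Password-spray detection over constructed OWA logon telemetry (T1110.003).

Added example for this page; not code from the SOCRadar profile or from the
threat actor. All sample data below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data). One CSV row per logon attempt:
# timestamp, source IP, target account, Windows event ID (4625 failure, 4624 success).
# 203.0.113.7 sprays six accounts in 40 seconds and then lands one (k.boyko).
# 198.51.100.20 is a single user retrying their own password.
# 192.0.2.5 is a low-and-slow spray: five accounts spread over two hours.
SAMPLE_LOG = """\
2023-01-15T08:00:01,203.0.113.7,a.ivanenko,4625
2023-01-15T08:00:09,203.0.113.7,o.shevchenko,4625
2023-01-15T08:00:17,203.0.113.7,m.kovalenko,4625
2023-01-15T08:00:26,203.0.113.7,i.bondar,4625
2023-01-15T08:00:34,203.0.113.7,s.tkachenko,4625
2023-01-15T08:00:41,203.0.113.7,d.melnyk,4625
2023-01-15T08:00:50,203.0.113.7,k.boyko,4624
2023-01-15T08:05:00,198.51.100.20,a.ivanenko,4625
2023-01-15T08:05:30,198.51.100.20,a.ivanenko,4625
2023-01-15T08:06:00,198.51.100.20,a.ivanenko,4625
2023-01-15T08:06:30,198.51.100.20,a.ivanenko,4624
2023-01-15T09:00:00,192.0.2.5,a.ivanenko,4625
2023-01-15T09:30:00,192.0.2.5,o.shevchenko,4625
2023-01-15T10:00:00,192.0.2.5,m.kovalenko,4625
2023-01-15T10:30:00,192.0.2.5,i.bondar,4625
2023-01-15T11:00:00,192.0.2.5,s.tkachenko,4625
"""


def parse_log(text):
    """Parse CSV rows into (timestamp, source_ip, account, failed) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, event_id = line.split(",")
        events.append((datetime.fromisoformat(ts), ip, user.lower(), event_id == "4625"))
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs that fail logons for >= min_users distinct accounts
    within any `window`-long span. Returns {ip: details}."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ts, ip, user, failed in events:
        (failures if failed else successes)[ip].append((ts, user))

    hits = {}
    for ip, attempts in failures.items():
        attempts.sort()
        start = 0
        # Sliding window over this IP's failures, ordered by time.
        for end, (ts_end, _) in enumerate(attempts):
            while ts_end - attempts[start][0] > window:
                start += 1
            users_in_window = {u for _, u in attempts[start:end + 1]}
            if len(users_in_window) >= min_users:
                first_ts = attempts[start][0]
                hits[ip] = {
                    "window_start": first_ts.isoformat(),
                    "sprayed_accounts": sorted({u for _, u in attempts}),
                    # Accounts that logged in successfully from the same IP
                    # after the spray began: likely the guessed password worked.
                    "successes_after": sorted(
                        u for t, u in successes.get(ip, []) if t >= first_ts
                    ),
                }
                break
    return hits


if __name__ == "__main__":
    for ip, details in detect_password_spray(parse_log(SAMPLE_LOG)).items():
        print(ip, details)
```

With the default ten-minute window only 203.0.113.7 is flagged; the low-and-slow source 192.0.2.5 only appears if the window is widened to a few hours, which is the usual trade-off when tuning this rule against an actor patient enough to spread attempts out. In production the same logic belongs in the SIEM, fed by the OWA server's 4625/4624 events and, for the correct source IP, by the X-Forwarded-For value recorded at the load balancer rather than the balancer's own address.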
IoC:
- No IoC Found.
Full Research: https://socradar.io/dark-web-profile-cadet-blizzard/