Microsoft Warns of a New Russian State-Sponsored Hacker Group

vtqhtr413 · Level 27 · Thread author · Well-known · Aug 17, 2017 · 1,609
Microsoft on Wednesday took the lid off a "novel and distinct Russian threat actor," which it said is linked to the General Staff Main Intelligence Directorate (GRU) and has a "relatively low success rate." The tech giant's Threat Intelligence team, which was previously tracking the group under its emerging moniker DEV-0586, has graduated it to a named actor dubbed Cadet Blizzard.

"Cadet Blizzard seeks to conduct disruption, destruction, and information collection, using whatever means are available and sometimes acting in a haphazard fashion," the company said. "While the group carries high risk due to their destructive activity, they appear to operate with a lower degree of operational security than that of longstanding and advanced Russian groups such as Seashell Blizzard and Forest Blizzard."

"Cadet Blizzard is active seven days a week and has conducted its operations during its primary targets' off-business hours when its activity is less likely to be detected," Microsoft's Tom Burt said. "In addition to Ukraine, it also focuses on NATO member states involved in providing military aid to Ukraine." It's worth noting that Cadet Blizzard also overlaps with groups monitored by the broader cybersecurity community under the names Ember Bear (CrowdStrike), FROZENVISTA (Google TAG), Nodaria (Symantec), TA471 (Proofpoint), UAC-0056 (CERT-UA), and UNC2589 (Google Mandiant).

New Report Reveals Shuckworm's Long-Running Intrusions on Ukrainian Organizations

"The attackers repeatedly attempted to access and steal sensitive information such as reports about the deaths of Ukrainian service members, reports from enemy engagements and air strikes, arsenal inventory reports, training reports, and more." Shuckworm, also known by the names Aqua Blizzard (formerly Actinium), Armageddon, Gamaredon, Iron Tilden, Primitive Bear, Trident Ursa, UNC530, and Winterflounder, is attributed to Russia's Federal Security Service (FSB). It's said to be active since at least 2013.

The cyber espionage activities consist of spear-phishing campaigns that are designed to entice victims into opening booby-trapped attachments, which ultimately lead to the deployment of information stealers such as Giddome, Pterodo, GammaLoad, and GammaSteel on infected hosts. "Iron Tilden sacrifices some operational security in favor of high tempo operations, meaning that their infrastructure is identifiable through regular use of specific Dynamic DNS providers, Russian hosting providers, and remote template injection techniques," Secureworks notes in its profile of the threat actor.
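The Secureworks quote above names remote template injection as one of the identifiable habits of this actor. As an added example (my own code, not from the articles quoted in this post or from any of the vendors named), here is a small defender-side check that opens a .docx in memory and reports any attached-template relationship that points at an HTTP(S) URL or a UNC path. The relationship type URI and the `word/_rels/*.rels` layout are standard OOXML; the three sample documents are constructed fixtures built inline, and the host name in the "remote" fixture is a placeholder. A locally attached Normal.dotm is also stored with TargetMode="External" (as a file:/// URL), so the check deliberately ignores file:// targets to avoid flagging every ordinary document.

```python
from __future__ import annotations

import io
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML relationship type for a document's attached template.
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Relationship parts that can carry the attached-template reference.
RELS_PARTS = ("word/_rels/settings.xml.rels", "word/_rels/document.xml.rels")

# Target prefixes treated as "remote": web URLs and UNC shares.
REMOTE_PREFIXES = ("http://", "https://", "\\\\")


def find_remote_templates(docx_bytes: bytes) -> list[str]:
    """Return attachedTemplate targets in a .docx that resolve to a remote location.

    A clean document has no attachedTemplate relationship or points at a local
    template (file:///...Normal.dotm); a document fetching its template over
    HTTP(S) or SMB is the shape remote template injection relies on.
    """
    hits: list[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
        for part in RELS_PARTS:
            if part not in names:
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and target.lower().startswith(REMOTE_PREFIXES):
                    hits.append(target)
    return hits


# --- constructed fixtures (minimal parts, enough for the check to run) ---
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    "</Types>"
)
DOCUMENT_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    "<w:body/></w:document>"
)
SETTINGS_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>'
)


def _rels(target: str) -> str:
    """Build a settings.xml.rels part with one attachedTemplate relationship."""
    return (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" Target="{target}" TargetMode="External"/>'
        "</Relationships>"
    )


def build_docx(rels_xml: str | None) -> bytes:
    """Assemble a minimal constructed .docx in memory; rels_xml=None omits the rels part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("word/document.xml", DOCUMENT_XML)
        zf.writestr("word/settings.xml", SETTINGS_XML)
        if rels_xml is not None:
            zf.writestr("word/_rels/settings.xml.rels", rels_xml)
    return buf.getvalue()


# Placeholder host; constructed for the example, not an observed indicator.
SAMPLE_REMOTE = build_docx(_rels("http://template-host.invalid/update.dotm"))
SAMPLE_LOCAL = build_docx(_rels("file:///C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm"))
SAMPLE_CLEAN = build_docx(None)

if __name__ == "__main__":
    for label, blob in (("remote", SAMPLE_REMOTE), ("local", SAMPLE_LOCAL), ("clean", SAMPLE_CLEAN)):
        print(label, find_remote_templates(blob))
```

Run against a quarantined attachment by passing the file's bytes to `find_remote_templates`; an HTTP(S) or UNC hit is worth correlating with the Dynamic DNS and hosting-provider patterns the Secureworks profile describes, while an empty result on a document whose settings.xml.rels names a local Normal.dotm is the expected benign case.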
