Cadet Blizzard

cadet-blizzard · primary source: Microsoft · first observed 2019

RU · RussiaState-sponsoredModerate confidencelast cited Jan 14, 2022 · 4y ago

Russian state-sponsored intrusion set publicly assessed by Microsoft as associated with the GRU but operationally distinct from Forest Blizzard (APT28) and Seashell Blizzard (Sandworm). Conducted the January 2022 WhisperGate destructive wiper operation against Ukrainian government and IT-services targets in the weeks preceding Russia's full-scale invasion. Microsoft assesses 'at least one Russian private sector organization has materially supported' Cadet Blizzard operations.

Aliases

DEV-0586MicrosoftEmber BearCrowdStrikeUAC-0056OtherBleeding BearOther

Motivations

destructionespionageinformation operations

Target sectors

governmenttechnologyeducationngo

Target countries

UAGEPLCZ

Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary

Cadet Blizzard
Russia
destruction
espionage
information operations

Capability

Infrastructure

—

Victim

government
technology
education
UA
GE
+1 more

MITRE ATT&CK techniques

T1485 T1561.002 T1190 T1059.001

Tools & malware

1 entry

WhisperGateWiper

Timeline

1 event

CompromiseCritical2022-01-15·Microsoft Threat Intelligence
Cadet Blizzard deploys WhisperGate wiper against Ukrainian government
Microsoft Threat Intelligence (then MSTIC) disclosed the WhisperGate destructive-malware operation against multiple Ukrainian government, IT services, and NGO organizations, tracked at the time as DEV-0586 and later named Cadet Blizzard. WhisperGate masqueraded as ransomware but wrote a fake ransom message and irretrievably corrupted disks. The operation immediately preceded Russia's full-scale invasion by approximately five weeks.
wiperdestructiveukrainegru

Indicators of compromise

2 indicators

defangedcsv

Type	Value	First seen	Source
SHA-256	dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 family · WhisperGate WhisperGate stage2.exe - the file-corruption stage that overwrites files matching a hardcoded extension list, downloaded over Discord CDN. Hash from Microsoft MSTIC via CISA / FBI AA22-057A Table 1.	Jan 12, 2022	CISA
SHA-256	a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92 family · WhisperGate WhisperGate stage1.exe - MBR-corrupting destructive payload disguised as ransomware, deployed against Ukrainian organisations from 13 January 2022. Hash from Microsoft MSTIC, republished in CISA / FBI AA22-057A Table 1. Microsoft renamed the responsible actor Cadet Blizzard (DEV-0586) in June 2023 and attributed it to a GRU subgroup.	Jan 12, 2022	CISA

Related actors

shared ATT&CK techniques

IR · IranHomeland Justice3 shared techniques
IR · IranVoid Manticore3 shared techniques
KP · DPRKAndariel2 shared techniques
- T1059.001
- T1190
CN · ChinaAPT402 shared techniques
- T1059.001
- T1190
CN · ChinaHafnium2 shared techniques
- T1059.001
- T1190
RU · RussiaRomCom2 shared techniques
- T1059.001
- T1190

References

Cadet Blizzard emerges as a novel and distinct Russian threat actor
Microsoft Threat Intelligence · 2023-06-14

cite this page

Threat Intel Tracker. (2026-05-19). Cadet Blizzard — actor profile. Retrieved from https://threatintel.local/actors/cadet-blizzard

latest cited activity · 2022-01-15 · 2 cataloged indicators