Hackers view computer screens
Reuters/Dado Ruvic

KEY POINTS

  • Microsoft said a hacking group it dubbed Cadet Blizzard is affiliated with Russia's Main Intelligence Directorate
  • Cadet Blizzard operates during its primary targets' off-business hours to evade detection
  • Cadet Blizzard appeared less effective than other Russian hacking groups

A group of hackers behind a number of cyberattacks against Ukraine and its Western allies this year and in 2022 has links to Russia, Microsoft has claimed.

Microsoft's threat intelligence teams said the recent wave of cyberattacks they detected came from what they dubbed "Cadet Blizzard," a group of hackers affiliated with the Russian Main Intelligence Directorate (GRU).

In a blog post, the tech company revealed that Cadet Blizzard is targeting Ukraine and member states of the North Atlantic Treaty Organization (NATO) that provide military assistance to the war-torn country.

Microsoft claimed that the hacking group was behind the destructive WhisperGate wiper attacks against Ukraine in January 2022, before Russia launched its invasion of the country. The group was also responsible for the attacks against Ukrainian websites early last year, according to the company.

Microsoft said it believes Cadet Blizzard also targeted "a range of organizations in Europe and Latin America" and has been operating since 2020.

The company warned that the Russian hacking group is always active in cyberspace and "has conducted its operations during its primary targets' off-business hours when its activity is less likely to be detected."

Cadet Blizzard uses stolen passwords and credentials to breach internet servers that are less well-protected, according to Microsoft. The group also uses web shells to maintain access and employs "living off the land" techniques through legitimate commands to move laterally across its targets' networks, the company added.

The technique allows Cadet Blizzard to hide in legitimate network traffic, "making its activities harder to detect," Microsoft said.

However, Cadet Blizzard appeared less effective than other hacking groups associated with Russia.

"Cadet Blizzard's January 2022 WhisperGate attack affected an order of magnitude fewer systems and delivered comparatively modest impact, despite being trained to destroy the networks of their opponents in Ukraine," Microsoft said.

"Cadet Blizzard's activity spiked between January and June of 2022, dissipated, and re-emerged in early 2023. The more recent Cadet Blizzard cyber operations, although occasionally successful, similarly failed to achieve the impact of those conducted by its GRU counterparts," the company added.

Last month, Ukraine's cybersecurity chief said Russia has carried out cyberattacks against Ukraine since the war began more than a year ago.

In an interview with The Record, Yurii Shchyhol, the chief of the State Service of Special Communications and Information Protection of Ukraine (SSSCIP), noted that Russian hackers are "changing their attack vectors and targets," after they noticed that the cyberattacks on Ukrainian commerce, finance and defense sectors "significantly decreased" this year.

Shchyhol revealed that Russian cyberattacks are now focused on critical targets, such as Ukraine's energy sectors, and they have also observed a surge in supply chain attacks against software manufacturers.

"These attacks are highly complex and demand greater levels of training, knowledge, skills, and abilities to execute successfully," Shchyhol said.

The Ukrainian cybersecurity chief said they received assistance from major tech companies such as Microsoft, ESET and Cisco to counter Russian cyberattacks.

Shchyhol also revealed that they are working with Palantir, a U.S.-based data analytics company. He said Palantir's capabilities are "incredibly helpful," especially when it comes to "providing essential information" for their operations.

SSSCIP also developed a secure, closed-source messenger for Ukraine's state and military communication system amid Russia's continued military assault.

A general view shows the headquarters of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation, formerly known as the Main Intelligence Directorate (GRU), in Moscow, Russia October 4, 2018. Reuters/Stringer