Cadet Blizzard Hackers Linked to GRU, U.S. Offers $10 Million for Information

• Russian hackers Cadet Blizzard were connected to the General Staff Main Intelligence Directorate in a joint operation.
• The U.S. offers a $10 million reward for details on the threat actor via the Rewards for Justice program.
• Cadet Blizzard gained notoriety for deploying the WhisperGate malware against Ukrainian systems.

The notorious Russian hacking group Cadet Blizzard was linked to the General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center, also known as Unit 29155, according to a new report from the Federal Bureau of Investigation (FBI).

Agencies from the U.S., the Netherlands, the Czech Republic, Germany, Estonia, Latvia, Ukraine, Canada, Australia, and the U.K. have attributed Cadet Blizzard's operations to efforts originating from Unit 29155. 

The U.S. Department of State's Rewards for Justice program offers up to $10 million for actionable intelligence on the hackers' whereabouts or further malicious endeavors.

The unit engages in extensive data infiltration and leaking operations, aiming to disrupt and damage systems strategically. These activities are complemented by broader psychological operations destabilizing public trust and governance structures.

Cadet Blizzard employs a sophisticated attack chain, starting with exploiting vulnerabilities in platforms like Atlassian Confluence and Sophos firewalls. Employing tools like Impacket for lateral movement, the group has effectively exfiltrated sensitive data to custom infrastructures.

The threat actors have been active since 2020, focusing on espionage, sabotage, and reputational damage. Since early 2022, the group's attacks have increasingly focused on thwarting aid to Ukraine. Targets span sectors critical to NATO and EU nations, ranging from government services to healthcare.

Known by several monikers, including Ember Bear, FROZENVISTA, and Ruinous Ursa, the group gained notoriety for deploying the WhisperGate malware against Ukrainian systems as Russia prepared for its full-scale invasion. They also used Raspberry Robin malware and targeted victims' Microsoft Outlook Web Access (OWA) infrastructure with password spraying.

In June 2024, Amin Timovich Stigal, a 22-year-old Russian, was indicted for his involvement in these cyber assaults, marking a significant step in ongoing legal proceedings.

Five GRU officers—Yuriy Denisov, Vladislav Borovkov, Denis Denisenko, Dmitriy Goloshubov, and Nikolay Korchagin—face charges related to conspiracy in computer intrusions and wire fraud against Ukrainian and NATO-aligned targets.

Organizations are urged to implement robust security protocols paramount in mitigating such sophisticated threats: regular software updates, network segmentation, and multi-factor authentication.