Cadet Blizzard [1] [3] [4] [5], also known as Ember Bear [5], is a Russian hacking group attributed to the GRU 161st Specialist Training Center (Unit 29155) [5], responsible for cyber attacks since at least 2020.

Description

The group has targeted critical infrastructure and key sectors in NATO [5], EU [3] [5], Central American [2] [5], and Asian countries [5], with a recent focus on disrupting aid to Ukraine [5]. WhisperGate (PAYWIPE) malware was deployed by the group in Ukraine, as well as network operations against multiple NATO members across Europe and North America [2]. Five officers associated with Unit 29155 have been indicted for conspiracy to commit computer intrusion and wire fraud [5], with the US Rewards for Justice program offering a reward for information on them [5]. Unit 29155 engages in espionage, sabotage [3] [5], and influence operations [5], with a focus on offensive cyber operations since 2020 [5]. Known vulnerabilities are exploited by the group to breach victim environments, exfiltrate data [5], and conduct data leak operations [5]. Organizations are advised to prioritize system updates [5], segment networks [5], and enforce phishing-resistant multi-factor authentication [5]. German intelligence has accused the GRU of cyberattacks on NATO and EU states [3], with Unit 29155 running a cyber-group targeting critical infrastructure globally [3]. The group is suspected of leading high-profile operations across Europe and is associated with foreign assassinations and destabilizing Western countries [3]. Heightened anxiety follows numerous suspected Russian hacking and espionage activities since Moscow’s invasion of Ukraine in February 2022 [3]. The joint advisory by CISA [2], NSA [2], and FBI warns of the increasing threat posed by Russia-affiliated actors [2], highlighting the ongoing offensive operations conducted by Unit 29155 [2]. Unit 29155 [1] [2] [3] [4] [5], also known as Cadet Blizzard [1] [3], has expanded its activities to include offensive cyber operations targeting government agencies [1], financial services [1], transportation systems [1], energy [1], and healthcare sectors [1]. The group uses common red teaming techniques and publicly available tools for their cyber operations [1], including CVE exploit scripts from GitHub repositories [1]. They are known to use malware loaders like Raspberry Robin and SaintBot [1], and maintain accounts on dark web forums to obtain hacker tools [1]. The US Department of Justice has indicted five GRU hackers and a civilian accomplice [1], offering a reward of up to $10 million for information on their whereabouts or cyber activities [1]. The advisory recommends using MITRE ATT&CK techniques to test existing security controls and mitigate the risk of Unit 29155 attacks [1]. Unit 29155 [1] [2] [3] [4] [5], previously known for physical tactics [4], has transitioned to cyber operations with the help of non-GRU actors [4], including cyber-criminals and enablers [4].

Conclusion

The activities of Cadet Blizzard, also known as Ember Bear [5], pose a significant threat to global cybersecurity. It is crucial for organizations to implement robust security measures, such as system updates, network segmentation, and multi-factor authentication [5], to protect against cyber attacks. The ongoing offensive operations conducted by Unit 29155 highlight the need for continued vigilance and collaboration among international cybersecurity agencies to mitigate the risk of future attacks.

References

[1] https://www.helpnetsecurity.com/2024/09/06/unit-29155/
[2] https://socprime.com/blog/unit-29155-attacks-detection/
[3] https://www.aljazeera.com/news/2024/9/9/german-intelligence-accuses-russias-gru-of-cyberattacks-on-nato-eu-states
[4] https://thecyberwire.com/newsletters/daily-briefing/13/171
[5] https://thehackernews.com/2024/09/us-offers-10-million-for-info-on.html