Thursday, 15 June 2023 12:59

Microsoft Reveals new GRU Related Threat Group with Low Success Rate


On Wednesday Microsoft’s threat research group unveiled information about a new Russian threat group with ties to the GRU. As part of the announcement, they also noted that the group has a low success rate and poor operational security. The group, which Microsoft is now tracking under the name Cadet Blizzard, seems to focus on service disruption, destructive campaigns and information gathering. Microsoft noted that they appear to be technically skilled but lacking in direction and sophistication.

According to Microsoft this group has been in operation since at least 2020 and has run campaigns in Europe, Ukraine, Central Asia and even Latin America. Most of these campaigns have been haphazard, with the intent being disruption or destruction of data and services. This makes them dangerous, but perhaps not as much of a focused threat as more advanced cybercrime groups from the region.

Building a profile on the group suggests that they either look for targets of opportunity or are fed short-lead-time targets by other sources. Once they have their target, the only goal is destruction or disruption. It is unlikely that they care if they are identified, but they do want to get the job done. The low success rate could indicate that they are not an organized group, but one that might work in small cells of random individuals as needed for the assigned or identified task (we call these Frat Party Groups). They are certainly state sponsored but are not at the same operational level as other organizations, even outside of the Russian Government. By contrast, state sponsored groups in China and North Korea operate at a much more sophisticated level even when the goal is a target of opportunity.

Cadet Blizzard, while not as organized or sophisticated as many other groups, is a strategic risk. It seems that they may have been created as a tactical response group for pre-war or wartime efforts. This means that their focus would, by necessity, be either demoralization through defacement campaigns or disruption/destruction of services. They would not need to be delicate in these operations, as they are less of a long-term effort and more intended to hit fast and hard before the shooting starts or to support a ground campaign. This would account for their poor operational security; their low success rate is likely to improve over time as they dial in their techniques and develop better tools for initial access. Once this is done, they have proven they can live off the land, using existing or common tools to complete their missions.

Effective protections from this group are what you would expect: effective vulnerability management and patching, proper security tools for detection and response, and application firewalls with effective policies for any publicly exposed websites and/or applications. Nothing spectacular, but all things that tend to be lacking all too often.
