Reward Offered by U.S. for Information regarding Russian Cadet Blizzard Hackers Behind Significant Attacks Reaches $10 Million

The U.S. government and a coalition of international partners have formally attributed the Russian state-sponsored hacking group tracked as Cadet Blizzard to the General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center, better known as Unit 29155.


“These digital actors are accountable for online operations against worldwide targets with the intention of espionage, disruption, and damaging reputation since at least 2020,” the agencies said.

“Starting from early 2022, these cyber operatives seem to be concentrating on obstructing efforts to provide assistance to Ukraine.”

The attacks have targeted critical infrastructure and key resource sectors, including government services, financial services, transportation, energy, and healthcare, in North Atlantic Treaty Organization (NATO) member states, the European Union, and countries in Central America and Asia.


The joint advisory, issued last week as part of a coordinated effort named Operation Toy Soldier, was authored by cybersecurity and intelligence agencies from the U.S., the Netherlands, the Czech Republic, Germany, Estonia, Latvia, Ukraine, Canada, Australia, and the U.K.

Cadet Blizzard, also tracked as Ember Bear, FROZENVISTA, Nodaria, Ruinous Ursa, UAC-0056, and UNC2589, drew attention in January 2022 when it deployed the destructive WhisperGate (also known as PAYWIPE) wiper against multiple Ukrainian organizations in the weeks before Russia's full-scale invasion of the country.

In June 2024, a 22-year-old Russian national named Amin Timovich Stigal was indicted in the U.S. for his alleged role in staging destructive cyber attacks against Ukraine using the wiper. WhisperGate is not believed to be exclusive to this group, however.

The U.S. Department of Justice (DoJ) has since charged five officers associated with Unit 29155 with conspiracy to commit computer intrusion and wire fraud against targets in Ukraine, the U.S., and 25 other NATO countries.

The five officers are:

  • Yuriy Denisov (Юрий Денисов), a colonel in the Russian military and a commanding officer of Cyber Operations for Unit 29155
  • Vladislav Borovkov (Владислав Боровков), Denis Denisenko (Денис Денисенко), Dmitriy Goloshubov (Дима Голошубов), and Nikolay Korchagin (Николай Корчагин), lieutenants in the Russian military assigned to Unit 29155 who worked on cyber operations

“The defendants did so in order to instill worry among Ukrainian citizens concerning the security of their governmental systems and personal information,” explained the DoJ. “The defendants specifically targeted Ukrainian Government systems and data not related to military or defense. Later targets extended to computer systems globally that supported Ukraine.”


Alongside the indictment, the U.S. Department of State's Rewards for Justice program has announced a reward of up to $10 million for information on the location of any of the accused or on their malicious cyber activity.

Unit 29155 has previously been linked to attempted coups, sabotage, influence operations, and assassination attempts across Europe; the unit expanded its remit to include offensive cyber operations in at least 2020.

The goal of these intrusions is to collect sensitive information for espionage, to inflict reputational harm by leaking that information, and to conduct destructive operations that sabotage systems holding valuable data.


According to the advisory, Unit 29155 is believed to be made up of junior, active-duty GRU officers, who also rely on known cybercriminals and other civilian enablers such as Stigal to carry out their missions.

Those activities include website defacements, infrastructure scanning, data exfiltration, and leak operations in which the stolen information is published on public websites or sold to other parties.

The attack chains begin with scanning for and exploiting known vulnerabilities in Atlassian Confluence Server and Data Center, Dahua Security devices, and Sophos firewalls to gain a foothold in target environments, followed by the use of Impacket for post-exploitation and lateral movement, and finally exfiltration of data to dedicated infrastructure.

“The digital actors may have utilized Raspberry Robin malware acting as an access intermediary,” as highlighted by the agencies. “The targets’ Microsoft Outlook Web Access (OWA) infrastructure was attacked with password spraying to acquire valid account credentials.”
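The password spraying described in that quote has a distinctive shape in authentication logs: one source tries one or two passwords against many accounts, so the discriminator is the number of distinct usernames failing per source in a short window, not the number of failures per user. The script below is an added illustration of that detection logic and is not part of the advisory or any tool the agencies released. It assumes a simplified, constructed log layout (date, time, client IP, method, URI, username, status) rather than the exact IIS field set an OWA server produces, and the sample lines are fabricated for the example.

```python
"""Password-spray detection over web-server auth logs (added example).

A spray tries a few passwords against many accounts: per source IP that
shows up as many *distinct* usernames failing within a short window. A
brute force is one username failing many times. Counting distinct users
per source inside a sliding window separates the two cases.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample data, not real logs. The layout is a simplified
# W3C-style line assumed for this example (real IIS/OWA fields differ):
# date time c-ip method uri username status
SAMPLE_LOG = """\
2024-09-05 10:00:01 203.0.113.7 POST /owa/auth.owa alice 401
2024-09-05 10:00:04 203.0.113.7 POST /owa/auth.owa bob 401
2024-09-05 10:00:09 203.0.113.7 POST /owa/auth.owa carol 401
2024-09-05 10:00:15 203.0.113.7 POST /owa/auth.owa dave 401
2024-09-05 10:00:22 203.0.113.7 POST /owa/auth.owa erin 401
2024-09-05 10:00:30 203.0.113.7 POST /owa/auth.owa frank 200
2024-09-05 10:01:00 198.51.100.9 POST /owa/auth.owa alice 401
2024-09-05 10:01:03 198.51.100.9 POST /owa/auth.owa alice 401
2024-09-05 10:01:07 198.51.100.9 POST /owa/auth.owa alice 401
2024-09-05 10:01:12 198.51.100.9 POST /owa/auth.owa alice 401
2024-09-05 10:01:20 198.51.100.9 POST /owa/auth.owa alice 401
2024-09-05 10:01:25 198.51.100.9 POST /owa/auth.owa alice 401
2024-09-05 11:30:00 192.0.2.44 GET /owa/ - 200
"""

AUTH_PREFIX = "/owa/auth"  # only logon requests count, not static content


def parse_line(line):
    """Return a dict for a well-formed line, or None for blanks and junk."""
    parts = line.split()
    if len(parts) != 7:
        return None
    date, time, ip, method, uri, user, status = parts
    try:
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        status = int(status)
    except ValueError:
        return None
    return {"ts": ts, "ip": ip, "method": method, "uri": uri,
            "user": user, "status": status}


def detect_spray(lines, window=timedelta(minutes=5), min_users=5):
    """Flag source IPs whose failed logons cover >= min_users distinct
    accounts inside any `window`. Returns {ip: (window_start, users)}.
    Only the earliest triggering window per IP is reported."""
    failures = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["status"] == 401 and ev["uri"].startswith(AUTH_PREFIX):
            failures[ev["ip"]].append((ev["ts"], ev["user"]))

    alerts = {}
    for ip, events in failures.items():
        events.sort()
        in_window = Counter()  # username -> failures inside current window
        left = 0
        for ts, user in events:
            in_window[user] += 1
            # advance the left edge until every event fits in the window
            while ts - events[left][0] > window:
                old_user = events[left][1]
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
                left += 1
            if len(in_window) >= min_users:
                alerts[ip] = (events[left][0], sorted(in_window))
                break
    return alerts


def successful_logons_after_spray(lines, alerts):
    """A non-401 response on the auth endpoint from a flagged IP after its
    spray window started is the event to triage first: a guess may have
    worked. (Success is any non-401 status in this assumed layout.)"""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if (ev and ev["ip"] in alerts and ev["status"] != 401
                and ev["uri"].startswith(AUTH_PREFIX)
                and ev["ts"] >= alerts[ev["ip"]][0]):
            hits.append((ev["ip"], ev["user"], ev["ts"]))
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    found = detect_spray(lines)
    for ip, (start, users) in found.items():
        print(f"spray from {ip} starting {start}: {len(users)} accounts {users}")
    for ip, user, ts in successful_logons_after_spray(lines, found):
        print(f"  possible success: {user} from {ip} at {ts}")
```

Two caveats apply in practice. A per-source threshold only catches sprays that come from a single IP; an actor that routes attempts through many addresses (for example, via access brokered by commodity malware, as the advisory suggests for Raspberry Robin) stays under the threshold, so the same distinct-user count should also be computed per user-agent and across all sources. And the detection is a compensating control, not a fix: a valid password found by a spray is only harmless if the account also requires multi-factor authentication.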

Organizations are advised to prioritize routine system updates, remediate known exploited vulnerabilities, segment networks to limit the spread of malicious activity, and enforce phishing-resistant multi-factor authentication (MFA) on all externally facing account services.
