Cadet Blizzard
The GRU unit behind WhisperGate — a destructive wiper deployed against Ukrainian government agencies on January 13, 2022, one month before Russia's full-scale military invasion. Linked to GRU Unit 29155 and formally attributed by a joint advisory from the FBI, CISA, NSA, and international partners in September 2024, Cadet Blizzard combines sabotage-focused cyberattacks with hack-and-leak information operations in support of Russian military objectives.
Overview
Cadet Blizzard is a Russian nation-state threat actor operated by GRU Unit 29155, formally designated the 161st Specialist Training Center. Microsoft first tracked the group under the provisional identifier DEV-0586 after a series of destructive cyberattacks on Ukrainian government agencies in mid-January 2022. The group was formally named Cadet Blizzard in June 2023, and in September 2024, the FBI, CISA, NSA, and a coalition of international partners issued a joint advisory officially attributing Unit 29155 cyber operations to the group and detailing its activities since at least 2020.
Unit 29155 has historically been known for physical operations — assassination attempts, poisonings, bombings, and a failed coup attempt in Montenegro — rather than cyber intrusions. The expansion into offensive cyber operations is assessed to have begun no earlier than 2020. The FBI characterizes the group's cyber personnel as junior active-duty GRU officers gaining technical skills through live operational experience, supplemented by civilian contractors and known cybercriminals who serve as enablers. At least one Russian private-sector organization has been assessed to have provided material operational support, including during the WhisperGate attack.
Cadet Blizzard is a distinct group from the more established GRU-affiliated cyber actors Forest Blizzard (APT28, Unit 26165) and Seashell Blizzard (Sandworm, Unit 74455). Microsoft assesses that Cadet Blizzard operates with a lower degree of operational security than those peer groups and has achieved comparatively modest impact in its destructive campaigns. Despite this, the group remains a high-severity threat due to its explicit goal of destruction and its demonstrated willingness to execute disruptive attacks with limited operational restraint. The group operates seven days a week and conducts operations against European targets during off-business hours to maximize disruption.
Since early 2022, Cadet Blizzard's primary objective has shifted toward disrupting the international effort to provide military and logistical aid to Ukraine. The FBI has documented over 14,000 instances of domain scanning across at least 26 NATO member states and several additional EU countries, reflecting the breadth of the group's reconnaissance activity. The group sells or publicly releases stolen data to compound harm on victims already affected by destructive payloads.
Target Profile
Cadet Blizzard primarily targets Ukrainian government and information technology organizations, with secondary targeting of NATO member states and organizations involved in supporting Ukraine's defense. Targeting has expanded to include entities in Europe, Latin America, and Central Asia.
- Government agencies: Ukrainian national and regional government bodies have been the primary focus, including ministries, public-sector IT providers, and state information systems. Ukrainian government websites were defaced concurrently with WhisperGate deployments in January 2022.
- Critical infrastructure: The group targets energy, transportation, financial services, and healthcare sectors across NATO member states. The September 2024 CISA advisory documented active scanning of IP ranges belonging to government and critical infrastructure organizations in at least 26 NATO countries.
- Defense and military support: NATO members providing direct military aid to Ukraine are assessed to face elevated risk. Organizations involved in logistics chains supporting the Ukrainian defense effort have been specifically targeted since early 2022.
- Information technology providers: IT organizations that support government and defense customers are targeted as a pathway to supply chain compromise, enabling downstream access to high-value government networks.
- Healthcare: Medical records belonging to Ukrainian citizens were stolen during the initial WhisperGate campaign, with the stated purpose of sowing concern about government data security ahead of the Russian military invasion.
Tactics, Techniques & Procedures
Documented TTPs are based on the September 2024 joint CISA advisory (AA24-249A), the June 2023 Microsoft threat intelligence report, and subsequent public disclosures.
| MITRE ID | Technique | Description |
|---|---|---|
| T1595 | Active Scanning | Cadet Blizzard conducts broad IP range scanning against government and critical infrastructure organizations. The FBI has documented over 14,000 scanning instances across 26+ NATO members using publicly available tools. |
| T1190 | Exploit Public-Facing Application | Initial access is gained by exploiting known vulnerabilities in internet-facing web servers, particularly Atlassian Confluence (CVE-2021-26084), Microsoft Exchange (CVE-2022-41040, ProxyShell), Dahua Security cameras, and Sophos firewalls. |
| T1505.003 | Web Shell | The group deploys commodity web shells — P0wnyshell, reGeorg, PAS, and custom variants — immediately after gaining initial access to establish persistent backdoor access for command execution and tunneling. |
| T1003.001 | LSASS Memory Dumping | Credentials are harvested using tools such as procdump, often renamed to avoid detection (e.g., dump64.exe), enabling privilege escalation and lateral movement using stolen credentials. |
| T1021 | Lateral Movement | Post-exploitation lateral movement is conducted using Impacket, a publicly available suite of Python scripts for working with network protocols. Adminer and ldapdomaindump are used for Active Directory enumeration. |
| T1041 | Exfiltration Over C2 Channel | Sensitive data is exfiltrated to dedicated infrastructure prior to destructive payload execution. Stolen data is subsequently sold or published to public domains or dark web forums as part of information operations. |
| T1561.002 | Disk Structure Wipe | WhisperGate Stage 1 overwrites the Master Boot Record with a fake ransomware note, rendering systems unbootable. No recovery mechanism exists — destruction is the sole purpose of the payload. |
| T1485 | Data Destruction | WhisperGate Stage 2, delivered from Discord CDN, overwrites file contents with fixed 1MB byte patterns regardless of file extension, destroying data across targeted systems. |
| T1491.002 | External Defacement | Ukrainian government websites were defaced during the January 2022 campaign and again in early 2023. Defacement messages were written in Ukrainian, Russian, and Polish — a false-flag attempt to imply Polish threat actor involvement. |
| T1059 | Command and Scripting Interpreter | The group uses cmd.exe commands for lateral movement, process manipulation, and service stopping. PowerShell is also used for execution and obfuscation during intrusion operations. |
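As an added example (not code from the advisory, Microsoft, or this profile's sources), the following Python turns the T1003.001 and T1505.003 rows above into detection logic over Sysmon-style process events. Field names mirror Sysmon's EventData (Image, OriginalFileName, ParentImage, SourceImage, TargetImage, GrantedAccess, DestinationIp); the event records, allowlists, paths, and IP addresses are constructed assumptions. The renamed-procdump check relies on the fact that renaming a binary on disk does not change the OriginalFileName stored in its PE version resource, which Sysmon records on process creation.

```python
"""Detection logic for T1003.001 (LSASS dumping, renamed procdump) and T1505.003
(web shell activity) over Sysmon-style events. Sample records are constructed."""
import ntpath
from dataclasses import dataclass

PROCESS_CREATE = 1    # Sysmon Event ID 1
NETWORK_CONNECT = 3   # Sysmon Event ID 3
PROCESS_ACCESS = 10   # Sysmon Event ID 10

PROCESS_VM_READ = 0x0010  # winnt.h access right needed to read another process's memory

# Assumption: processes that legitimately open LSASS on this host; tune per environment
LSASS_SOURCE_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}
# Assumption: backend hosts a web worker may legitimately connect to (e.g. its database)
WEB_OUTBOUND_ALLOWLIST = {"10.0.5.20"}

WEB_SERVER_IMAGES = {"w3wp", "httpd", "nginx", "php-cgi", "tomcat9"}
SHELL_IMAGES = {"cmd", "powershell", "pwsh", "wscript", "cscript"}
DUMP_TOOL_ORIGINAL_NAMES = {"procdump", "procdump64"}


@dataclass(frozen=True)
class Alert:
    technique: str
    reason: str
    record_id: int


def _stem(path):
    """Lower-case file name of a Windows path without its .exe suffix."""
    base = ntpath.basename(path).lower()
    return base[:-4] if base.endswith(".exe") else base


def detect_lsass_access(ev):
    """Event 10: a process outside the allowlist opened lsass.exe with memory-read rights."""
    if ev["EventID"] != PROCESS_ACCESS or _stem(ev["TargetImage"]) != "lsass":
        return None
    granted = int(ev["GrantedAccess"], 16)
    if not granted & PROCESS_VM_READ or ev["SourceImage"].lower() in LSASS_SOURCE_ALLOWLIST:
        return None
    return Alert("T1003.001", f"{ev['SourceImage']} opened LSASS with access 0x{granted:x}", ev["RecordId"])


def detect_renamed_dump_tool(ev):
    """Event 1: OriginalFileName still says procdump while the on-disk name (Image) differs."""
    if ev["EventID"] != PROCESS_CREATE:
        return None
    original = _stem(ev.get("OriginalFileName", ""))
    if original in DUMP_TOOL_ORIGINAL_NAMES and original != _stem(ev["Image"]):
        return Alert("T1003.001", f"{ev['Image']} is {original} renamed", ev["RecordId"])
    return None


def detect_web_server_child(ev):
    """Event 1: a web server worker spawned a command interpreter, the classic web shell signature."""
    if ev["EventID"] != PROCESS_CREATE:
        return None
    if _stem(ev.get("ParentImage", "")) in WEB_SERVER_IMAGES and _stem(ev["Image"]) in SHELL_IMAGES:
        return Alert("T1505.003", f"{ev['ParentImage']} spawned {ev['Image']}", ev["RecordId"])
    return None


def detect_web_server_outbound(ev):
    """Event 3: a web server worker initiated a connection to a host outside its allowlist,
    which is how tunneling and post-exploitation driven from a web shell show up."""
    if ev["EventID"] != NETWORK_CONNECT or ev.get("Initiated") != "true":
        return None
    if _stem(ev["Image"]) not in WEB_SERVER_IMAGES or ev["DestinationIp"] in WEB_OUTBOUND_ALLOWLIST:
        return None
    return Alert("T1505.003", f"{ev['Image']} -> {ev['DestinationIp']}:{ev['DestinationPort']}", ev["RecordId"])


DETECTORS = (detect_lsass_access, detect_renamed_dump_tool, detect_web_server_child, detect_web_server_outbound)


def run_detections(events):
    """Apply every detector to every event, preserving event order."""
    alerts = []
    for ev in events:
        for detector in DETECTORS:
            alert = detector(ev)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed Sysmon-style records; paths and IPs are made up for this example
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"RecordId": 2, "EventID": 1, "Image": r"C:\Windows\Temp\dump64.exe",
     "OriginalFileName": "procdump", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"RecordId": 3, "EventID": 10, "SourceImage": r"C:\Windows\Temp\dump64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"RecordId": 4, "EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"RecordId": 5, "EventID": 3, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Initiated": "true", "DestinationIp": "10.0.5.20", "DestinationPort": "1433"},
    {"RecordId": 6, "EventID": 3, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Initiated": "true", "DestinationIp": "10.0.20.15", "DestinationPort": "445"},
    {"RecordId": 7, "EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, the allowlisted csrss.exe access to LSASS and the w3wp.exe connection to its database host produce nothing, while the renamed dump tool, its LSASS access, the cmd.exe child of w3wp.exe, and the w3wp.exe connection to an internal host on port 445 each raise an alert. The LSASS allowlist is the part that needs tuning: EDR agents and some backup software legitimately open LSASS, and an overly broad allowlist is the usual reason this rule misses real dumping.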
Known Campaigns
Confirmed or highly attributed operations linked to Cadet Blizzard, based on public government advisories, Microsoft threat intelligence, and court documents.
On January 13, 2022 — one month before Russian ground forces crossed the Ukrainian border — Cadet Blizzard deployed the WhisperGate destructive wiper against multiple Ukrainian government organizations. The two-stage malware overwrote Master Boot Records and corrupted file contents with no decryption mechanism, while displaying a fake ransomware note to create the appearance of a financially motivated attack. Concurrent website defacements used Polish-language text to suggest the involvement of Polish threat actors. Medical records belonging to thousands of Ukrainian citizens were stolen as part of a parallel information operation intended to erode public confidence in government systems.
Cadet Blizzard operates a hack-and-leak information operation front known as "Free Civilian," which maintains a presence on Telegram and Tor. Data exfiltrated from victim networks is published through this channel to amplify reputational and operational harm. The Free Civilian Telegram channel re-emerged in January 2023 alongside a second wave of website defacements, accompanying resumed operations against Ukrainian and European entities. The operation serves as the information operations arm of Cadet Blizzard's broader sabotage and espionage mission.
Since at least 2020, Unit 29155 cyber actors have conducted systematic scanning of IP ranges belonging to government and critical infrastructure organizations across at least 26 NATO member states and several additional EU countries. The September 2024 CISA advisory (AA24-249A) documented over 14,000 scanning instances. Sectors targeted include government services, financial services, transportation, energy, and healthcare. Since early 2022, operations have focused on disrupting aid flows to Ukraine, with NATO member states providing military support assessed as the highest-priority targets.
Court documents related to the June 2024 indictment of Amin Timovich Stigal describe a Unit 29155 intrusion into the infrastructure of an unnamed Central European country in October 2022. US government systems, including sites maintained by a US government agency in Maryland, were also probed during this period, indicating active targeting of American infrastructure concurrent with European operations.
In February 2023, CERT-UA reported a Cadet Blizzard attack against a Ukrainian state information system that leveraged a PAS web shell variant. Microsoft assessed this backdoor had been planted in prior months — demonstrating the group's practice of maintaining persistent access for extended dwell periods before executing disruptive actions. This campaign marked the group's re-emergence after a period of reduced activity following the peak operations of January–June 2022.
Tools & Malware
Known custom and commodity tools associated with Cadet Blizzard operations, drawn from the CISA joint advisory, Microsoft threat intelligence, and court filings.
- WhisperGate (PAYWIPE): Custom two-stage destructive wiper. Stage 1 (stage1.exe) overwrites the Master Boot Record and displays a fake ransomware note on boot. Stage 2 (stage2.exe) is retrieved from Discord CDN and overwrites file contents with a fixed 1MB byte pattern regardless of extension. Multiple development versions of the binaries were stored on Discord accounts. No recovery mechanism exists.
- P0wnyshell / reGeorg / PAS: Commodity web shells used for persistent backdoor access following initial exploitation. PAS variants assessed to be unique to Cadet Blizzard have been identified in CERT-UA incident reports.
- Impacket: Open-source Python library used for post-exploitation lateral movement across compromised networks, enabling SMB, MSRPC, and other protocol-based interactions without deploying additional custom tooling.
- Procdump (renamed): Used to dump credentials from the LSASS process. The group commonly renames the executable (e.g., dump64.exe) to evade detection during privilege escalation.
- Adminer / ldapdomaindump: Used for Active Directory enumeration and internal network reconnaissance after establishing a foothold. Combined with Impacket for credential-based lateral movement.
- Raspberry Robin: The CISA advisory assessed that Unit 29155 cyber actors may have used Raspberry Robin malware in an access broker role, obtaining initial network access from criminal affiliates operating dark web forums.
- SaintBot: A malware loader obtained through dark web criminal networks and used in some operations as a delivery mechanism for subsequent payloads.
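The WhisperGate entry above notes that Stage 2 was staged on Discord CDN. As an added example (not code from the advisory or from Microsoft), the following Python checks outbound proxy logs for executable downloads from Discord CDN hosts. The log format (tab-separated timestamp, client IP, method, URL, status, Content-Type, bytes, User-Agent), the sample lines, the client IPs, and the attachment URLs are all constructed for the example. File extension and Content-Type are checked independently, because a payload can be served under a benign-looking file name, and Discord CDN fetches by a non-browser user agent are surfaced at lower severity.

```python
"""Proxy-log check for executable downloads from Discord CDN, the staging host used for
WhisperGate Stage 2. Log lines are constructed, tab-separated fields:
timestamp, client IP, method, URL, HTTP status, Content-Type, bytes, User-Agent."""
import csv
import io
from dataclasses import dataclass
from urllib.parse import urlparse

DISCORD_CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".msi", ".scr", ".ps1", ".bat", ".cmd", ".vbs", ".hta"}
EXECUTABLE_CONTENT_TYPES = {
    "application/x-msdownload",
    "application/x-dosexec",
    "application/vnd.microsoft.portable-executable",
}
# Substrings that ordinary browser user agents carry; anything else is treated as a script or tool
BROWSER_UA_MARKERS = ("mozilla/", "chrome/", "firefox/", "safari/", "edg/")


@dataclass(frozen=True)
class Finding:
    client: str
    url: str
    severity: str
    reason: str


def classify(row):
    """Return a Finding for one log row, or None if the row is not of interest."""
    _ts, client, _method, url, status, ctype, _size, ua = row
    parsed = urlparse(url)
    if (parsed.hostname or "").lower() not in DISCORD_CDN_HOSTS or status != "200":
        return None
    path = parsed.path.lower()
    reasons = []
    if any(path.endswith(suffix) for suffix in EXECUTABLE_SUFFIXES):
        reasons.append("executable file extension")
    if ctype.split(";")[0].strip().lower() in EXECUTABLE_CONTENT_TYPES:
        reasons.append(f"executable content type {ctype}")
    if reasons:
        return Finding(client, url, "high", "; ".join(reasons))
    if not any(marker in ua.lower() for marker in BROWSER_UA_MARKERS):
        return Finding(client, url, "low", f"non-browser user agent {ua!r}")
    return None


def analyze(log_text):
    """Parse tab-separated proxy log text and return findings in log order."""
    findings = []
    for row in csv.reader(io.StringIO(log_text), delimiter="\t"):
        if len(row) != 8:
            continue  # skip blank or malformed lines
        finding = classify(row)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample log; attachment IDs, hosts and clients are placeholders
SAMPLE_LOG = "\n".join("\t".join(fields) for fields in [
    ("2024-09-05T10:01:02Z", "10.0.8.21", "GET", "https://cdn.discordapp.com/attachments/1111/2222/photo.png",
     "200", "image/png", "48213", "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"),
    ("2024-09-05T10:03:17Z", "10.0.8.34", "GET", "https://cdn.discordapp.com/attachments/1111/3333/stage2.exe",
     "200", "application/octet-stream", "1048576", "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"),
    ("2024-09-05T10:04:40Z", "10.0.8.34", "GET", "https://cdn.discordapp.com/attachments/1111/4444/update.jpg",
     "200", "application/x-msdownload", "2500000", "-"),
    ("2024-09-05T10:05:01Z", "10.0.8.50", "GET", "https://cdn.discordapp.com/attachments/1111/5555/notes.txt",
     "200", "text/plain", "512", "-"),
    ("2024-09-05T10:06:09Z", "10.0.8.21", "GET", "https://example.org/downloads/setup.exe",
     "200", "application/x-msdownload", "3000000", "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"),
])

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On the sample, the PNG fetched by a browser is ignored, the .exe and the executable-typed "update.jpg" are rated high, the text file fetched with a bare user agent is rated low, and the download from example.org is out of scope for this rule. In a real deployment the low-severity findings are best correlated with the Sysmon process events for the same client rather than alerted on alone.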
Indicators of Compromise
The IOCs below are drawn from the CISA joint advisory AA24-249A (September 2024) and the June 2023 Microsoft Cadet Blizzard report. Verify currency before operational use — these were publicly disclosed and may be burned.
IOCs are stale after public disclosure. Cross-reference with the CISA AA24-249A downloadable IOC file and live threat intel feeds before applying to blocklists or detection rules.
For the full IOC list including IP addresses, domains, and additional file hashes documented in the September 2024 joint advisory, download the CISA AA24-249A IOC file directly from cisa.gov. The advisory notes significant TTP overlap with other actors due to heavy use of publicly available tools, which can complicate attribution.
Mitigation & Defense
Recommended controls for organizations in Cadet Blizzard's target profile, drawn from the CISA AA24-249A advisory and Microsoft's June 2023 threat intelligence report.
- Patch internet-facing servers immediately: Prioritize Atlassian Confluence (CVE-2021-26084), Microsoft Exchange (ProxyShell, CVE-2022-41040), Sophos firewall products, and Dahua devices. Cadet Blizzard gains initial access almost exclusively through known, unpatched vulnerabilities in perimeter-facing systems.
- Deploy phishing-resistant MFA: Enable FIDO2 or certificate-based MFA for all externally accessible services — webmail, VPN, cloud portals, and any account with access to critical systems. Credential-based lateral movement is a core component of the group's post-exploitation playbook.
- Monitor for web shell activity: Deploy detection rules for known Cadet Blizzard web shells (P0wnyshell, reGeorg, PAS variants). Alert on unexpected script files in web-accessible directories and on unusual outbound connections from web server processes.
- Detect LSASS access attempts: Monitor for tools accessing LSASS memory, including procdump and renamed variants. Enable Credential Guard where applicable. Alert on unexpected processes accessing lsass.exe and on execution of executables named with common rename patterns (dump64.exe).
- Segment networks and restrict lateral movement: Implement network segmentation to prevent spread from a compromised perimeter host to internal infrastructure. Restrict Impacket-based protocol interactions where legitimate use is limited. Apply the principle of least privilege to service accounts.
- Protect and test backups: Given the group's use of destructive payloads that overwrite MBR and file contents, maintain offline or immutable backups and regularly test restoration procedures. A functioning, tested backup is the primary recovery mechanism against wiper-class malware.
- Enable cloud-delivered endpoint protection: Turn on real-time cloud protection for endpoint detection and response platforms. This is specifically recommended by Microsoft to detect WhisperGate-style wiper behavior before execution reaches the destructive stage.
- Monitor for Discord CDN abuse: Alert on unusual executable downloads originating from Discord CDN infrastructure, which Cadet Blizzard used as a staging server for the WhisperGate Stage 2 payload.
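The web shell monitoring item above calls for alerting on unexpected script files in web-accessible directories. As an added example (not code from CISA, Microsoft, or this profile's sources), the following Python implements that as a file-integrity check: a baseline manifest of SHA-256 hashes for the web root is compared against the live tree, and any new or modified server-side script is reported first. The web root, its files, and the "post-intrusion" changes are constructed in a temporary directory; the script suffix list is an assumption covering the languages the web shells named on this page are written in (PHP, JSP, ASPX).

```python
"""File-integrity check for a web root: a baseline manifest of SHA-256 hashes is compared
against the live tree, and new or modified server-side scripts are reported.
The web root below is constructed in a temporary directory for the example."""
import hashlib
import json
import tempfile
from pathlib import Path

# Assumption: server-side script types to triage first; extend for the frameworks in use
SCRIPT_SUFFIXES = {".php", ".phtml", ".jsp", ".jspx", ".asp", ".aspx", ".ashx", ".asmx", ".cfm"}


def build_manifest(webroot):
    """Map every file under webroot (relative POSIX path) to its SHA-256 hex digest."""
    webroot = Path(webroot)
    manifest = {}
    for path in sorted(webroot.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(webroot).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def save_manifest(manifest, dest):
    """Persist the baseline. Keep it off the web server: an intruder with write access to
    the web root could otherwise rewrite the baseline to match the file they dropped."""
    Path(dest).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src):
    return json.loads(Path(src).read_text())


def diff_manifests(baseline, current):
    """Return (added, modified, removed) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    removed = sorted(set(baseline) - set(current))
    return added, modified, removed


def script_findings(added, modified):
    """New or changed scripts are the findings to triage first: a dropped web shell is a new
    script, and a backdoored page is a modified one."""
    return [p for p in added + modified if Path(p).suffix.lower() in SCRIPT_SUFFIXES]


def demo():
    """Build a constructed web root, baseline it, simulate an intrusion, and report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "www"
        (root / "css").mkdir(parents=True)
        (root / "uploads").mkdir()
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "css" / "site.css").write_text("body { margin: 0; }\n")
        (root / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0")
        baseline_file = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(root), baseline_file)

        # Constructed post-intrusion state: a script dropped into the upload directory,
        # the landing page modified, and a harmless new image
        (root / "uploads" / "cache.php").write_text("<?php /* constructed stand-in for a dropped web shell */ ?>\n")
        (root / "index.php").write_text("<?php echo 'hello'; /* constructed modification */ ?>\n")
        (root / "uploads" / "logo.png").write_bytes(b"\x89PNG\r\n")

        added, modified, removed = diff_manifests(load_manifest(baseline_file), build_manifest(root))
        return {"added": added, "modified": modified, "removed": removed,
                "script_findings": script_findings(added, modified)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The demo reports two added files and one modified file, and narrows the triage list to the two scripts (the dropped uploads/cache.php and the altered index.php) while leaving the new PNG as a low-priority change. Run the comparison on a schedule from a host that is not the web server, and rebuild the baseline only as part of a deployment, so that a legitimate release is the only thing that changes it.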
Frequently Asked Questions
What is Cadet Blizzard?
Cadet Blizzard is a Russian nation-state threat actor linked to GRU Unit 29155 (161st Specialist Training Center). The group is best known for deploying the WhisperGate destructive wiper against Ukrainian government agencies on January 13, 2022, one month before Russia's full-scale military invasion of Ukraine. The September 2024 CISA joint advisory formally attributed Unit 29155 cyber operations to the group and documented its targeting of at least 26 NATO member states.
What is WhisperGate?
WhisperGate is a two-stage destructive wiper malware. Stage 1 overwrites the Master Boot Record with a fake ransomware note, preventing the system from booting. Stage 2, downloaded from Discord CDN, overwrites the actual contents of files with fixed 1MB byte patterns regardless of file extension. No decryption mechanism exists — the malware is designed purely for destruction, not financial extortion. The fake ransomware framing was an intentional false flag.
What is GRU Unit 29155?
GRU Unit 29155, formally the 161st Specialist Training Center, is a Russian military intelligence unit historically associated with physical sabotage operations, assassination attempts, poisonings, and a failed coup in Montenegro. Since at least 2020, the unit expanded into offensive cyber operations. The FBI assesses that Unit 29155 cyber personnel are junior active-duty GRU officers who supplement their operations with civilian contractors and criminal enablers.
Who has been indicted in connection with Cadet Blizzard?
In June 2024, Russian national Amin Timovich Stigal (22 years old) was indicted in the United States for his role in the WhisperGate attacks. The US Department of Justice also charged five GRU officers: Colonel Yuriy Denisov (commanding officer of cyber operations for Unit 29155) and lieutenants Vladislav Borovkov, Denis Denisenko, Dmitriy Goloshubov, and Nikolay Korchagin. The US State Department issued a $10 million reward through its Rewards for Justice program for information on all five.
Is Cadet Blizzard the same as Sandworm or APT28?
No. Cadet Blizzard (GRU Unit 29155) is a distinct group from Sandworm/Seashell Blizzard (GRU Unit 74455) and APT28/Forest Blizzard (GRU Unit 26165). Microsoft assesses that Cadet Blizzard operates with lower operational security and has achieved comparatively smaller impact in its destructive campaigns than those more established GRU-affiliated groups. Despite this, the group remains dangerous for its willingness to execute destructive operations with limited restraint.
Sources & Further Reading
Attribution and references used to build this profile.
- CISA / FBI / NSA — AA24-249A: Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure (September 2024)
- Microsoft Threat Intelligence — Cadet Blizzard Emerges as a Novel and Distinct Russian Threat Actor (June 2023)
- MITRE ATT&CK — Ember Bear / G1003 Group Profile
- The Hacker News — US Offers $10 Million for Info on Russian Cadet Blizzard Hackers (September 2024)
- BleepingComputer — US and Allies Link Russian Military Hackers to GRU Unit 29155 (September 2024)
- SOCRadar — Dark Web Profile: Cadet Blizzard (November 2024)
- Dark Reading — Russian APT Cadet Blizzard Behind Ukraine Wiper Attacks