The U.S. government, alongside several international partners, has put a $10 million bounty on the heads of Russian hackers linked to the notorious Cadet Blizzard group. This group has been tied to the Russian military’s GRU, specifically its 161st Specialist Training Center, Unit 29155.
Since 2020, Cadet Blizzard has been behind several high-profile cyber espionage and sabotage operations targeting governments and critical infrastructure worldwide. Their focus shifted significantly after Russia’s 2022 invasion of Ukraine, with the hackers aiming to disrupt efforts to support Ukraine through cyberattacks on key sectors like government services, finance, energy, transportation, and healthcare.
Cadet Blizzard, also known by names such as Ember Bear, FROZENVISTA, and Ruinous Ursa, gained global attention in January 2022 when they deployed WhisperGate malware, a destructive tool aimed at Ukrainian institutions. WhisperGate, however, is not unique to this group, as it has been used by other cybercriminals in various attacks. Still, the damage they’ve caused is undeniable.
In June 2024, Amin Timovich Stigal, a 22-year-old Russian hacker, was indicted in the U.S. for his alleged role in launching cyberattacks against Ukraine. Stigal is believed to have collaborated with Unit 29155 to carry out these destructive attacks, leveraging WhisperGate malware.
The U.S. Department of Justice (DoJ) has gone further by charging five Russian military officers from Unit 29155 for their role in cyber intrusions aimed at Ukraine, the U.S., and 25 NATO countries. The officers charged include Colonel Yuriy Denisov, who oversees cyber operations for the unit, and lieutenants Vladislav Borovkov, Denis Denisenko, Dmitriy Goloshubov, and Nikolay Korchagin. Their mission was clear: to compromise sensitive systems, steal valuable information, and sow fear and instability in their targets.
To encourage tips from the public, the U.S. Department of State’s Rewards for Justice program has announced a reward of up to $10 million for information leading to the arrest of these individuals or information about their cyber activities.
Unit 29155 has a long history of carrying out sabotage, assassination plots, and influence operations throughout Europe, but in recent years, their focus has expanded to include offensive cyber operations. The unit, which comprises junior GRU officers and civilians like Stigal, is believed to carry out hacking campaigns designed to exfiltrate data, deface websites, and leak sensitive information to cause reputational damage.
Their typical attack method starts by scanning for vulnerabilities in commonly used software like Atlassian Confluence, Dahua Security products, and Sophos firewalls. Once inside a system, they use tools like Impacket for lateral movement, stealing data along the way, and eventually releasing or selling the information.
In the advisory issued by U.S. and international agencies, organizations are urged to strengthen their cybersecurity defenses by ensuring regular system updates, segmenting their networks, addressing known vulnerabilities, and adopting phishing-resistant multi-factor authentication for external accounts.
The global community continues to take these threats seriously, recognizing the escalating risks posed by state-sponsored hackers like Cadet Blizzard.