The $10 Million Dox: U.S. Puts a Price on GRU Unit 29155 ('Cadet Blizzard')
State Department Drops the Hammer
The era of anonymous state-sponsored sabotage is ending. In a coordinated move involving the FBI, CISA, and international intelligence partners, the U.S. State Department's 'Rewards for Justice' program has announced a bounty of up to $10 million for information leading to the identification or location of the relentless Russian hacking collective known as Cadet Blizzard (also tracked as Ember Bear, Ruinous Ursa, or Bleeding Bear). This represents a significant escalation: the U.S. is no longer just mitigating the attacks; it is actively hunting the operators behind the keyboards.
Attribution: Unit 29155 Unmasked
For years, analysts tracked 'Cadet Blizzard' as a distinct threat cluster. The U.S. government has now officially attributed this group to the General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center, specifically Unit 29155. This attribution is critical.
Kinetic and Digital Convergence
Unit 29155 is not a standard desk-job hacking team. Historically, this unit has been linked to kinetic operations, including foreign assassinations, sabotage, and coup attempts in Europe. Their pivot to cyber operations marks a dangerous evolution in Russian military doctrine, blending physical espionage with digital destruction.
The WhisperGate Operation
The primary catalyst for this manhunt was the group's activity leading up to the 2022 invasion of Ukraine. In January 2022, Cadet Blizzard deployed WhisperGate, a malicious payload designed to look like ransomware.
Destruction, Not Extortion
Unlike the ransomware that cybercriminal gangs use to encrypt files for profit, WhisperGate was a wiper. It lacked a recovery mechanism. The ransom note was a psychological operations (PSYOP) tactic designed to sow fear and confusion. The goal was the total destruction of Ukrainian government and critical infrastructure data. The indictment also highlights the group's role in website defacements and 'hack-and-leak' operations aimed at destabilizing trust in the Ukrainian state.
The Targets: A Global Scope
While Ukraine was the primary theater, the indictment reveals that Cadet Blizzard's scanning and targeting operations extended globally. Since 2020, the group has targeted critical infrastructure sectors—government, energy, transportation, and healthcare—across NATO member states, the European Union, Central Asia, and Latin America. The DoJ specifically noted targets within the United States, including a government agency in Maryland, indicating that the unit was probing U.S. domestic defenses.
TTPs: How They Operate
For the technical observer, Cadet Blizzard's Tactics, Techniques, and Procedures (TTPs) reveal a mix of brute force and known exploits. They are not necessarily developing zero-days but are highly efficient at weaponizing N-days.
- Initial Access: Heavy reliance on exploiting known vulnerabilities (CVEs) in public-facing applications (such as Atlassian Confluence) and SQL injection attacks.
- Credential Harvesting: Utilizing password spraying attacks, specifically targeting Microsoft Outlook Web Access (OWA) infrastructure.
- Tools: Deployment of the Raspberry Robin worm as an access broker and various open-source tools for lateral movement (Impacket, CrackMapExec).
- Exfiltration: Data is stolen not for profit, but for public release to cause reputational harm.
The Indicted: Names and Faces
The U.S. Department of Justice has unsealed charges against five GRU officers and one civilian asset, effectively burning their operational status.
The Civilian: Amin Timovich Stigal
A notable inclusion is 22-year-old Russian citizen Amin Timovich Stigal. Indicted in June 2024, Stigal is accused of conspiring with the GRU to execute the wiper attacks. His involvement underscores the GRU's reliance on civilian contractors to augment their cyber capabilities.
The Military Command
The indictment also names five officers of Unit 29155: Col. Yuriy Denisov, the commander, and lieutenants Vladislav Borovkov, Denis Denisenko, Dmitriy Goloshubov, and Nikolay Korchagin. These individuals are now internationally wanted fugitives, permanently grounded within Russian borders.
Analyst's Conclusion
The $10 million bounty is symbolic of a massive OpSec failure on the part of the GRU. For the U.S. to name specific officers and civilians, their communications must have been compromised or their infrastructure thoroughly mapped by Western intelligence. While these hackers remain out of reach in Moscow, their digital impunity has evaporated. They are no longer shadows; they are known entities with a price on their heads.