Cadet Blizzard (also tracked as Ember Bear, Bleeding Bear, DEV-0586, Storm-0586, Frozenvista, UNC2589, TA471, and MITRE ATT&CK G1040) is a Russian state-sponsored cyber cluster focused on sabotage and destruction. It was attributed by the formal ten-country joint Cybersecurity Advisory AA24-249A (September 5, 2024) to "29155 Cyber Actors" within GRU Unit 29155, the unit of the Russian Main Intelligence Directorate historically associated with sabotage, assassination, and influence operations, including the 2018 Salisbury nerve-agent poisoning of Sergei and Yulia Skripal, the 2014 Czech Vrbětice ammunition depot bombing, and the 2016 Montenegro coup-attempt plot. The September 2024 attribution at the GRU-Unit-29155 level is high-confidence and was jointly issued by the US FBI / CISA / NSA / State Department / Treasury, UK NCSC, Estonian RIA + Välisluureamet, Latvian SAB, Lithuanian NCSC, Polish ABW, Czech Military Intelligence + BIS, Canadian Centre for Cyber Security, German BSI, and Ukrainian SBU. The ten-country attribution places Cadet Blizzard in the top tier of formally attributed Russian-state cyber clusters alongside APT28 (GRU Unit 26165), APT29 (SVR), Sandworm (GRU Unit 74455), Turla (FSB Centre 16), Dragonfly (FSB Centre 16), Gamaredon (FSB Centre 18), and Star Blizzard (FSB Centre 18). GRU Unit 29155 represents the broader GRU military-intelligence sabotage directorate's pivot into cyber operations alongside its kinetic and influence portfolios.
The unit is operationally distinct from GRU Unit 74455 (Sandworm, Main Centre for Special Technologies, focused on destructive cyber operations against critical infrastructure including the 2015-2016 Ukrainian electric-grid attacks, the 2017 NotPetya wiper, and the 2018 Olympic Destroyer attack on the Pyeongchang Winter Olympics, already covered as sandworm_team.yaml) and from GRU Unit 26165 (APT28 / Fancy Bear, focused on cyber-espionage and information operations including the 2016 DNC intrusion and the 2018 World Anti-Doping Agency operations, already covered as apt28_fancybear.yaml). Unit 29155's cyber portfolio is conceptually positioned as sabotage and influence operations adjacent to its kinetic sabotage activity, rather than as either pure espionage or pure destructive cyber-warfare. The foundational reference event for the cluster is the WhisperGate destructive-malware deployment of January 13-14, 2022 against approximately 70 Ukrainian government, IT, and financial-services organizations. WhisperGate operated as a Master Boot Record (MBR) wiper disguised as ransomware: the malware overwrote the victim machine's MBR with a ransom note and then destroyed file contents using a second-stage component. The ransomware decoy was deliberately deceptive; the malware was designed for destruction rather than financial extortion. The WhisperGate deployment occurred approximately six weeks before Russia's February 24, 2022 full-scale invasion of Ukraine and was one of the first publicly documented pre-invasion Russian cyber-sabotage operations. WhisperGate was accompanied by mass defacement of Ukrainian government websites with anti-Ukrainian messaging. Operationally, Cadet Blizzard's toolkit centers on the WhisperGate MBR wiper, defacement tooling, destructive batch and PowerShell scripts, web shells (China Chopper, custom), and conventional living-off-the-land tooling (Cobalt Strike Beacon, Mimikatz, Impacket, PsExec, CrackMapExec).
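A forensic triage check for the MBR-overwrite pattern described above (a ransom note written over the bootstrap code while the sector otherwise looks intact), as an added example that is not code from the advisory or any vendor; the two sample sectors, the fake note text and the 64-byte run threshold are constructed assumptions for illustration.

```python
"""Triage of a disk's first sector (MBR) for a text overwrite by a wiper posing as
ransomware. Added example, not vendor or advisory code; both samples are constructed."""
import hashlib
import string
from typing import Optional

SECTOR_SIZE = 512
PART_TABLE_OFF = 446   # bootstrap code ends here; 4 x 16-byte partition entries follow
BOOT_SIG = b"\x55\xAA"  # bytes 510-511 of a valid MBR
PRINTABLE = frozenset(string.printable.encode())

def longest_printable_run(data: bytes) -> int:
    """Length of the longest run of printable ASCII bytes in data."""
    best = run = 0
    for b in data:
        run = run + 1 if b in PRINTABLE else 0
        best = max(best, run)
    return best

def mbr_triage(sector: bytes, baseline_sha256: Optional[str] = None) -> dict:
    """Indicators for one sector. Real boot code is dense machine code with only
    short strings; a long run of readable text in the bootstrap area is a strong
    sign of a ransom-note overwrite. Signature and partition table may survive
    such an overwrite, so they are reported but not trusted on their own."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    code = sector[:PART_TABLE_OFF]
    entries = [sector[i:i + 16] for i in range(PART_TABLE_OFF, PART_TABLE_OFF + 64, 16)]
    # boot flag must be 0x00 or 0x80; a non-zero type byte marks a used entry
    sane_entries = sum(e[0] in (0x00, 0x80) and e[4] != 0 for e in entries)
    digest = hashlib.sha256(sector).hexdigest()
    text_run = longest_printable_run(code)
    return {
        "sha256": digest,
        "matches_baseline": baseline_sha256 is None or digest == baseline_sha256,
        "boot_signature_ok": sector[510:] == BOOT_SIG,
        "sane_partition_entries": sane_entries,
        "longest_text_run": text_run,
        "suspect_text_overwrite": text_run >= 64,   # assumed threshold
    }

# Constructed sample 1: x86 boot-code stub, zero padding, one NTFS partition entry.
CLEAN_MBR = (b"\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB\x50\x07\x50\x1F\xFC\xBE\x1B\x7C"
             + b"\x00" * (PART_TABLE_OFF - 16)
             + b"\x80\x20\x21\x00\x07\xFE\xFF\xFF\x00\x08\x00\x00\x00\x00\x10\x00"
             + b"\x00" * 48 + BOOT_SIG)
# Constructed sample 2: same table and signature, bootstrap area holds a fake note.
FAKE_NOTE = (b"Your hard drive has been corrupted. To recover it, send payment to "
             b"the address below and contact us quoting your reference id. ")
WIPED_MBR = FAKE_NOTE.ljust(PART_TABLE_OFF, b"\x00") + CLEAN_MBR[PART_TABLE_OFF:]
```

On a live image, read the first 512 bytes of the disk device and compare the digest against a baseline captured at provisioning time; the signature check passing on the wiped sample is the point, since a ransomware-style overwrite need not disturb it.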
Initial access patterns include spear-phishing with weaponized Office documents and exploitation of public-facing vulnerabilities; the September 2024 advisory documented exploitation of approximately fifteen specific CVEs across Confluence, VMware, Outlook, Microsoft Office, Ivanti, Zimbra, and other public-facing software. A defining cluster characteristic is the dual portfolio of destructive operations alongside intelligence collection: the cluster does not operate as a pure espionage cluster (like APT28, APT29, Turla, Star Blizzard) and does not operate at the scale of Sandworm's destructive operations against industrial control systems. Cadet Blizzard occupies a distinct operational niche consistent with GRU Unit 29155's broader sabotage-and-influence mission profile. A handful of operational notes:
First, the cluster's vendor-naming proliferation (Cadet Blizzard / Ember Bear / Bleeding Bear / DEV-0586 / Storm-0586 / Frozenvista / UNC2589 / TA471) reflects more than two years of fragmented pre-consolidation vendor tracking. Modern reporting should default to "Cadet Blizzard" as the Microsoft-canonical name. "Ember Bear" remains the CrowdStrike-canonical name.
Second, the cluster is operationally distinct from Sandworm (GRU Unit 74455, already covered as sandworm_team.yaml). The two clusters share Russian state sponsorship and destructive-cyber-operations mission elements but operate under different GRU units with different historical missions and different operational portfolios. Sandworm's signature destructive operations (BlackEnergy, Industroyer, NotPetya, Olympic Destroyer, HermeticWiper, CaddyWiper, Industroyer2, AcidRain) operate at a substantially higher technical tier and on a broader scale than Cadet Blizzard's WhisperGate-class operations.
Third, the September 2024 ten-country joint attribution event was the most comprehensive coordinated Western attribution of a Russian cyber cluster to date in terms of number of participating countries (ten plus EU), exceeding even the December 2023 Star Blizzard attribution (six participating countries) and the March 2022 Dragonfly DOJ indictment (US-only at the indictment level). The breadth of the attribution reflects sustained Cadet Blizzard targeting of Central, Eastern, and Northern European NATO member states alongside North American targets.
Fourth, the cluster's relationship to Lorec53, a separately tracked Russian-aligned cluster sometimes proposed as a Cadet Blizzard predecessor or adjacent cluster, remains analytically open. Treat it as adjacent but separate unless reporting explicitly identifies cross-cluster overlap.