Threat Actor

WhisperGate

whispergate · russia_apt_cadet_blizzard · active since 2021-12

WhisperGate (canonical Microsoft Threat Intelligence Center MSTIC naming per the January 15, 2022 disclosure "Destructive malware targeting Ukrainian organizations" + Microsoft alternative name PAYWIPE + Microsoft Defender detection DoS:Win32/WhisperGate.A!dha) is a destructive Master Boot Record (MBR) wiper masquerading as ransomware, deployed January 13-14, 2022 against Ukrainian government organizations. It is the first publicly disclosed wiper of the 2022 Ukraine wartime wiper cluster, preceding Russia's February 24, 2022 invasion of Ukraine by approximately one month.

Russian state-sponsored APT attribution via Cadet Blizzard / DEV-0586 / Ember Bear / UNC2589 / FROZENVISTA / Nodaria / TA471 / UAC-0056 operator naming convergence. Microsoft elevated DEV-0586 to the named actor Cadet Blizzard with formal Russian GRU attribution on June 14, 2023; per MITRE Group G1003 the group is attributed to Russia GRU 161st Specialist Training Center (Unit 29155) and, per Microsoft, is operationally separate from the Sandworm/Seashell Blizzard parent (curated separately as the cadet_blizzard parent operator). WhisperGate is a standalone malware platform cluster paralleling hermeticwiper + caddywiper in the Ukraine 2022 wartime wiper cell, distinct from the cadet_blizzard parent. 3-stage attack architecture: Stage 1 MBR wiper masquerading as ransomware (executed on system power-down) + Stage 2 stage2.exe downloader fetching the next stage from a hardcoded Discord channel URL + Stage 3 malicious file corrupter.

Cluster-defining ransomware-disguise tradecraft echoing the NotPetya June 2017 pattern per ESET and F-Secure (Calvin Gan) analysis: a specific Bitcoin wallet address in the ransom note (rare for criminal ransomware) + Tox ID-only communication method (rare) + no custom victim ID + no functional decryption mechanism = pure destructive cyberweapon disguise (the single hardcoded Bitcoin wallet received only one small transfer, January 14, 2022, per Microsoft). Operational target profile included multiple Ukrainian government ministries + ICT services + non-profit organizations + emergency services + law enforcement, with attackers penetrating Ukrainian government networks via a shared software supplier supply-chain attack per a private-sector cybersecurity expert in Kyiv (signature Cadet Blizzard "compromise one, compromise many" tradecraft).

Concurrent information operations included defacements of multiple Ukrainian organization websites + the hack-and-leak Free Civilian Telegram channel (~1,200 followers) + a dark web leak site (per Dark Owl assessment, the leaked files did not come from WhisperGate-targeted organizations).

CISA + FBI joint advisory February 28, 2022 warning of WhisperGate + HermeticWiper destructive malware spreading in connection to Russian invasion.

Microsoft June 14, 2023 canonical Cadet Blizzard naming + Russia GRU attribution: "A month before Russia invaded Ukraine, Cadet Blizzard foreshadowed future destructive activity when it created and deployed WhisperGate, a destructive capability that wipes Master Boot Records (MBRs), against Ukrainian government organizations", per Microsoft "Cadet Blizzard seeks to conduct disruption, destruction, and information collection, using whatever means are available and sometimes acting in a haphazard fashion. While the group carries high risk due to their destructive activity, they appear to operate with a lower degree of operational security than that of longstanding and advanced Russian groups such as Seashell Blizzard and Forest Blizzard".

Signature living-off-the-land techniques post-initial-access for lateral movement + credential collection + defense evasion + persistence (weeks-to-months network maintenance before the destructive payload trigger).

MITRE ATT&CK Group G1003 Ember Bear attribution + September 5, 2024 Five Eyes joint advisory on Russian military cyber actors targeting US critical infrastructure reinforcing Russia GRU Unit 29155 attribution chain; cluster fills first wiper position in 2022 Ukraine wartime wiper chronology: WhisperGate January 2022 - HermeticWiper February 23, 2022 - IsaacWiper February 24, 2022 - CaddyWiper March 14, 2022 - Industroyer2 April 8, 2022.

Canonical illustration of the pre-invasion strategic-preparation-phase cyber-attack pattern + cluster-defining MBR-wiper-masquerading-as-ransomware tradecraft, cited in essentially all subsequent Ukraine wiper industry analyses through the 2022-2026 period.

russia_apt_cadet_blizzard · confidence: high · 14 aliases

Profile

WhisperGate (canonical Microsoft Threat Intelligence Center MSTIC naming per the January 15, 2022 disclosure + Microsoft alternative naming PAYWIPE + Microsoft Defender detection DoS:Win32/WhisperGate.A!dha) is a destructive Master Boot Record (MBR) wiper masquerading as ransomware, deployed January 13-14, 2022 against Ukrainian government organizations. It is the first publicly disclosed wiper of the 2022 Ukraine wartime wiper cluster, preceding Russia's February 24, 2022 invasion of Ukraine by approximately one month. Russian state-sponsored APT attribution via Cadet Blizzard / DEV-0586 / Ember Bear (curated separately as the cadet_blizzard parent operator cluster) operator naming convergence, per MITRE Group G1003: Russia GRU 161st Specialist Training Center (Unit 29155). On June 14, 2023 Microsoft elevated DEV-0586 to the named actor Cadet Blizzard with formal GRU attribution.

Standalone malware platform cluster paralleling hermeticwiper + caddywiper in the Ukraine 2022 wartime wiper cell distinct from cadet_blizzard parent operator cluster (paralleling how BlackEnergy + NotPetya + Industroyer + Olympic Destroyer are standalone malware platform clusters distinct from sandworm_team parent operator).

Operational attack architecture:

(1) 3-stage malware chain
  • Stage 1: MBR wiper masquerading as ransomware (executed on system power-down).
  • Stage 2: stage2.exe downloader fetching the next stage from a Discord channel-hosted URL.
  • Stage 3: malicious file corrupter.

(2) Ransomware-disguise tradecraft (cluster-defining): echoes the NotPetya pattern per ESET; a specific Bitcoin wallet address in the ransom note (rare for criminal ransomware) + Tox ID-only communication method (rare) + no custom victim ID + no functional decryption mechanism = destructive cyberweapon disguise.

(3) Supply chain attack vector: per a private-sector cybersecurity expert in Kyiv, attackers penetrated Ukrainian government networks via a shared software supplier supply-chain attack.

(4) Concurrent information operations: website defacements + Free Civilian hack-and-leak Telegram channel + dark web leak site.

Operational target profile per Microsoft + Bleeping Computer + Bank Info Security:
  • Ukrainian government organizations (primary; ministries + ICT services).
  • Non-profit organizations + emergency services + law enforcement.
  • IT service providers + software developers, consistent with the supply chain "compromise one, compromise many" technique.
  • Single hardcoded Bitcoin wallet address received only one small transfer, January 14, 2022 (consistent with ransomware disguise rather than financial motivation).

Signature operational tradecraft:
  • MBR wiper masquerading as ransomware (cluster-defining): echoes the NotPetya June 2017 pattern.
  • 3-stage attack architecture with Discord channel-hosted next-stage payload.
  • Specific Bitcoin wallet + Tox ID-only ransom note pattern: signature operational marker distinct from criminal ransomware.
  • Supply chain compromise vector: shared software supplier.
  • Pre-invasion timing (signature strategic preparation): ~1 month before the Russian invasion.
  • Living-off-the-land techniques post-initial-access: lateral movement + credential collection + defense evasion + persistence.
  • Long-period network maintenance: weeks-to-months persistence before triggering the destructive payload.
  • Concurrent information operations: website defacements + Free Civilian hack-and-leak.

The cluster fills the first wiper position in the 2022 Ukraine wartime wiper chronology:
  • WhisperGate January 2022.
  • HermeticWiper February 23, 2022.
  • IsaacWiper February 24, 2022.
  • CaddyWiper March 14, 2022.
  • Industroyer2 April 8, 2022.

Operationally significant as a canonical illustration of the pre-invasion strategic-preparation-phase cyber-attack pattern.

Aliases (14)

  • whispergate
  • whisper gate
  • whispergate_malware
  • whispergate_wiper
  • paywipe
  • win32 whispergate
  • dos win32 whispergate
  • esetlinux trojan agent waf wiper
  • whispergate january 2022 ukraine
  • whispergate mbr wiper
  • whispergate first 2022 ukraine wiper
  • stage2 exe whispergate downloader
  • discord channel hosted whispergate next stage
  • whispergate ransomware disguise

Notable Campaigns (9)

  • 2024: MITRE ATT&CK Ember Bear G1003 + Five Eyes Joint Advisory September 2024
  • 2023: February 2023 Renewed Cadet Blizzard Activity
  • 2023: Microsoft Cadet Blizzard Canonical Naming (June 14, 2023)
  • 2022-2026: Continued Industry Reference Status (2022-2026)
  • 2022: WhisperGate Deployment (January 13-14, 2022)
  • 2022: Microsoft MSTIC Canonical Disclosure (January 15, 2022)
  • 2022: CISA + FBI Joint Advisory (February 28, 2022)
  • 2022: Free Civilian Hack-and-Leak Telegram Channel + Website Defacements (Early-Mid 2022)
  • 2021: WhisperGate Development (Late 2021)

Attribution & Reporting

Attributed by
  • Microsoft Threat Intelligence Center MSTIC (canonical January 15, 2022 disclosure + June 14, 2023 Cadet Blizzard naming)
  • Microsoft Defender Antivirus + Microsoft Defender for Endpoint (DoS:Win32/WhisperGate.A!dha detection)
  • Mandiant (UNC2589 tracking)
  • CrowdStrike (Ember Bear canonical tracking)
  • Google Threat Analysis Group TAG (FROZENVISTA tracking)
  • Symantec (Nodaria tracking)
  • Proofpoint (TA471 tracking)
  • CERT-UA Ukrainian Computer Emergency Response Team (UAC-0056 tracking)
  • SentinelOne (canonical destructive malware industry analysis)
  • ESET WeLiveSecurity (canonical "A year of wiper attacks in Ukraine" February 24, 2023 + WhisperGate context)
  • F-Secure (Calvin Gan canonical NotPetya-similarity analysis)
  • Unit 42 (Palo Alto Networks, spear-phishing campaign attribution)
  • CISA Cybersecurity and Infrastructure Security Agency (February 28, 2022 joint advisory)
  • FBI Federal Bureau of Investigation (February 28, 2022 joint advisory)
  • SecurityWeek (canonical industry reporting)
  • Bleeping Computer (canonical Microsoft Cadet Blizzard reporting)
  • The Hacker News (canonical attribution evolution reporting)
  • Bank Info Security (canonical Microsoft Cadet Blizzard reporting June 2023)
  • SC Media (canonical Microsoft naming evolution reporting)
  • Hive Pro (canonical Cadet Blizzard threat advisory June 2023)
  • MITRE ATT&CK Group G1003 (Ember Bear / Cadet Blizzard official ATT&CK entry)
  • MITRE ATT&CK Software S0689 (WhisperGate)
Key reporting
  • Microsoft Threat Intelligence Center MSTIC: Destructive malware targeting Ukrainian organizations (January 15, 2022), canonical WhisperGate disclosure
  • Microsoft Threat Intelligence: Cadet Blizzard emerges as a novel and distinct Russian threat actor (June 14, 2023), canonical Cadet Blizzard naming + Russia GRU attribution
  • Bleeping Computer: Microsoft links data wiping attacks to new Russian GRU hacking group, canonical Cadet Blizzard reporting
  • The Hacker News: Microsoft Warns of New Russian State-Sponsored Hacker Group with Destructive Intent, canonical attribution evolution
  • SecurityWeek: Microsoft Uncovers Destructive Malware Used in Ukraine Cyberattacks (January 16, 2022), canonical first-day industry reporting
  • SecurityWeek: Microsoft Outs New Russian APT Linked to Wiper Attacks in Ukraine (June 14, 2023)
  • SC Media (Stephen Weigand): Microsoft identifies, names new Russian-sponsored threat group
  • Bank Info Security: Microsoft Links 2022 WhisperGate Kyiv Attacks to Russia (June 15, 2023)
  • ESET WeLiveSecurity: A year of wiper attacks in Ukraine (February 24, 2023), canonical 2022 Ukraine wiper compilation
  • Mandiant / Google Cloud Threat Intelligence Group: UNC2589 canonical tracking
  • CrowdStrike: Ember Bear canonical tracking
  • Google Threat Analysis Group (TAG): FROZENVISTA tracking
  • Symantec: Nodaria tracking
  • Proofpoint: TA471 tracking
  • CERT-UA Ukrainian Computer Emergency Response Team: UAC-0056 tracking
  • Unit 42 (Palo Alto Networks): Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot (February 25, 2022)
  • Hive Pro: Unveiling Cadet Blizzard APT's Wiper Attacks Targeting Ukraine (June 15, 2023)
  • CISA + FBI + Five Eyes: Joint advisories on WhisperGate + Cadet Blizzard (multiple dates 2022-2024)
  • MITRE ATT&CK Group G1003: Ember Bear (Cadet Blizzard) attribution to Russia GRU Unit 29155
  • MITRE ATT&CK Software S0689: WhisperGate
  • Malpedia Software Profile: WhisperGate

Operational

State sponsor

Russian state-sponsored APT, specifically Cadet Blizzard / DEV-0586 / Ember Bear (curated separately as cadet_blizzard parent operator cluster).

Per Microsoft Threat Intelligence Center (MSTIC) canonical April 2023 weather-taxonomy renaming, DEV-0586 became Cadet Blizzard. Per MITRE ATT&CK Group G1003, Ember Bear is a "Russian state-sponsored cyber espionage group that has been active since at least 2020, linked to Russia's General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155)."

Attribution chain:

(1) Microsoft Threat Intelligence Center MSTIC canonical January 15, 2022 disclosure: published "Destructive malware targeting Ukrainian organizations", establishing canonical WhisperGate naming + DEV-0586 tracking + MBR-wiper-masquerading-as-ransomware characterization. Per the MSTIC initial assessment: "no notable associations between this observed activity (tracked as DEV-0586) and other known activity groups."

(2) Microsoft June 14, 2023 Cadet Blizzard canonical attribution: per Microsoft via Bleeping Computer + Bank Info Security + The Hacker News, Microsoft elevated DEV-0586 to the named actor "Cadet Blizzard", formally attributed to the Russian Main Directorate of the General Staff of the Armed Forces (GRU). Per Microsoft: "A month before Russia invaded Ukraine, Cadet Blizzard foreshadowed future destructive activity when it created and deployed WhisperGate, a destructive capability that wipes Master Boot Records (MBRs), against Ukrainian government organizations." Per Microsoft: "Cadet Blizzard operations are associated with the Russian General Staff Main Intelligence Directorate (GRU) but are separate from other known and more established GRU-affiliated groups such as Forest Blizzard (STRONTIUM) and Seashell Blizzard (IRIDIUM)"; Cadet Blizzard is distinct from the Sandworm parent (curated as sandworm_team).

(3) MITRE ATT&CK Group G1003 Ember Bear attribution: MITRE established Russia GRU 161st Specialist Training Center (Unit 29155) attribution. CrowdStrike Ember Bear naming + Google TAG FROZENVISTA + Symantec Nodaria + Proofpoint TA471 + CERT-UA UAC-0056 + Mandiant UNC2589 all overlap with Cadet Blizzard tracking.

(4) Ukrainian government attribution January 2022: Ukraine said publicly it had "evidence" Russia was behind the attacks. A Ukrainian official initially attributed WhisperGate to a group linked to Belarusian intelligence, though noted similarities to APT28 malware. Final consensus: Russia GRU.

(5) CISA + FBI February 28, 2022 advisory: US government joint advisory warning of WhisperGate + HermeticWiper destructive malware spreading in connection with Russia's invasion of Ukraine.

Operational mission objective: per Microsoft, WhisperGate is "designed to look like ransomware but lacking a ransom recovery mechanism, is intended to be destructive and designed to render targeted devices inoperable rather than to obtain ransom payments." It operationally functions as a destructive cyberweapon disguised as ransomware in a pattern echoing NotPetya June 2017; per Calvin Gan (F-Secure) to SecurityWeek: "WhisperGate or DEV-0586 as Microsoft calls it has a similar resemblance to NotPetya discovered back in 2017 which is also a wiper malware disguised as a ransomware." Per Microsoft: "Cadet Blizzard seeks to conduct disruption, destruction, and information collection, using whatever means are available and sometimes acting in a haphazard fashion. While the group carries high risk due to their destructive activity, they appear to operate with a lower degree of operational security than that of longstanding and advanced Russian groups such as Seashell Blizzard and Forest Blizzard."

Operational target profile
  • January 13-14, 2022 attack: multiple Ukrainian government organizations + ICT services + non-profit organizations + emergency services.
  • Per a private-sector cybersecurity expert in Kyiv: "attackers penetrated the government networks through a shared software supplier in a supply-chain attack".
  • Pre-invasion timing: ~1 month before Russia's February 24, 2022 invasion of Ukraine, the pre-invasion cyber-attack signature of the strategic preparation phase.
  • Concurrent activity: defacements of multiple Ukrainian organization websites + hack-and-leak "Free Civilian" forum operations.

The cluster fills the first wiper position in the 2022 Ukraine wartime wiper chronology:
  • WhisperGate January 2022.
  • HermeticWiper February 23, 2022.
  • IsaacWiper February 24, 2022.
  • CaddyWiper March 14, 2022.
  • Industroyer2 April 8, 2022.
Motivations
ukrainian_government_disruption_pre_invasion_strategic_preparation, first_wiper_of_2022_ukraine_wartime_wiper_cluster_capability_demonstration, destructive_cyberweapon_disguised_as_ransomware_no_recovery_mechanism, cadet_blizzard_signature_disruptive_capability_demonstration, master_boot_record_wiper_capability_demonstration, russian_strategic_objective_ukrainian_government_destabilization, information_operations_via_concurrent_website_defacements_and_free_civilian_hack_and_leak

Detection Blind Spots (60 techniques)

Across this actor's 60 mapped techniques, the share covered by each detection layer. Low bars are where you'd be blind if this actor targeted you.
  • Behavioral / log (Sigma): 56/60 (93%)
  • Analytics (MITRE CAR): 30/60 (50%)
  • Runtime / container (Falco): 6/60 (10%)
  • File / malware (YARA): 0/60 (0%)
  • Network (Suricata/Snort): 15/60 (25%)
  • Vuln scan (Nuclei): 0/60 (0%)

Atomic Test Plan

30 techniques
Runnable Atomic Red Team tests covering this actor's mapped techniques, to validate your detections against this specific adversary. Cross-reference the blind spots above. For authorized lab / purple-team use.

Tools Used

0 mapped
Other tooling / TTPs (curation, not ATT&CK-mapped):
  • MASTER BOOT RECORD MBR OVERWRITE
  • SAINTBOT RELATED CADET BLIZZARD TOOLING

CVEs Exploited (2)
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin