The First Frost: Cadet Blizzard

Threat Intelligence Tarot

Vol. II · 89

Russia (GRU Unit 161)

G1003

★★★★★

risk 4/5

✦ The First Frost ✦

Cadet Blizzard

DEV-0586 · Ember Bear · UAC-0056

UkraineGovernmentCritical infrastructureNATO-adjacent organizations

Active since ~2020 · Destruction, Psychological operations, Disruption

The First Frost arrives before the storm, killing quietly what was green. It is not the war but the herald: the wiper that clears the battlefield of digital memory before the tanks arrive at the border.

Tactics & Techniques

RCN

RDV

INI

EXC

PRS

PRV

EVA

CRD

DSC

LAT

COL

EXF

IMP

T1485

Data Destruction

Impact

T1561.002

Disk Wipe

Impact

T1486

Data Encrypted for Impact

Impact

T1059.003

Windows Command Shell

Execution

T1195

Supply Chain Compromise

Initial Access

T1566.001

Spearphishing Attachment

Initial Access

T1070

Indicator Removal

Defense Evasion

Notable Operations

◆WhisperGate wiper attack (January 2022, days before Russian invasion)
◆Ukrainian government website defacements
◆Data destruction across Ukrainian ministries
◆Precursor operations to kinetic military action

Defenses

▸
Immutable offline backups tested monthly for restoration capability
CIS Control 11 ↗
▸
Privileged access workstations for administrative operations
CIS Control 6 ↗
▸
Spearphishing simulation and phishing-resistant MFA
NIST CSF: PR.AT ↗
▸
Supply chain security reviews for software update mechanisms
CIS Control 2 ↗

Reversed: Their Weakness

Its operations are most effective in the chaos of surprise. Organizations with immutable, offline backups tested regularly can recover from disk wipe attacks without permanent data loss.

Share this adversary profile

Compare →

← → arrow keys to browse

swipe to browse

← PreviousThe Key Forger Next →The Patient Inheritor

Related Adversaries

Data sourced from MITRE ATT&CK. For educational purposes.