New Russian state-sponsored APT quickly gains global reach, hitting expansive targets

A newly discovered Russian state-sponsored threat group has targeted a large swath of industries, especially in NATO member states and Ukraine, part of a global espionage campaign in support of Moscow’s interests, Microsoft Threat Intelligence said in a Tuesday blog post.
Laundry Bear, a group Microsoft tracks as Void Blizzard, has attacked multiple governments and critical infrastructure providers since at least 2024. Dutch intelligence and security services on Tuesday said the group infiltrated the Netherlands’ national police force’s systems in September 2024 and stole work-related contact details on police staff.
“We have seen this hacker group successfully gain access to sensitive information from a large number of government organizations and companies worldwide,” Peter Reesink, director of the Netherlands’ Ministry of Defense, said in a statement Tuesday, according to a translation. “Laundry Bear is looking for information about the purchase and production of military equipment by Western governments and Western deliveries of weapons to Ukraine.”
The group’s initial access methods lack sophistication, yet it has gained access to and stolen data from multiple organizations in critical sectors.
“While Void Blizzard’s tactics, techniques, and procedures are not unique among advanced persistent threat actors or even Russian nation state-sponsored groups, the widespread success of their operations underscores the enduring threat from even unsophisticated TTPs when leveraged by determined actors seeking to collect sensitive information,” Microsoft threat researchers said in the blog post.
Void Blizzard has engaged in espionage targeting government agencies, defense suppliers, and organizations in communications, IT, health care, education, media and transportation since mid-2024, according to Microsoft.
“The threat actor uses stolen credentials — which are likely procured from commodity infostealer ecosystems — and collects a high volume of email and files from compromised organizations,” Microsoft threat researchers said. The group likely obtains cookies and other credentials from criminal ecosystems for password spray attacks, Microsoft added.
Void Blizzard uses these credentials to gain initial access to Exchange and SharePoint Online for intelligence gathering. The group then abuses legitimate cloud APIs to sift through mailboxes and cloud-hosted files prior to automating bulk theft of cloud-hosted data, Microsoft said.
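The password-spray pattern described above (one source trying stolen credentials against many accounts, then logging in with whichever ones work) is what a defender would look for in Entra ID sign-in logs. The following detector is an added example, not code from Microsoft's post or the Dutch advisory; the sample sign-in events, the field layout and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Entra ID interactive sign-in events (not real logs):
# (timestamp, userPrincipalName, source IP, result).
SAMPLE_SIGNINS = [
    ("2024-09-01T10:00:05Z", "alice@example.org", "203.0.113.7", "failure"),
    ("2024-09-01T10:00:31Z", "bob@example.org",   "203.0.113.7", "failure"),
    ("2024-09-01T10:01:02Z", "carol@example.org", "203.0.113.7", "failure"),
    ("2024-09-01T10:01:40Z", "dave@example.org",  "203.0.113.7", "failure"),
    ("2024-09-01T10:02:15Z", "erin@example.org",  "203.0.113.7", "failure"),
    ("2024-09-01T10:02:58Z", "frank@example.org", "203.0.113.7", "success"),
    ("2024-09-01T10:03:20Z", "grace@example.org", "203.0.113.7", "failure"),
    # Benign: one user mistypes a password twice, then signs in normally.
    ("2024-09-01T10:05:00Z", "bob@example.org",   "198.51.100.2", "failure"),
    ("2024-09-01T10:05:20Z", "bob@example.org",   "198.51.100.2", "failure"),
    ("2024-09-01T10:05:45Z", "bob@example.org",   "198.51.100.2", "success"),
]

def _parse(event):
    ts, user, ip, result = event
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result

def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs that fail authentication against >= min_users distinct
    accounts inside any sliding window (assumed thresholds), and list accounts
    that later succeeded from a flagged IP: credentials the spray confirmed."""
    by_ip = defaultdict(list)
    for ts, user, ip, result in sorted(map(_parse, events)):
        by_ip[ip].append((ts, user, result))

    flagged, hits = {}, []
    for ip, evs in by_ip.items():
        failures = [(ts, user) for ts, user, r in evs if r == "failure"]
        for i, (start, _) in enumerate(failures):
            # Distinct accounts failing from this IP within the window.
            users = {u for ts, u in failures[i:] if ts - start <= window}
            if len(users) >= min_users:
                flagged[ip] = users
                # Any success from this IP once the spray began is a likely hit
                # and the account to reset and review first.
                hits += [(ip, u) for ts, u, r in evs
                         if r == "success" and ts >= start]
                break
    return flagged, hits
```

Repeated single-account failures (the benign case in the sample) are deliberately not flagged; only breadth across accounts from one source is.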
In some cases, the group has accessed Microsoft Teams conversations and messages, and cataloged Microsoft Entra ID configurations to gain information about users, roles, groups, applications and devices belonging to that account.
Microsoft Threat Intelligence in April identified a Void Blizzard adversary-in-the-middle spear-phishing campaign that targeted more than 20 non-governmental agencies in Europe and the United States. In those attacks, the threat group used a typosquatted domain to spoof Microsoft Entra authentication.
“This new tactic suggests that Void Blizzard is augmenting their opportunistic but focused access operations with a more targeted approach, increasing the risk for organizations in critical sectors,” Microsoft said.
Microsoft declined to answer questions about how many attacks have been attributed to Void Blizzard to date and how much the group’s threat activity levels have increased in the past year.
Laundry Bear has targeted “virtually all countries” in the European Union and NATO, Dutch intelligence and security agencies said in a cybersecurity advisory, adding that the group has also attacked organizations in Eastern and Central Asia.
Dutch officials said Laundry Bear operates at a high pace and described the group as “very successful,” compared to some other Russian state-sponsored threat groups.