Unmasking Laundry Bear: A New Russian Cyber-Espionage Threat Emerges
In the ever-evolving landscape of state-sponsored cyber activity, intelligence agencies and cybersecurity firms are constantly working to identify and track the groups operating in the shadows. Recently, a significant development emerged from the Netherlands and Microsoft, shedding light on a previously unknown Russian-linked cyber-espionage crew. This group, dubbed Laundry Bear by Dutch intelligence services and Void Blizzard by Microsoft, has been actively targeting a range of critical organizations across Europe and North America since at least April 2024.
The joint efforts of the Netherlands General Intelligence and Security Service (AIVD) and the Military Intelligence and Security Service (MIVD), alongside Microsoft Threat Intelligence, have painted a clear picture of Laundry Bear's activities. Their primary objective appears to be espionage, focusing on gathering sensitive information from targets deemed valuable to the Russian government. These targets include Dutch police, NATO member states, Western technology companies, and organizations providing support to Ukraine.
According to a joint advisory issued by the AIVD and MIVD, Laundry Bear has, to date, exclusively engaged in non-destructive cyberattacks. This aligns with a typical espionage profile, where the goal is covert data exfiltration rather than disruption or damage. The Dutch services first encountered the group during an investigation into a credential-stealing incident targeting Dutch police in September 2024, highlighting the group's focus on law enforcement and government entities.
Strategic Targeting: Critical Sectors and Geopolitical Interests
Laundry Bear's targeting strategy is highly indicative of state-sponsored objectives. Beyond law enforcement, the group has compromised organizations within the defense, aerospace, and space technology sectors. These are companies involved in producing military equipment, making them prime targets for intelligence gathering related to military capabilities and supply chains. Furthermore, the group has targeted firms specializing in high-end technologies that Russia struggles to acquire due to international sanctions. This suggests an economic espionage motive intertwined with strategic national interests, aiming to circumvent restrictions and bolster Russia's technological base.
Microsoft Threat Intelligence corroborated these findings in their own report, identifying the group as Void Blizzard. Microsoft's observations extend to an attack against a Ukrainian aviation organization in October 2024. This particular targeting is noteworthy, as the same organization had previously been targeted by Seashell Blizzard, also known as Sandworm, another notorious Russian-intelligence-linked group active since 2022. This overlap in targeting suggests a coordinated or complementary effort among different Russian state-sponsored actors, focusing on entities critical to Ukraine's defense and infrastructure.
The scope of Void Blizzard's activities is broad, regularly attempting to compromise government organizations and law enforcement agencies across Europe and North America. Their targeting also extends to a wide array of critical sectors, including:
- Telecommunications
- Defense Industrial Base
- Healthcare
- Education
- Information Technology (IT)
- Transportation
- Media
- Non-Governmental Organizations (NGOs)
Microsoft emphasized the heightened risk posed by Void Blizzard's prolific activity against critical sectors, particularly for NATO member states and countries allied with Ukraine. The intelligence gathered from these sectors could provide Russia with valuable insights into military capabilities, political strategies, economic vulnerabilities, and logistical operations related to the conflict in Ukraine.
Tactics and Techniques: From Stolen Credentials to Cloud Abuse
Laundry Bear/Void Blizzard employs a combination of opportunistic and targeted techniques to gain initial access and achieve their espionage goals. A common entry vector involves the use of stolen credentials. These credentials are often acquired from "commodity infostealer ecosystems," which are underground markets where login information compromised by various malware campaigns is traded. By leveraging these readily available credentials, the group can bypass initial authentication layers and gain a foothold within target networks.
Once inside, the group's primary objective is data collection, with a strong focus on email and files. Microsoft's analysis indicates that the attackers collect a "high volume" of this data, suggesting a dragnet approach to information gathering, likely followed by filtering and analysis to extract valuable intelligence.
Expanding the Arsenal: Spear-Phishing and Typosquatting
While credential theft remains a core tactic, Microsoft observed Void Blizzard expanding its playbook as recently as April 2025. The group has incorporated targeted spear-phishing attacks aimed specifically at credential theft. A notable campaign targeted over 20 NGOs in Europe and the US. In this operation, the attackers impersonated organizers of a legitimate-sounding event, the "European Defense and Security Summit."
The spear-phishing emails contained a malicious PDF attachment. This PDF was designed not to deliver malware directly, but to lure recipients into an adversary-in-the-middle (AitM) phishing trap. AitM attacks are particularly dangerous because they can intercept not only usernames and passwords but also multi-factor authentication (MFA) codes and session cookies, allowing attackers to bypass robust authentication mechanisms.
The trap involved a QR code within the PDF, which redirected victims to attacker-controlled infrastructure. This infrastructure was hosted on a typosquatted domain, specifically `micsrosoftonline[.]com`. Typosquatting involves registering domain names that are slight variations or common misspellings of legitimate domains (like `microsoftonline.com`) to trick users into visiting malicious sites. The typosquatted domain hosted a convincing phishing page that mimicked the Microsoft Entra (formerly Azure Active Directory) login portal.
The attackers utilized the open-source Evilginx kit to power this AitM setup. Evilginx is a powerful phishing framework designed to facilitate the interception of credentials and session cookies, making it highly effective against targets using MFA. This adoption of typosquatting and AitM techniques represents a newly observed tactic for the group, indicating an evolution towards more targeted and sophisticated initial access methods. Microsoft warned that this shift increases the risk for organizations in critical sectors, as these methods are harder to detect and defend against than simpler phishing attempts.
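The typosquatted domain described above is the kind of indicator a defender can catch automatically in proxy or DNS logs. The following is an added example, not code from the advisory or from Microsoft: it undoes the `[.]` defanging used in reports, computes an edit distance between the registrable part of a hostname and an allowlist of genuine sign-in domains, and separately catches a brand domain hidden inside a subdomain. The allowlist, the threshold of two edits, the naive "last two labels" rule for the registrable domain, and every hostname other than `micsrosoftonline[.]com` are assumptions or constructed test data.

```python
"""Lookalike-domain check for phishing infrastructure such as the
micsrosoftonline[.]com domain named in the article. Added example; the
allowlist and all other indicators below are constructed."""
from __future__ import annotations

# Assumption: the registrable domains this organisation's users legitimately
# sign in to. Extend it for your own identity providers.
LEGIT_DOMAINS = {"microsoftonline.com", "microsoft.com", "live.com", "office.com"}


def refang(indicator: str) -> str:
    """Normalise a hostname, undoing the [.] and (.) defanging used in reports."""
    return indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment edit distance: insertion, deletion,
    substitution and adjacent transposition each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable(host: str) -> str:
    """Naive eTLD+1 (last two labels). Assumption: no multi-label public
    suffixes such as co.uk; use a public-suffix list in production."""
    return ".".join(host.split(".")[-2:])


def lookalike_of(indicator: str, max_distance: int = 2) -> tuple[str, str] | None:
    """Return (legitimate_domain, reason) when the host impersonates an
    allowlisted domain, or None if it is the genuine domain or unrelated."""
    host = refang(indicator)
    if registrable(host) in LEGIT_DOMAINS:
        return None  # the real domain or one of its own subdomains
    labels = host.split(".")
    # Brand domain buried in a subdomain, e.g. microsoftonline.com.evil-example.net
    for i in range(len(labels)):
        for j in range(i + 2, len(labels) + 1):
            if ".".join(labels[i:j]) in LEGIT_DOMAINS:
                return ".".join(labels[i:j]), "brand-as-subdomain"
    # Close misspelling of the registrable part, e.g. micsrosoftonline.com
    best: tuple[str, int] | None = None
    for legit in sorted(LEGIT_DOMAINS):
        dist = osa_distance(registrable(host), legit)
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (legit, dist)
    return (best[0], "edit-distance") if best else None


def scan(indicators: list[str]) -> dict[str, tuple[str, str]]:
    """Run the check over a batch, e.g. hostnames pulled from proxy or DNS logs."""
    hits = {}
    for ind in indicators:
        result = lookalike_of(ind)
        if result:
            hits[refang(ind)] = result
    return hits


if __name__ == "__main__":
    # Constructed batch: the indicator from the article plus made-up hosts.
    sample = ["micsrosoftonline[.]com", "login.microsoftonline.com",
              "microsoftonline.com.evil-example.net", "example.com", "rnicrosoft.com"]
    for host, (target, why) in scan(sample).items():
        print(f"{host:40} -> impersonates {target} ({why})")
```

A distance threshold of two catches single-character insertions like the one in `micsrosoftonline.com` and pairs such as `rn` for `m`, while leaving unrelated domains alone; in a real deployment the allowlist should be the exact set of sign-in domains your users are expected to reach, and hits belong in a blocklist or an alert, not in a silent log.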
Abusing Cloud Services for Data Exfiltration
A key characteristic of Laundry Bear/Void Blizzard's post-compromise activity is their abuse of legitimate cloud APIs. Once they have gained access to a victim's cloud environment, they leverage services like Exchange Online and Microsoft Graph to systematically snoop through mailboxes, including shared mailboxes, and access cloud-hosted files. This allows them to automate the bulk collection and exfiltration of sensitive data stored in the cloud.
Microsoft Threat Intelligence also reported observing the group accessing Microsoft Teams conversations and messages via the Microsoft Teams web client application in a small number of compromises. This highlights the group's interest in communication data, which can provide valuable intelligence on internal discussions, plans, and relationships.
Furthermore, the attackers have been observed using publicly available tools like AzureHound to enumerate the compromised organization's Microsoft Entra ID configuration. AzureHound is a tool used for mapping relationships within Azure AD environments, similar to how BloodHound is used for on-premises Active Directory. By using AzureHound, the attackers can gain a detailed understanding of the victim's cloud identity infrastructure, including users, roles, groups, applications, and devices. This reconnaissance helps them identify high-value targets, understand access permissions, and plan further lateral movement or data exfiltration activities within the cloud environment.
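The bulk mailbox collection described in this section leaves a recognisable shape in mailbox audit records: one account, from one client address, reading from several mailboxes it does not own in a short period, and reading a large number of items. The following is an added example, not code from the advisory or from Microsoft. It runs a sliding-window check over constructed JSON-lines records; the field names (`CreationTime`, `Operation`, `UserId`, `ClientIP`, `MailboxOwnerUPN`, `OperationCount`), the thresholds, and all accounts and addresses are assumptions or constructed data loosely modelled on a unified audit log export, not a verbatim schema.

```python
"""Detect bulk mailbox collection in mailbox-audit records. Added example with
constructed data; the record shape is a simplified version of a unified audit
log export (assumption), not a verbatim schema."""
from __future__ import annotations
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed JSON-lines sample. One session (j.doe from 203.0.113.7) sweeps its
# own mailbox plus three shared mailboxes within ten minutes; a.smith's activity
# is ordinary. Addresses are from the IP documentation ranges.
SAMPLE_AUDIT = """
{"CreationTime": "2024-10-01T08:00:00", "Operation": "MailItemsAccessed", "UserId": "j.doe@example.org", "ClientIP": "203.0.113.7", "MailboxOwnerUPN": "j.doe@example.org", "OperationCount": 300}
{"CreationTime": "2024-10-01T08:02:00", "Operation": "MailItemsAccessed", "UserId": "j.doe@example.org", "ClientIP": "203.0.113.7", "MailboxOwnerUPN": "finance@example.org", "OperationCount": 200}
{"CreationTime": "2024-10-01T08:05:00", "Operation": "MailItemsAccessed", "UserId": "j.doe@example.org", "ClientIP": "203.0.113.7", "MailboxOwnerUPN": "hr@example.org", "OperationCount": 200}
{"CreationTime": "2024-10-01T08:09:00", "Operation": "MailItemsAccessed", "UserId": "j.doe@example.org", "ClientIP": "203.0.113.7", "MailboxOwnerUPN": "legal@example.org", "OperationCount": 200}
{"CreationTime": "2024-10-01T08:10:00", "Operation": "FileAccessed", "UserId": "j.doe@example.org", "ClientIP": "203.0.113.7"}
{"CreationTime": "2024-10-01T09:00:00", "Operation": "MailItemsAccessed", "UserId": "a.smith@example.org", "ClientIP": "198.51.100.20", "MailboxOwnerUPN": "a.smith@example.org", "OperationCount": 5}
{"CreationTime": "2024-10-01T09:03:00", "Operation": "MailItemsAccessed", "UserId": "a.smith@example.org", "ClientIP": "198.51.100.20", "MailboxOwnerUPN": "finance@example.org", "OperationCount": 2}
"""


def parse_audit(jsonl: str) -> list[dict]:
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]


def detect_bulk_mailbox_access(records: list[dict], window_minutes: int = 30,
                               min_other_mailboxes: int = 3, min_items: int = 500) -> dict:
    """Flag (actor, client IP) pairs that, within one sliding window, read from
    several mailboxes they do not own or touch a large number of items.
    Thresholds are assumptions; tune them to the tenant's normal baseline."""
    by_actor: dict[tuple[str, str], list[dict]] = defaultdict(list)
    for r in records:
        if r.get("Operation") == "MailItemsAccessed":
            by_actor[(r["UserId"].lower(), r["ClientIP"])].append(r)

    findings: dict[tuple[str, str], dict] = {}
    for (user, ip), evs in by_actor.items():
        evs.sort(key=lambda r: r["CreationTime"])
        times = [datetime.fromisoformat(r["CreationTime"]) for r in evs]
        lo = 0
        for hi in range(len(evs)):
            # Advance the window start until it fits inside window_minutes.
            while times[hi] - times[lo] > timedelta(minutes=window_minutes):
                lo += 1
            window = evs[lo:hi + 1]
            others = {r["MailboxOwnerUPN"].lower() for r in window
                      if r["MailboxOwnerUPN"].lower() != user}
            items = sum(r.get("OperationCount", 1) for r in window)
            if len(others) >= min_other_mailboxes or items >= min_items:
                prev = findings.get((user, ip))
                # Keep the widest-reaching window seen for this actor/IP pair.
                if prev is None or (len(others), items) > (prev["other_mailboxes"], prev["items"]):
                    findings[(user, ip)] = {"other_mailboxes": len(others),
                                           "items": items, "mailboxes": sorted(others)}
    return findings


if __name__ == "__main__":
    for (user, ip), f in detect_bulk_mailbox_access(parse_audit(SAMPLE_AUDIT)).items():
        print(f"{user} from {ip}: {f['items']} items across "
              f"{f['other_mailboxes']} non-owned mailboxes {f['mailboxes']}")
```

Keying on the client address as well as the account matters: a compromised account used by its real owner during the working day and by an intruder from elsewhere at night will show up as two separate actors, and the intruder's window is the one that crosses the thresholds.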
Laundry Bear vs. Fancy Bear: Distinct but Similar
While the tactics employed by Laundry Bear/Void Blizzard – credential theft, phishing, cloud abuse, reconnaissance – are common among many state-sponsored espionage groups, particularly those linked to Russia, both Microsoft and the Dutch intelligence services assert that Laundry Bear is a distinct entity separate from other known Russian Advanced Persistent Threats (APTs).
The Dutch advisory specifically noted that attacks by LAUNDRY BEAR frequently overlap with the modus operandi of APT28, also widely known as Fancy Bear, Pawn Storm, Strontium, or Forest Blizzard. Fancy Bear is another prominent GRU-linked group with a long history of targeting Western governments, military organizations, and critical infrastructure. Since 2022, Fancy Bear has been particularly active against logistics providers, tech companies, and government organizations involved in providing transport and foreign assistance to Ukraine.
Just the week prior to the announcement about Laundry Bear, a joint advisory from 21 government agencies across the US, UK, Canada, Germany, France, Czech Republic, Poland, Austria, Denmark, and the Netherlands sounded the alarm on an ongoing Fancy Bear campaign. This campaign targeted email servers and internet-connected cameras at Ukrainian border crossings, specifically to track aid shipments – a clear espionage objective related to the conflict.
The similarities between Laundry Bear and Fancy Bear include a similar target selection and the use of techniques like password spraying (a brute-force attack where a single password, or a small list of common passwords, is tried against many accounts). Despite these overlaps, the Dutch services maintain that "LAUNDRY BEAR and APT28 are two different actors." This distinction is crucial for threat intelligence and defense, as it implies a potentially expanding landscape of Russian state-sponsored cyber capabilities or a division of labor among different groups with similar objectives.
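Password spraying, as defined in the paragraph above, has a signature that is the inverse of an ordinary brute-force attempt: many distinct accounts, very few failures per account, all from the same source in a short time. The following is an added example, not code from the advisory or from either intelligence service. It reads a constructed CSV of sign-in events and flags a source address once it has produced failures against a threshold number of distinct users without hammering any single one, reporting any success from that source inside the same window. The four-column shape, the thresholds, and every account and address are assumptions or constructed data.

```python
"""Password-spray detection over sign-in records. Added example; the CSV shape
is a simplification (assumption) and the events are constructed."""
from __future__ import annotations
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sign-in log. 203.0.113.50 tries ten accounts once each and then
# succeeds against an eleventh; 198.51.100.5 is a user mistyping their own
# password. Addresses are from the IP documentation ranges.
SAMPLE_SIGNINS = """time,ip,user,result
2024-09-10T02:00:01,203.0.113.50,alice@example.org,failure
2024-09-10T02:00:14,203.0.113.50,bob@example.org,failure
2024-09-10T02:00:27,203.0.113.50,carol@example.org,failure
2024-09-10T02:00:40,203.0.113.50,dave@example.org,failure
2024-09-10T02:00:53,203.0.113.50,erin@example.org,failure
2024-09-10T02:01:06,203.0.113.50,frank@example.org,failure
2024-09-10T02:01:19,203.0.113.50,grace@example.org,failure
2024-09-10T02:01:32,203.0.113.50,heidi@example.org,failure
2024-09-10T02:01:45,203.0.113.50,ivan@example.org,failure
2024-09-10T02:01:58,203.0.113.50,judy@example.org,failure
2024-09-10T02:02:11,203.0.113.50,kevin@example.org,success
2024-09-10T08:15:00,198.51.100.5,bob@example.org,failure
2024-09-10T08:15:20,198.51.100.5,bob@example.org,failure
2024-09-10T08:15:41,198.51.100.5,bob@example.org,success
"""


def parse_signins(text: str) -> list[dict]:
    """Read the CSV and convert the time column to datetime objects."""
    rows = list(csv.DictReader(StringIO(text.strip())))
    for r in rows:
        r["time"] = datetime.fromisoformat(r["time"])
    return rows


def detect_password_spray(records: list[dict], window_minutes: int = 60,
                          min_users: int = 8, max_per_user: int = 3) -> dict:
    """Per source IP, slide a window over its events and flag it when failures
    span at least min_users distinct accounts with no account failing more than
    max_per_user times (the low-and-slow spray shape). Thresholds are assumptions."""
    by_ip: dict[str, list[dict]] = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)

    findings: dict[str, dict] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda r: r["time"])
        lo = 0
        for hi in range(len(evs)):
            while evs[hi]["time"] - evs[lo]["time"] > timedelta(minutes=window_minutes):
                lo += 1
            window = evs[lo:hi + 1]
            fails: dict[str, int] = defaultdict(int)
            for r in window:
                if r["result"] == "failure":
                    fails[r["user"]] += 1
            if len(fails) >= min_users and max(fails.values()) <= max_per_user:
                successes = sorted({r["user"] for r in window if r["result"] == "success"})
                # Later, wider windows overwrite earlier ones for the same IP.
                findings[ip] = {"distinct_users": len(fails),
                                "failures": sum(fails.values()),
                                "successes_in_window": successes}
    return findings


if __name__ == "__main__":
    for ip, f in detect_password_spray(parse_signins(SAMPLE_SIGNINS)).items():
        print(f"{ip}: {f['failures']} failures across {f['distinct_users']} accounts; "
              f"successes in window: {f['successes_in_window'] or 'none'}")
```

The success list is the part worth alerting on with urgency: a spray that ends in a successful sign-in is a compromised account, not just noise, and that account's sessions and tokens should be reviewed immediately. The user fumbling their own password from 198.51.100.5 never crosses the distinct-user threshold and stays out of the findings.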
The identification of a new, distinct group like Laundry Bear underscores the persistent and evolving nature of Russian state-sponsored cyber threats. These groups continue to refine their techniques, incorporating new tools and tactics like AitM phishing and cloud service abuse to achieve their espionage goals against high-value targets in the West and countries supporting Ukraine. The focus on email and file exfiltration highlights the enduring value of traditional intelligence gathering in the digital age, even as attack methods become more sophisticated.
Defending Against Laundry Bear and Similar Threats
The tactics employed by Laundry Bear/Void Blizzard necessitate robust defense strategies focused on initial access prevention and post-compromise detection and response, particularly within cloud environments. Organizations in targeted sectors, especially those aligned with NATO or supporting Ukraine, should review and strengthen their security postures.
Key defensive measures include:
- Implementing Strong Multi-Factor Authentication (MFA): MFA, especially phishing-resistant forms like FIDO2 security keys, is critical to defending against credential theft and AitM attacks. Even if a password is compromised, MFA can prevent unauthorized access.
- Enhancing Security Awareness Training: Educating employees about spear-phishing techniques, including the dangers of clicking links or scanning QR codes from unexpected sources and recognizing typosquatted domains, is vital.
- Monitoring Cloud Service Activity: Organizations must actively monitor logs and activity within their cloud environments (e.g., Microsoft 365, Azure AD) for suspicious behavior, such as bulk data access, unusual login locations, or the use of reconnaissance tools like AzureHound.
- Implementing Conditional Access Policies: Configuring policies in Azure AD to restrict access based on user location, device state, or application can help mitigate the impact of compromised credentials.
- Regular Patching and Updates: While not explicitly mentioned as an exploit vector for Laundry Bear, keeping systems and software updated is a fundamental security practice that protects against various attack methods.
- Leveraging Threat Intelligence: Staying informed about the latest tactics, techniques, and procedures (TTPs) used by groups like Laundry Bear/Void Blizzard and Fancy Bear allows organizations to proactively adjust their defenses.
The exposure of Laundry Bear serves as a stark reminder that the cyber threat landscape is constantly shifting, with state-sponsored actors adapting their methods to target the most valuable information. The collaboration between national intelligence services and private cybersecurity firms like Microsoft is essential in identifying and publicizing these threats, enabling potential targets to better protect themselves against sophisticated espionage campaigns.
While cybercrime, as a whole, is often cited as being orders of magnitude larger than state-backed operations in terms of sheer volume and financial impact, the strategic and geopolitical implications of state-sponsored espionage, like that conducted by Laundry Bear, remain a critical concern for national security and international stability. The ongoing vigilance and collaboration between governments and the private sector are paramount in countering these persistent threats.