A new cyberespionage group linked to the Russian government has been targeting organizations from a variety of sectors for over a year. Dubbed Void Blizzard by Microsoft Threat Intelligence and Laundry Bear by Dutch intelligence services, the group leverages compromised credentials to access mailboxes and steal large amounts of emails and data from internal networks.
“While Void Blizzard has a global reach, their cyberespionage activity disproportionately targets NATO member states and Ukraine, indicating that the actor is likely collecting intelligence to help support Russian strategic objectives,” Microsoft Threat Intelligence researchers wrote in a report on their observations of the group. “In particular, the threat actor’s prolific activity against networks in critical sectors poses a heightened risk to NATO member states and allies to Ukraine in general.”
The sectors targeted by this group include communications, telecommunications, defense, healthcare, education, government agencies and services, information technology, intergovernmental organizations, media, NGOs, and transportation.
Microsoft collaborated with the Netherlands General Intelligence and Security Service (AIVD) and the Netherlands Defence Intelligence and Security Service (MIVD), which issued a separate advisory on the group. The Dutch services investigated Void Blizzard after it successfully compromised the Dutch police in September 2024.
The group’s targets overlap with other known Russian state-run cyberespionage groups, including APT28 aka Fancy Bear, APT29 aka Cozy Bear, and Turla aka Venomous Bear, which Microsoft calls Forest Blizzard, Midnight Blizzard, and Secret Blizzard, respectively. Compared to these groups, however, Void Blizzard appears to be using less sophisticated techniques to gain initial access.
Password spraying and infostealer data dumps
Up until last month, Void Blizzard relied mostly on password spraying, a technique that involves brute-force password guessing attacks using lists of common or leaked passwords from other data breaches. The group has also been buying passwords, as well as session cookies, from underground cybercriminal markets, particularly so-called logs obtained from infostealer malware — a growing threat of late.
The group uses these credentials to access Microsoft Exchange and sometimes SharePoint Online servers. In the attack against the Dutch police, the group compromised the account of a police employee using a session cookie stolen through an infostealer infection.
Session cookies are small unique values that websites set in the browser to remember an authenticated user session for a length of time. Attackers who steal these cookies from a victim’s computer can load them into their own browser, in what is known as a pass-the-cookie attack, and gain access to the account without ever logging in with a password.
“After being successfully authenticated and obtaining access to an account, Laundry Bear approaches victims through Microsoft Exchange Web Services (EWS) and Outlook Web Access (OWA) in an attempt to run certain actions on victim networks,” the Dutch intelligence services wrote in a joint advisory. “The Dutch services consider it highly probable that Laundry Bear first tries to download the GAL [Global Address List]. Information from the GAL is then used for password spraying attacks to gain access to other accounts. Investigation has revealed that the threat actor is specifically interested in mail accounts that manage other accounts (delegated access).”
The group doesn’t appear to have its own custom malware program and instead relies heavily on living-off-the-land (LOTL) tactics, which involve using administrative tools and frameworks that already exist on compromised computers to achieve their goals.
While some of the group’s attacks appear opportunistic, targeting a wide range of public and private sector organizations, there is a clear focus on entities relevant to Russia’s war efforts in Ukraine. This includes the defense ministries of NATO member countries, their ambassadors and foreign affairs ministries, their armed forces, and defense contractors.
Switch to spear phishing
In recent months the group seems to have pivoted from password spraying to targeted spear phishing attacks that direct users to fake Microsoft Entra login pages using adversary-in-the-middle (AitM) techniques. Such a campaign led to the compromise of 20 NGOs in April.
In its campaign against NGOs, Void Blizzard sent emails masquerading as official invitations to the European Defense and Security Summit that will take place next month in Brussels. The emails contained a PDF attachment designed to look like an invitation with a QR code that directed victims to a typosquatted domain name called micsrosoftonline[.]com.
“We assess that Void Blizzard is using the open-source attack framework Evilginx to conduct the AitM phishing campaign and steal authentication data, including the input username and password and any cookies generated by the server,” Microsoft researchers wrote in their report. “Evilginx, publicly released in 2017, was the first widely available phishing kit with AitM capabilities.”
Following successful access, the hackers leverage legitimate Microsoft cloud APIs such as those from Exchange Online and Microsoft Graph to enumerate user mailboxes and cloud-hosted files. The attackers will download any shared files and folders they have access to and in some cases have also accessed Microsoft Teams conversations and messages through the Teams web application.
The AzureHound open-source tool has also been used to collect information about the victim’s Microsoft Entra ID configuration, including information on users, roles, groups, applications, and devices belonging to an Entra tenant.
Mitigation
Microsoft has released several threat-hunting queries for Microsoft XDR and Azure Sentinel. The company also advises using Conditional Access policies to implement sign-in risk detections that can trigger automatic access blocks or multi-factor authentication prompts.
“Leverage phishing-resistant authentication methods such as FIDO Tokens, or Microsoft Authenticator with passkey,” the company advised. “Avoid telephony-based MFA methods to avoid risks associated with SIM-jacking.”
Centralizing identity management in a single platform for both cloud and on-premises environments and logging the data to a SIEM can help organizations analyze and detect suspicious activity. Implementing proper credential hygiene and the principle of least privilege is also very important.
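As an added illustration of the kind of SIEM detection the paragraph above refers to (example code written for this article, not one of Microsoft’s published hunting queries), the following Python flags the password-spraying pattern described earlier: one source address failing against many distinct accounts in a short window, plus any accounts that did sign in successfully from that source and whose sessions therefore need revoking. The record layout and the sample sign-in events are constructed assumptions modelled loosely on Entra sign-in logs, not an official schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in an assumed Entra-like shape (not an official schema).
# Entra reports a bad username/password as error code 50126; "0" marks a successful sign-in.
SAMPLE_LOGS = [
    {"time": "2025-04-01T08:00:05Z", "user": "alice@example.org", "ip": "203.0.113.7", "status": "50126"},
    {"time": "2025-04-01T08:00:40Z", "user": "bob@example.org", "ip": "203.0.113.7", "status": "50126"},
    {"time": "2025-04-01T08:01:15Z", "user": "carol@example.org", "ip": "203.0.113.7", "status": "50126"},
    {"time": "2025-04-01T08:01:50Z", "user": "dave@example.org", "ip": "203.0.113.7", "status": "50126"},
    {"time": "2025-04-01T08:02:25Z", "user": "erin@example.org", "ip": "203.0.113.7", "status": "50126"},
    {"time": "2025-04-01T08:03:00Z", "user": "frank@example.org", "ip": "203.0.113.7", "status": "50126"},
    {"time": "2025-04-01T08:03:35Z", "user": "grace@example.org", "ip": "203.0.113.7", "status": "0"},
    # A legitimate user mistyping a password twice does not look like a spray.
    {"time": "2025-04-01T08:05:00Z", "user": "henry@example.org", "ip": "198.51.100.4", "status": "50126"},
    {"time": "2025-04-01T08:05:30Z", "user": "henry@example.org", "ip": "198.51.100.4", "status": "50126"},
    {"time": "2025-04-01T08:06:00Z", "user": "henry@example.org", "ip": "198.51.100.4", "status": "0"},
    # Many users succeeding from one office NAT address is normal and must not be flagged.
    {"time": "2025-04-01T08:07:00Z", "user": "ivan@example.org", "ip": "192.0.2.10", "status": "0"},
    {"time": "2025-04-01T08:07:30Z", "user": "judy@example.org", "ip": "192.0.2.10", "status": "0"},
]

def detect_password_spray(events, window_minutes=60, min_users=5, min_failure_ratio=0.8):
    """Flag source IPs whose failed sign-ins cover at least `min_users` distinct accounts
    within `window_minutes` and make up at least `min_failure_ratio` of that IP's attempts.
    Successful sign-ins from a flagged IP are reported: those are the sessions to revoke."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append({**e, "ts": datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ")})
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            # Sliding window anchored at each event from this source address.
            window = [e for e in evs[i:] if e["ts"] - start["ts"] <= timedelta(minutes=window_minutes)]
            failed_users = {e["user"] for e in window if e["status"] != "0"}
            failure_ratio = sum(e["status"] != "0" for e in window) / len(window)
            if len(failed_users) < min_users or failure_ratio < min_failure_ratio:
                continue
            prev = findings.get(ip)
            # Keep the widest qualifying window per IP so each source is reported once.
            if prev is None or len(failed_users) > len(prev["targeted_users"]):
                findings[ip] = {
                    "ip": ip,
                    "targeted_users": sorted(failed_users),
                    "successful_users": sorted({e["user"] for e in window if e["status"] == "0"}),
                }
    return list(findings.values())
```

Tune the thresholds to the tenant’s baseline; shared egress addresses with many legitimate failures will otherwise produce noise.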
Original article: New Russian APT group Void Blizzard targets NATO-based orgs after infiltrating Dutch police | CSO Online