
Microsoft exposes Laundry Bear targeting critical infrastructure

Microsoft has laid out the modus operandi of the Russian group it tracks as Void Blizzard, working with several intelligence services to expose the group in detail. After a year of espionage against critical infrastructure in several European countries, that exposure gives defenders something concrete to act on.

Ukraine and NATO countries are the main targets of Void Blizzard, as Microsoft calls the group; the Dutch and US authorities, by contrast, call the collective Laundry Bear. The group mainly targets critical infrastructure for espionage. That is the conclusion of Microsoft Threat Intelligence, which has also observed a change in behavior since April: the group has added more direct methods, such as harvesting credentials through phishing emails.

The Dutch intelligence agencies AIVD and MIVD, as well as the FBI, collaborated with Microsoft's team. The Dutch connection is not coincidental: many of the targets were located in the Netherlands. Among others, the Dutch national police were hit in September 2024, as the AIVD reported in its own press release. Void Blizzard/Laundry Bear's ambitions go well beyond the Netherlands, however, with targets in healthcare, telecommunications, media, transportation, and more across NATO countries and Ukraine. The common thread is that the group selects targets that align with Russia's interests: insight into how NATO countries and Ukraine operate, and into the support they provide to Kyiv, is a standing priority for the government in Moscow.

Broad range of attacks

Microsoft concludes that with these attacks, Void Blizzard is "likely collecting intelligence to help support Russian strategic objectives." The group mainly uses stolen login credentials, which it likely procures from commodity infostealer markets. This lets it gain access to organizations at scale; once inside, it steals large volumes of emails and files.

In April of this year, Microsoft observed a significant escalation. The group began carrying out targeted spear-phishing attacks, sending fake invitations to the European Defense and Security Summit. An attached PDF contained a QR code that directed victims to a typosquatted domain hosting a fake Microsoft Entra login page, set up as an adversary-in-the-middle proxy so that the credentials and the resulting session are captured as the victim logs in.

Dutch connection

The cooperation with Dutch services is no coincidence. Russian cyber activities are increasingly targeting Western countries that support Ukraine. Due to its strategic position and transit ports, the Netherlands is a particularly attractive target for Russian espionage operations.

Microsoft emphasizes that Void Blizzard has overlapping targets with other known Russian groups such as Forest Blizzard, Midnight Blizzard, and Secret Blizzard. This suggests shared espionage interests within the Russian intelligence services.

Simple but effective methods

Although Void Blizzard does not use advanced techniques, it is remarkably successful. The group relies on password spraying and stolen credentials for access, then abuses legitimate cloud APIs such as Exchange Online and Microsoft Graph to collect data. "Despite the lack of sophistication in their access methods, Void Blizzard has proven effective in gaining access to organizations in critical sectors," Microsoft said.
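The password spraying the paragraph describes is visible in Entra ID sign-in logs as one source address failing against many distinct accounts in a short window; the accounts where that same address then gets a password accepted are the ones to triage first. The Python below is an added example written for this page, not Microsoft's code and not a Defender XDR detection; the sample records are constructed to mirror the shape of Microsoft Graph `signIn` objects, and the window (ten minutes), threshold (five accounts) and the choice of AADSTS codes treated as "password accepted" are this example's assumptions.

```python
"""Password-spray triage over Entra ID sign-in records (constructed sample data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# AADSTS codes taken from Microsoft's sign-in error documentation.
BAD_PASSWORD = {50126}            # invalid username or password
# Assumption of this example: these outcomes mean the password itself was accepted
# (plain success, or MFA was demanded because the password was right).
PASSWORD_OK = {0, 50074, 50076}


def _rec(ts, upn, ip, code):
    """Build a trimmed record in the Microsoft Graph signIn shape (constructed)."""
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "ipAddress": ip, "status": {"errorCode": code}}


SPRAYED = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]
SAMPLE_SIGNINS = (
    [   # one user mistyping her own password twice and then getting in: benign
        _rec("2025-04-10T09:00:05Z", "alice@example.com", "203.0.113.9", 50126),
        _rec("2025-04-10T09:00:40Z", "alice@example.com", "203.0.113.9", 50126),
        _rec("2025-04-10T09:01:10Z", "alice@example.com", "203.0.113.9", 0),
    ]
    + [  # one address trying a password against eight accounts in four minutes
        _rec(f"2025-04-10T10:0{i // 2}:{'30' if i % 2 else '00'}Z",
             f"{u}@example.com", "198.51.100.7", 50126)
        for i, u in enumerate(SPRAYED)
    ]
    + [  # the same address then scores: one account stopped by MFA, one without MFA
        _rec("2025-04-10T10:05:00Z", "carol@example.com", "198.51.100.7", 50076),
        _rec("2025-04-10T10:06:00Z", "dave@example.com", "198.51.100.7", 0),
    ]
)


def parse_signins(records):
    """Normalise raw signIn records into (ts, upn, ip, code) dicts."""
    out = []
    for r in records:
        out.append({
            "ts": datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00")),
            "upn": r["userPrincipalName"].lower(),
            "ip": r["ipAddress"],
            "code": r["status"]["errorCode"],
        })
    return out


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs that fail against >= min_users distinct accounts within `window`.

    For each flagged IP, also list accounts where that IP later had a password
    accepted: those are the compromised (or MFA-only protected) accounts.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["code"] in BAD_PASSWORD]
        best, start = set(), 0
        for i, e in enumerate(fails):          # sliding window over failures
            while fails[start]["ts"] < e["ts"] - window:
                start += 1
            users = {f["upn"] for f in fails[start:i + 1]}
            if len(users) > len(best):
                best = users
        if len(best) < min_users:
            continue
        accepted = sorted({e["upn"] for e in evs if e["code"] in PASSWORD_OK})
        findings.append({"ipAddress": ip,
                         "distinct_users_failed": len(best),
                         "password_accepted": accepted})
    return findings


if __name__ == "__main__":
    for f in detect_spray(parse_signins(SAMPLE_SIGNINS)):
        print(f"spray from {f['ipAddress']}: {f['distinct_users_failed']} accounts tried, "
              f"password accepted for {', '.join(f['password_accepted']) or 'none'}")
```

In production the input is the Graph `signIns` endpoint or the `SigninLogs` table rather than a list literal, and the grouping key should be widened beyond a single IP (ASN, user agent, or the tenant-wide failure rate), because sprays that rotate through proxy pools will stay under a per-IP threshold.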

The attackers largely automate the collection of cloud data. Once in, they enumerate and bulk-collect mail and files, including shared mailboxes and files belonging to other users in the compromised organization. In some cases they have also read Microsoft Teams conversations and messages through the web client.

Protection and detection

Microsoft advises organizations to take several measures. Multi-factor authentication (MFA) remains essential, although adversary-in-the-middle phishing pages can relay the login and capture the resulting session, which defeats SMS, voice and push-based MFA. Phishing-resistant methods such as FIDO2 security keys or passkeys are therefore recommended over phone-based MFA.

Keeping identity management in order matters just as much: centralizing identities in a single platform with conditional access and risk-based sign-in policies gives a consistent view of who signs in from where, without which an account takeover can neither be spotted nor ruled out. The growing number of offensive cyber programs worldwide makes such precautions increasingly important.

For organizations that suspect they have been compromised, Microsoft recommends resetting the credentials of all accounts that may have been affected and reviewing Microsoft Graph API activity for suspicious actions. Since a stolen session token survives a password reset, active sessions and refresh tokens for those accounts should be revoked as well. Microsoft Defender XDR detection rules can help identify Void Blizzard activity.
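The bulk mailbox collection described under "Simple but effective methods", and the review of suspicious activity recommended here, can both start from the MailItemsAccessed records in the Microsoft 365 unified audit log, where the tenant's audit configuration records them: one account reading hundreds of items through a REST client, syncing mailboxes it does not own, and tripping the audit throttle is the shape of automated collection. The Python below is an added example for this page, not Microsoft's code; the records are constructed and trimmed to the fields the check uses, and the one-hour window, the item and shared-mailbox thresholds, and the client strings are assumptions to be tuned against a real tenant.

```python
"""Bulk mailbox-access triage over MailItemsAccessed audit records (constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions of this example, not Microsoft guidance: tune to the tenant's baseline.
ITEM_THRESHOLD = 500      # items read by one account within the window
SHARED_THRESHOLD = 2      # distinct mailboxes the account does not own
WINDOW = timedelta(hours=1)


def _rec(ts, user, owner, client, access, items, throttled=False):
    """Build a trimmed record in the unified audit log MailItemsAccessed shape (constructed)."""
    return {
        "CreationTime": ts,
        "Operation": "MailItemsAccessed",
        "UserId": user,
        "MailboxOwnerUPN": owner,
        "ClientInfoString": client,
        "OperationProperties": [
            {"Name": "MailAccessType", "Value": access},
            {"Name": "IsThrottled", "Value": str(throttled)},
        ],
        "Folders": [{"Path": "\\Inbox", "FolderItems": [{"Id": f"i{n}"} for n in range(items)]}],
    }


REST = "Client=REST;Client=RESTSystem;;"   # constructed client string for Graph/REST access
SAMPLE_AUDIT = [
    _rec("2025-04-15T08:02:11Z", "bob@example.com", "bob@example.com", "Client=MSExchangeRPC", "Bind", 12),
    _rec("2025-04-15T08:10:00Z", "alice@example.com", "helpdesk@example.com", "Client=OWA;Action=ViaProxy", "Bind", 5),
    # compromised account syncing its own mailbox and two shared ones via REST within an hour
    _rec("2025-04-15T08:15:00Z", "carol@example.com", "carol@example.com", REST, "Sync", 800),
    _rec("2025-04-15T08:22:00Z", "carol@example.com", "finance@example.com", REST, "Sync", 300),
    _rec("2025-04-15T08:31:00Z", "carol@example.com", "ceo@example.com", REST, "Sync", 250, throttled=True),
]


def _ts(rec):
    return datetime.fromisoformat(rec["CreationTime"].replace("Z", "+00:00"))


def _props(rec):
    return {p["Name"]: p["Value"] for p in rec["OperationProperties"]}


def _items(rec):
    return sum(len(f["FolderItems"]) for f in rec["Folders"])


def detect_bulk_access(records, window=WINDOW):
    """Per account, find the busiest `window` of mail access and flag it when it
    exceeds the item threshold, touches several other people's mailboxes, or was
    throttled (which itself means the audit trail is incomplete for the next 24h)."""
    by_user = defaultdict(list)
    for r in records:
        if r["Operation"] == "MailItemsAccessed":
            by_user[r["UserId"].lower()].append(r)

    findings = []
    for user, recs in by_user.items():
        recs.sort(key=_ts)
        best = None
        for i, first in enumerate(recs):
            end = _ts(first) + window
            span = [r for r in recs[i:] if _ts(r) <= end]
            metrics = {
                "UserId": user,
                "window_start": first["CreationTime"],
                "items": sum(_items(r) for r in span),
                "other_mailboxes": sorted({r["MailboxOwnerUPN"].lower() for r in span
                                           if r["MailboxOwnerUPN"].lower() != user}),
                "sync_clients": sorted({r["ClientInfoString"] for r in span
                                        if _props(r).get("MailAccessType") == "Sync"}),
                "throttled": any(_props(r).get("IsThrottled") == "True" for r in span),
            }
            if best is None or metrics["items"] > best["items"]:
                best = metrics
        if (best["items"] >= ITEM_THRESHOLD
                or len(best["other_mailboxes"]) >= SHARED_THRESHOLD
                or best["throttled"]):
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_bulk_access(SAMPLE_AUDIT):
        print(f"{f['UserId']}: {f['items']} items from {f['window_start']}, "
              f"other mailboxes {f['other_mailboxes']}, throttled={f['throttled']}")
```

Real records come from `Search-UnifiedAuditLog` or the Office 365 Management Activity API and carry the full `AuditData` payload; the `IsThrottled` check is worth keeping because once a mailbox exceeds the audit throttle the subsequent reads are not logged, so a throttled record is a floor on what was taken, not a count.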
