Microsoft Threat Intelligence has identified a prolific Russian-affiliated cyber espionage group it tracks as Void Blizzard (also known as LAUNDRY BEAR), active since at least April 2024 against telecommunications and IT organizations, government agencies, defense contractors, healthcare systems and media organizations, primarily in Europe and North America, with a particular focus on NATO member states and Ukraine. Much of the group's tradecraft is commodity credential theft rather than novel exploitation, but it has been effective, including against organizations that operate critical infrastructure.
Void Blizzard’s Strategic Objectives
Void Blizzard's operations align closely with Russian strategic interests, particularly concerning Ukraine. The group concentrates on organizations that provide military or humanitarian support to Ukraine. Notably, it compromised Ukrainian aviation entities that GRU-linked groups such as Seashell Blizzard had already targeted in 2022.
In September 2024, Void Blizzard compromised a Dutch police employee's account with a pass-the-cookie attack: instead of authenticating, the actor replayed a stolen browser session cookie, so the service treated the requests as the employee's already-authenticated session and no password or MFA prompt was involved. With that access the group exfiltrated the Global Address List (GAL), which contains contact details for police personnel. The Dutch intelligence services AIVD and MIVD assessed that the cookie was most likely obtained through the commodity infostealer ecosystem, where stolen browser sessions are sold on criminal marketplaces.
Attack Techniques and Tooling
Void Blizzard combines commodity credential theft with, more recently, targeted spear-phishing. Its initial access techniques include:
– Password spraying: trying a small number of common or previously leaked passwords against many accounts, keeping attempts per account low enough to stay under lockout thresholds.
– Stolen credentials and authentication tokens: passwords and session cookies bought from the criminal infostealer ecosystem. A valid session cookie replays without triggering the password or MFA step at all.
In April 2025, Microsoft Threat Intelligence observed Void Blizzard running adversary-in-the-middle (AitM) phishing against more than 20 non-governmental organizations (NGOs) in Europe and the United States. Victims received a PDF attachment carrying a QR code that led to a typosquatted domain, micsrosoftonline[.]com, impersonating the Microsoft Entra sign-in page. The page was served by the open-source Evilginx framework, which proxies the victim's traffic to the real sign-in service: the victim completes a genuine login, MFA included, while Evilginx records the credentials and the resulting session cookie, which the actor then replays exactly as in the pass-the-cookie case.
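The two initial-access patterns above leave different traces in the identity logs: a spray is one source failing against many accounts, and a replayed cookie (whether bought from an infostealer log or captured by Evilginx) is a session id that was issued to one browser and then shows up from another. The following is an added example, not code from Microsoft or from this article; the events are constructed, and the field names (ts, ip, upn, result, sessionId, ua) are a simplified subset of the Entra ID sign-in log schema.

```python
"""Detecting Void Blizzard-style initial access in Entra ID sign-in events.

Added example, not Microsoft's or the article's code. SAMPLE_EVENTS is
constructed telemetry; field names are a simplified subset of the real schema.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

CHROME_WIN = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
FIREFOX_LINUX = "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"


def _ev(ts, ip, upn, result, session_id=None, ua=CHROME_WIN):
    return {"ts": ts, "ip": ip, "upn": upn, "result": result,
            "sessionId": session_id, "ua": ua}


def _ts(e):
    return datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")


# Constructed sample: one spraying IP, one legitimate user, one replayed cookie.
SAMPLE_EVENTS = [
    # 203.0.113.7 fails once against each of six accounts in four minutes: spray.
    _ev("2025-04-10T08:00:10Z", "203.0.113.7", "a.smith@example.org", "failure", ua="python-requests/2.31"),
    _ev("2025-04-10T08:00:55Z", "203.0.113.7", "b.jones@example.org", "failure", ua="python-requests/2.31"),
    _ev("2025-04-10T08:01:40Z", "203.0.113.7", "c.lee@example.org", "failure", ua="python-requests/2.31"),
    _ev("2025-04-10T08:02:25Z", "203.0.113.7", "d.kim@example.org", "failure", ua="python-requests/2.31"),
    _ev("2025-04-10T08:03:10Z", "203.0.113.7", "e.wong@example.org", "failure", ua="python-requests/2.31"),
    _ev("2025-04-10T08:03:55Z", "203.0.113.7", "f.ali@example.org", "failure", ua="python-requests/2.31"),
    # A real user mistypes a password twice, then signs in: not a spray.
    _ev("2025-04-10T08:58:00Z", "198.51.100.5", "j.doe@example.org", "failure"),
    _ev("2025-04-10T08:58:30Z", "198.51.100.5", "j.doe@example.org", "failure"),
    _ev("2025-04-10T09:00:00Z", "198.51.100.5", "j.doe@example.org", "success", "sess-1"),
    _ev("2025-04-10T09:05:00Z", "198.51.100.5", "j.doe@example.org", "success", "sess-1"),
    # Twenty minutes later the same session cookie arrives from a different
    # host and browser: pass-the-cookie / AitM replay.
    _ev("2025-04-10T09:20:00Z", "203.0.113.50", "j.doe@example.org", "success", "sess-1", ua=FIREFOX_LINUX),
]


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_accounts=5, max_per_account=2):
    """Return {source_ip: [targeted UPNs]} for IPs whose failures inside `window`
    touch at least `min_accounts` accounts with at most `max_per_account`
    failures each (many accounts, few tries per account)."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[e["ip"]].append((_ts(e), e["upn"]))
    hits = {}
    for ip, rows in failures.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            per_account = Counter(upn for _, upn in rows[start:end + 1])
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_per_account
                    and len(per_account) > len(hits.get(ip, ()))):
                hits[ip] = sorted(per_account)
    return hits


def detect_session_replay(events):
    """Return [(sessionId, upn, first_client, later_client)] whenever a session
    id first seen from one (ip, user agent) is later presented from another."""
    first_seen = {}
    alerts = []
    for e in sorted(events, key=_ts):
        sid = e["sessionId"]
        if not sid or e["result"] != "success":
            continue
        client = (e["ip"], e["ua"])
        if sid not in first_seen:
            first_seen[sid] = client
        elif first_seen[sid] != client:
            alerts.append((sid, e["upn"], first_seen[sid], client))
    return alerts


if __name__ == "__main__":
    for ip, accounts in detect_password_spray(SAMPLE_EVENTS).items():
        print(f"password spray from {ip}: {len(accounts)} accounts, e.g. {accounts[:3]}")
    for sid, upn, first, later in detect_session_replay(SAMPLE_EVENTS):
        print(f"session {sid} for {upn} issued to {first} replayed from {later}")
```

On real telemetry the replay rule needs tuning: a laptop moving between Wi-Fi and a phone hotspot changes the IP but not the user agent, so keying on ASN or country rather than raw IP cuts the noise, and an actor can set any user agent, so the IP side of the comparison is the one that matters. The spray thresholds likewise depend on tenant size; the shape of the signal (many accounts, very few failures per account, one source) is what carries over.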
Post-compromise, the actor abuses legitimate cloud APIs rather than deploying malware. Through Exchange Online and Microsoft Graph it enumerates the mailboxes and cloud-hosted files the compromised account can reach and automates bulk collection of emails and files. It has also read Microsoft Teams conversations through the Teams web client and used the open-source tool AzureHound to enumerate the tenant's Microsoft Entra ID configuration (users, groups, roles, applications and devices). Because all of this traffic goes to Microsoft services with a valid token, it looks like ordinary client activity to network controls; detection has to come from identity and API audit logs.
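Both post-compromise behaviours have a distinctive shape in API request logs: bulk collection is one principal reading messages from many different mailboxes in a short window, and AzureHound-style reconnaissance is one principal listing several directory collections back to back. The following is an added example, not Microsoft's or the article's code; the log records are constructed, and the field names (ts, principal, uri, status) are a simplified subset of what Microsoft Graph activity logs carry.

```python
"""Spotting API-driven bulk mail collection and directory enumeration in
Microsoft Graph request logs.

Added example, not Microsoft's or the article's code. SAMPLE_EVENTS is
constructed; field names are a simplified subset of Graph activity logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
# /users/{id-or-upn}/messages or /users/{id-or-upn}/mailFolders/...: a mailbox read.
MAILBOX_RE = re.compile(r"^/users/([^/]+)/(?:messages|mailFolders)")
# Collection endpoints a directory-enumeration tool walks.
RECON_COLLECTIONS = ("/users", "/groups", "/directoryRoles",
                     "/roleManagement/directory/roleAssignments",
                     "/applications", "/servicePrincipals", "/devices")


def _path(uri):
    """Strip API version and query string: /v1.0/users?$top=999 -> /users."""
    return re.sub(r"^/(?:v1\.0|beta)", "", uri).split("?", 1)[0]


def _ev(ts, principal, uri, status=200):
    return {"ts": ts, "principal": principal, "method": "GET", "uri": uri, "status": status}


_BASE = datetime(2025, 4, 12, 10, 0, 0)


def _at(seconds):
    return (_BASE + timedelta(seconds=seconds)).strftime(TS_FMT)


SAMPLE_EVENTS = (
    # A service account reads twelve different mailboxes, one every 20 seconds.
    [_ev(_at(20 * i), "svc-backup@example.org",
         f"/v1.0/users/user{i:02d}@example.org/messages?$top=500") for i in range(12)]
    + [
        # Same account, but a 403 is not a successful read and must not count.
        _ev(_at(260), "svc-backup@example.org", "/v1.0/users/user99@example.org/messages", 403),
        # A normal user reading their own inbox three times: one mailbox only.
        _ev(_at(0), "j.doe@example.org", "/v1.0/users/j.doe@example.org/mailFolders/inbox/messages"),
        _ev(_at(300), "j.doe@example.org", "/v1.0/users/j.doe@example.org/mailFolders/inbox/messages"),
        _ev(_at(600), "j.doe@example.org", "/v1.0/users/j.doe@example.org/messages"),
        # An app principal sweeps five directory collections inside two minutes.
        _ev(_at(1000), "recon-app", "/v1.0/users?$top=999"),
        _ev(_at(1010), "recon-app", "/v1.0/groups?$top=999"),
        _ev(_at(1025), "recon-app", "/v1.0/roleManagement/directory/roleAssignments"),
        _ev(_at(1060), "recon-app", "/beta/applications"),
        _ev(_at(1100), "recon-app", "/v1.0/devices"),
        # A help-desk user listing users once is normal.
        _ev(_at(1200), "it.admin@example.org", "/v1.0/users?$filter=startswith(displayName,'J')"),
    ]
)


def _windowed(rows, window):
    """Yield the values of all (ts, value) rows inside each trailing `window`."""
    rows = sorted(rows)
    start = 0
    for end in range(len(rows)):
        while rows[end][0] - rows[start][0] > window:
            start += 1
        yield [v for _, v in rows[start:end + 1]]


def detect_bulk_mailbox_access(events, window=timedelta(minutes=15), min_mailboxes=10):
    """Return {principal: most distinct mailboxes read in any `window`} for
    principals reaching `min_mailboxes`."""
    reads = defaultdict(list)
    for e in events:
        m = MAILBOX_RE.match(_path(e["uri"]))
        if m and e["status"] == 200:
            reads[e["principal"]].append((datetime.strptime(e["ts"], TS_FMT), m.group(1).lower()))
    hits = {}
    for principal, rows in reads.items():
        for mailboxes in _windowed(rows, window):
            distinct = len(set(mailboxes))
            if distinct >= min_mailboxes and distinct > hits.get(principal, 0):
                hits[principal] = distinct
    return hits


def detect_directory_enumeration(events, window=timedelta(minutes=10), min_collections=4):
    """Return {principal: [collections listed]} for principals that list at
    least `min_collections` distinct directory collections inside `window`."""
    listings = defaultdict(list)
    for e in events:
        path = _path(e["uri"])
        if path in RECON_COLLECTIONS and e["status"] == 200:
            listings[e["principal"]].append((datetime.strptime(e["ts"], TS_FMT), path))
    hits = {}
    for principal, rows in listings.items():
        for paths in _windowed(rows, window):
            seen = sorted(set(paths))
            if len(seen) >= min_collections and len(seen) > len(hits.get(principal, ())):
                hits[principal] = seen
    return hits


if __name__ == "__main__":
    print("bulk mailbox access:", detect_bulk_mailbox_access(SAMPLE_EVENTS))
    print("directory enumeration:", detect_directory_enumeration(SAMPLE_EVENTS))
```

Service accounts with Mail.Read application permission (backup, archiving, DLP) will trip the mailbox rule legitimately, so the practical version allowlists known app ids and alerts on the rest; a user account, as opposed to an app, reading dozens of other people's mailboxes is rarely benign. The enumeration rule is deliberately blind to the user agent, which the tool can set freely, and keys on what was requested instead.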
Defensive Measures
To counter Void Blizzard's operations, Microsoft recommends identity hardening along these lines:
– Deploy sign-in risk policies: use Conditional Access to block, or force re-authentication for, sign-ins that Entra ID Protection scores as risky (for example an anonymous IP, unfamiliar sign-in properties or a password-spray pattern).
– Require multifactor authentication (MFA), and make it phishing-resistant: FIDO2 security keys and passkeys are bound to the legitimate origin, so an Evilginx proxy on a lookalike domain cannot complete the exchange. SMS, voice, one-time codes and push approvals are all captured or relayed by AitM phishing and add little against this actor.
– Centralize identity management: consolidate identities onto a single platform so that sign-in and token telemetry land in one place and risk policies apply everywhere.
These controls raise the cost of Void Blizzard's password spraying and AitM phishing and limit what a stolen password is worth. None of them invalidates a session whose cookie has already been stolen, though: when token theft is suspected, revoke the user's refresh tokens and active sessions and reset the password, otherwise the replayed cookie stays valid until it expires.
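The first two recommendations are one Conditional Access policy, and the detail that matters is the grant control: a policy whose grant is the built-in "mfa" control is satisfied by SMS or voice, which AitM phishing defeats, whereas an authentication strength can demand a phishing-resistant credential. What follows is an added example, not Microsoft's code; it uses the request-body shape of the Microsoft Graph conditionalAccess/policies resource, the break-glass group id is a hypothetical placeholder, and the built-in authentication strength id should be confirmed in your own tenant with GET /v1.0/policies/authenticationStrengthPolicies before you rely on it.

```python
"""Conditional Access policy shape for the recommendations above, with a lint
that tells a weak policy from a hardened one.

Added example, not Microsoft's code. PHISHING_RESISTANT_MFA is the documented
built-in authentication strength id; confirm it against
GET /v1.0/policies/authenticationStrengthPolicies in your tenant.
"""
import json

PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"
GRAPH_CA_ENDPOINT = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def weak_policy():
    """A common first attempt: report-only, high risk only, plain 'mfa' grant."""
    return {
        "displayName": "Risky sign-in: require MFA",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "signInRiskLevels": ["high"],
        },
        # 'mfa' is satisfied by any registered method, SMS and voice included.
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def hardened_policy(break_glass_group_id):
    """Enforced for all users and apps at medium and high sign-in risk; only a
    phishing-resistant credential satisfies the grant. `break_glass_group_id`
    (hypothetical) excludes the emergency-access accounts so a misconfigured
    policy cannot lock the tenant's admins out."""
    return {
        "displayName": "Risky sign-in: require phishing-resistant MFA",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [break_glass_group_id]},
            "applications": {"includeApplications": ["All"]},
            "signInRiskLevels": ["medium", "high"],
        },
        "grantControls": {
            "operator": "AND",
            "authenticationStrength": {"id": PHISHING_RESISTANT_MFA},
        },
    }


def lint_policy(policy):
    """Return a list of weaknesses; an empty list means the policy follows the
    hardening guidance above."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append(f"not enforced: state={policy.get('state')!r}")
    cond = policy.get("conditions", {})
    if cond.get("users", {}).get("includeUsers") != ["All"]:
        findings.append("does not apply to all users")
    if cond.get("applications", {}).get("includeApplications") != ["All"]:
        findings.append("does not apply to all applications")
    if not {"medium", "high"} <= set(cond.get("signInRiskLevels", [])):
        findings.append("medium-risk sign-ins are not covered")
    grant = policy.get("grantControls", {})
    strength = grant.get("authenticationStrength", {}).get("id")
    if strength is None:
        findings.append("grant uses builtInControls only; any MFA method, including SMS/voice, satisfies it")
    elif strength != PHISHING_RESISTANT_MFA:
        findings.append("authentication strength is not the phishing-resistant built-in")
    return findings


def request_body(policy):
    """JSON body for POST GRAPH_CA_ENDPOINT; the caller's token needs the
    Policy.ReadWrite.ConditionalAccess permission."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print("weak:", lint_policy(weak_policy()))
    print("hardened:", lint_policy(hardened_policy("11111111-2222-3333-4444-555555555555")))
    print(request_body(hardened_policy("11111111-2222-3333-4444-555555555555")))
```

Roll the hardened policy out in report-only state first and review the sign-in log for what it would have blocked; the lint flags report-only on purpose so that a policy left in that state does not pass as enforced.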