Friday, June 13, 2025

Microsoft Warns of Void Blizzard Cyberattacks on Telecom and IT Sectors

by Charline

Microsoft Threat Intelligence has identified a Russian-linked cyberespionage group named Void Blizzard, also known as LAUNDRY BEAR. The group has been targeting telecommunications and IT organizations since April 2024.

The hackers have compromised critical infrastructure across NATO countries and Ukraine. Their targets include government agencies, defense contractors, healthcare systems, and media organizations in Europe and North America.


Focused Attacks on Strategic Targets

Microsoft believes with high confidence that Void Blizzard operates in support of Russia’s strategic interests. The group has shown particular interest in organizations aiding Ukraine, especially those involved in military or humanitarian efforts.

In one incident, Void Blizzard breached Ukrainian aviation firms that were previously targeted by the GRU-linked Seashell Blizzard in 2022.

Notable Cyber Incidents

In September 2024, the group gained access to a Dutch police employee’s account using a pass-the-cookie attack. They stole the Global Address List (GAL), which included internal police contact details.

The Netherlands’ intelligence agencies, AIVD and MIVD, reported that the stolen credentials likely came from criminal marketplaces and infostealer malware.

Advanced Techniques and Tools

Void Blizzard uses a combination of credential theft and spear-phishing tactics. Their initial access methods include password spraying and using stolen authentication tokens.

Microsoft’s analysis identified these techniques using the MITRE ATT&CK framework:

  • T1078 (Valid Accounts)
  • T1110.003 (Password Spraying)
  • T1539 (Steal Web Session Cookie)
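The two identity-focused techniques above leave patterns in sign-in telemetry that a defender can look for: a spray shows up as one source touching many accounts with only a guess or two each, and a stolen session cookie shows up as an existing session id suddenly reporting a new client. The script below is an added example for this article, not Microsoft's detection logic or any Void Blizzard tooling; the record layout, the sample records, the session field name and the thresholds are all constructed assumptions.

```python
"""Triage of simplified Entra ID-style sign-in records for two techniques
the article attributes to Void Blizzard: T1110.003 password spraying and
T1539 session-cookie theft (pass-the-cookie). Added example, not Microsoft's
detection logic; record layout, sample data and thresholds are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

UA_BROWSER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/125.0"
UA_SCRIPT = "python-requests/2.31.0"
UA_LINUX = "Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0"

# Constructed sample sign-in records (not real telemetry). "session" stands in
# for the session/cookie identifier a real sign-in log would carry.
SIGNINS = [
    # One source IP tries six different accounts once each, all fail: a spray.
    {"ts": "2025-06-13T08:00:01", "user": "alice@example.test", "ip": "203.0.113.10", "ua": UA_SCRIPT, "status": "failure", "session": None},
    {"ts": "2025-06-13T08:00:02", "user": "bob@example.test", "ip": "203.0.113.10", "ua": UA_SCRIPT, "status": "failure", "session": None},
    {"ts": "2025-06-13T08:00:03", "user": "carol@example.test", "ip": "203.0.113.10", "ua": UA_SCRIPT, "status": "failure", "session": None},
    {"ts": "2025-06-13T08:00:04", "user": "dave@example.test", "ip": "203.0.113.10", "ua": UA_SCRIPT, "status": "failure", "session": None},
    {"ts": "2025-06-13T08:00:05", "user": "erin@example.test", "ip": "203.0.113.10", "ua": UA_SCRIPT, "status": "failure", "session": None},
    {"ts": "2025-06-13T08:00:06", "user": "frank@example.test", "ip": "203.0.113.10", "ua": UA_SCRIPT, "status": "failure", "session": None},
    # One user fails three times from her usual IP: a forgotten password, not a spray.
    {"ts": "2025-06-13T08:05:00", "user": "grace@example.test", "ip": "192.0.2.20", "ua": UA_BROWSER, "status": "failure", "session": None},
    {"ts": "2025-06-13T08:05:20", "user": "grace@example.test", "ip": "192.0.2.20", "ua": UA_BROWSER, "status": "failure", "session": None},
    {"ts": "2025-06-13T08:05:45", "user": "grace@example.test", "ip": "192.0.2.20", "ua": UA_BROWSER, "status": "failure", "session": None},
    {"ts": "2025-06-13T08:06:10", "user": "grace@example.test", "ip": "192.0.2.20", "ua": UA_BROWSER, "status": "success", "session": "sess-11aa"},
    # Bob signs in normally; later the same session id appears from a new IP and UA.
    {"ts": "2025-06-13T09:00:00", "user": "bob@example.test", "ip": "192.0.2.31", "ua": UA_BROWSER, "status": "success", "session": "sess-7f3a"},
    {"ts": "2025-06-13T09:42:10", "user": "bob@example.test", "ip": "203.0.113.77", "ua": UA_LINUX, "status": "success", "session": "sess-7f3a"},
]


def _ts(record):
    return datetime.fromisoformat(record["ts"])


def detect_password_spray(records, min_users=5, max_per_user=2, window=timedelta(minutes=15)):
    """Map source IP -> sorted users for IPs whose failures inside one time
    window touch at least min_users distinct accounts with at most
    max_per_user attempts each (many accounts, few guesses: T1110.003)."""
    failures = defaultdict(list)
    for r in records:
        if r["status"] == "failure":
            failures[r["ip"]].append((_ts(r), r["user"]))
    hits = {}
    for ip, events in failures.items():
        events.sort()
        best, start = None, 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            per_user = Counter(user for _, user in events[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > len(best):
                    best = per_user
        if best:
            hits[ip] = sorted(best)
    return hits


def detect_session_reuse(records):
    """Map session id -> details for sessions whose successful sign-ins come
    from more than one source IP. A replayed cookie rides an existing session,
    so it surfaces as one session id reporting a new client (T1539)."""
    clients = defaultdict(set)
    owner = {}
    for r in records:
        if r["status"] == "success" and r["session"]:
            clients[r["session"]].add((r["ip"], r["ua"]))
            owner[r["session"]] = r["user"]
    flagged = {}
    for sid, pairs in clients.items():
        ips = sorted({ip for ip, _ in pairs})
        if len(ips) > 1:
            flagged[sid] = {
                "user": owner[sid],
                "ips": ips,
                "user_agents": sorted({ua for _, ua in pairs}),
            }
    return flagged


if __name__ == "__main__":
    for ip, users in detect_password_spray(SIGNINS).items():
        print(f"possible spray from {ip}: {len(users)} accounts -> {users}")
    for sid, info in detect_session_reuse(SIGNINS).items():
        print(f"session {sid} for {info['user']} seen from {info['ips']} with {info['user_agents']}")
```

Thresholds are the tuning knob: a spray from a rotating proxy pool spreads across many IPs and needs aggregation per ASN or per user-agent instead of per IP, and legitimate users do change IP (mobile to office), so the session-reuse hit is a lead for a risk-based Conditional Access policy or an analyst, not an automatic block.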

In April 2025, researchers discovered that Void Blizzard targeted over 20 NGOs in Europe and the U.S. through adversary-in-the-middle (AitM) phishing attacks. They used fake domains like “micsrosoftonline[.]com” to mimic Microsoft login pages and harvest credentials using the open-source Evilginx tool.

The phishing emails included PDFs with QR codes, which redirected users to malicious websites for credential capture.

Post-Compromise Activities

After breaching systems, Void Blizzard exfiltrates data using legitimate cloud APIs like Exchange Online and Microsoft Graph. They collect large volumes of emails and files and even access Microsoft Teams chats.

The group also uses the AzureHound tool for reconnaissance of Microsoft Entra ID settings. They rely on techniques such as T1087 (Account Discovery) and T1114.002 (Remote Email Collection).

Microsoft’s Recommended Defenses

To defend against Void Blizzard, Microsoft urges organizations to improve identity security. Key measures include:

  • Enabling Conditional Access with sign-in risk policies
  • Requiring phishing-resistant multifactor authentication, such as FIDO tokens
  • Centralizing identity management systems

Security teams should monitor Microsoft Defender XDR for alerts related to “Void Blizzard activity,” “Information stealing malware activity,” and “Password spraying.”

Threat hunters should also scan for traffic to suspicious domains like “micsrosoftonline[.]com” and “ebsumrnit[.]eu.”
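Matching the two named domains is a one-line lookup, but the same hunt generalises to any near-miss spelling of the login domains an organisation depends on. The script below is an added example written for this article, not a Microsoft tool; the two indicators come from the article, while the proxy log format, the sample lines and the list of protected brand domains are constructed assumptions.

```python
"""Hunt web-proxy log lines for the lookalike domains the article names and
for other near-miss spellings of protected Microsoft login domains. Added
example, not part of the article or a Microsoft tool; the log format, sample
lines and brand list are constructed assumptions, the two indicators come
from the article.
"""
from urllib.parse import urlsplit

# Indicators named in the article (written defanged there).
KNOWN_BAD = {"micsrosoftonline.com", "ebsumrnit.eu"}
# Assumption: registrable domains whose near-misses should raise a hunt lead.
PROTECTED = {"microsoftonline.com", "microsoft.com", "office.com"}

# Constructed proxy log lines: "<timestamp> <client_ip> <url>" (not a real format).
LOG_LINES = [
    "2025-06-13T09:12:03Z 10.0.0.5 https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    "2025-06-13T09:12:07Z 10.0.0.5 https://login.micsrosoftonline.com/common/oauth2/v2.0/authorize",
    "2025-06-13T09:13:40Z 10.0.0.9 https://ebsumrnit.eu/meeting/invite.pdf",
    "2025-06-13T09:14:02Z 10.0.0.12 https://www.example.org/index.html",
    "2025-06-13T09:15:55Z 10.0.0.12 https://rnicrosoft.com/signin",
]


def levenshtein(a, b):
    """Edit distance with insert/delete/substitute, O(len(a)*len(b)) time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Last two labels of the host. Assumption: no public-suffix handling,
    so hosts under 'co.uk'-style suffixes are not reduced correctly here."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_host(host, max_distance=2):
    """Return a reason string if the host deserves analyst attention, else None."""
    domain = registrable_domain(host)
    if domain in KNOWN_BAD:
        return "known indicator"
    if domain in PROTECTED:
        return None  # the genuine brand domain, never a lookalike of itself
    for brand in sorted(PROTECTED):
        distance = levenshtein(domain, brand)
        if 0 < distance <= max_distance:
            return f"lookalike of {brand} (edit distance {distance})"
    return None


def hunt(lines):
    """Parse each log line, extract the host and return the lines worth a look."""
    hits = []
    for line in lines:
        ts, client, url = line.split(maxsplit=2)
        host = urlsplit(url).hostname
        if not host:
            continue
        reason = classify_host(host)
        if reason:
            hits.append({"ts": ts, "client": client, "host": host, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in hunt(LOG_LINES):
        print(f"{hit['ts']} {hit['client']} -> {hit['host']}: {hit['reason']}")
```

An edit distance of 2 catches a dropped, doubled or swapped character and the classic “rn” for “m” substitution, but it also catches some unrelated short domains, so the lookalike branch is a hunt lead to enrich with registration date and certificate data, while the known-indicator branch can feed a blocklist directly.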

Global Cooperation Ongoing

Microsoft is working with Dutch intelligence and the FBI to investigate and disrupt Void Blizzard’s operations. This collaboration highlights the global nature of the threat and the urgent need to protect critical infrastructure from state-sponsored cyberattacks.

