Void Blizzard hackers' infrastructure

Microsoft Threat Intelligence has unveiled a sophisticated Russian-affiliated cyberespionage group dubbed “Void Blizzard” (also known as LAUNDRY BEAR) that has been conducting widespread attacks against telecommunications and IT organizations since April 2024. 

The threat actor has successfully compromised critical infrastructure across NATO member states and Ukraine, with operations spanning government agencies, defense contractors, healthcare systems, and media organizations primarily in Europe and North America.

Void Blizzard Hackers Target Critical Infrastructure

Void Blizzard represents a significant escalation in Russian cyber operations, with Microsoft assessing “with high confidence” that the group operates in alignment with Russian strategic objectives. 

The threat actor has demonstrated particular focus on organizations providing military or humanitarian support to Ukraine, including successful compromises of Ukrainian aviation entities that were previously targeted by GRU-linked Seashell Blizzard in 2022.

The group’s targeting methodology reveals sophisticated intelligence collection priorities. 

In September 2024, Void Blizzard compromised a Dutch police employee’s account through a pass-the-cookie attack, successfully exfiltrating the Global Address List (GAL) containing work-related contact information of police personnel. 

Dutch intelligence services AIVD and MIVD confirmed that the stolen credentials were likely procured through commodity infostealer ecosystems and criminal marketplaces.

Advanced Attack Techniques and Tooling

Void Blizzard employs a multi-vector approach combining traditional credential theft with evolving spear-phishing campaigns. 

The group’s initial access techniques include password spraying attacks using compromised credentials and exploiting stolen authentication tokens procured from criminal ecosystems. 

Microsoft identified technique IDs including T1078 (Valid Accounts), T1110.003 (Password Spraying), and T1539 (Steal Web Session Cookie) in their MITRE ATT&CK framework analysis.

In April 2025, security researchers observed Void Blizzard running adversary-in-the-middle (AitM) phishing campaigns targeting more than 20 non-governmental organizations (NGOs) across Europe and the United States. 

The operation utilized typosquatted domains such as “micsrosoftonline[.]com” to spoof Microsoft Entra authentication portals, leveraging the open-source Evilginx framework for credential harvesting. 

The attack vector included malicious PDF attachments containing QR codes that redirected victims to credential-phishing infrastructure.

PDF attachment with a malicious QR code

Post-compromise activities demonstrate sophisticated data exfiltration capabilities. Void Blizzard abuses legitimate cloud APIs, including Exchange Online and Microsoft Graph, to enumerate mailboxes and automate bulk collection of emails and files. 

Credential Phishing Page

The group has been observed accessing Microsoft Teams conversations through web clients and utilizing the publicly available AzureHound tool for Microsoft Entra ID configuration reconnaissance, employing technique T1087 (Account Discovery) and T1114.002 (Remote Email Collection).

Defensive Measures 

Microsoft recommends implementing comprehensive identity hardening measures to counter Void Blizzard operations. 

Critical defenses include deploying sign-in risk policies with Conditional Access evaluation, requiring multifactor authentication with phishing-resistant methods such as FIDO tokens, and centralizing identity management platforms.

Organizations should monitor for specific Microsoft Defender XDR detection alerts, including “Void Blizzard activity,” “Information stealing malware activity,” and “Password spraying” indicators. 

Threat hunting queries targeting communication with domains like “micsrosoftonline.com” and “ebsumrnit.eu” can help identify potential compromise.
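As an added illustration (not a Microsoft or Defender XDR query), the following Python hunts a constructed, space-separated proxy log (`<timestamp> <user> <url-or-host>`) for contact with the two typosquat domains named above. The indicator list is written in defanged form and refanged before matching, and hostnames are compared label by label so the legitimate login.microsoftonline.com does not trigger a false positive; the log format and sample lines are assumptions for the example.

```python
from urllib.parse import urlparse

# Defanged indicator list (the domains named in the article).
DEFANGED_IOCS = ["micsrosoftonline[.]com", "ebsumrnit[.]eu"]

def refang(domain: str) -> str:
    """Turn defanged 'example[.]com' notation back into a hostname."""
    return domain.replace("[.]", ".").lower().strip(".")

IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}

def host_matches(host: str) -> bool:
    """True if host equals an IoC domain or is a subdomain of one.
    Label-wise comparison (exact or '.ioc' suffix) avoids substring hits
    on look-alike legitimate names such as login.microsoftonline.com."""
    host = host.lower().rstrip(".")
    return any(host == ioc or host.endswith("." + ioc) for ioc in IOC_DOMAINS)

def extract_host(field: str) -> str:
    """Accept either a bare hostname or a full URL from the log field."""
    if "://" in field:
        return urlparse(field).hostname or ""
    return field.split("/", 1)[0].split(":", 1)[0]

def hunt(log_lines):
    """Return (timestamp, user, host) for every line contacting an IoC domain.
    Assumes the constructed format: <timestamp> <user> <url-or-host>."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line, skip rather than crash the hunt
        ts, user, target = parts[0], parts[1], parts[2]
        host = extract_host(target)
        if host_matches(host):
            hits.append((ts, user, host))
    return hits

# Constructed sample proxy log lines (not real telemetry).
SAMPLE_LOG = [
    "2025-04-02T09:12:03Z alice https://login.microsoftonline.com/common/oauth2/authorize",
    "2025-04-02T09:14:51Z bob https://login.micsrosoftonline.com/common/oauth2/authorize",
    "2025-04-02T09:15:20Z carol ebsumrnit.eu",
    "2025-04-02T09:16:07Z dave https://www.example.org/ebsumrnit.eu",  # IoC only in path
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print("possible Void Blizzard AitM contact:", hit)
```

Only bob's and carol's lines are reported; alice's legitimate Entra sign-in and dave's request, where the indicator appears only in the URL path, are not.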

The collaboration between Microsoft, Dutch intelligence services, and the FBI underscores the international scope of this threat, with ongoing efforts to disrupt Void Blizzard’s operations and protect critical infrastructure from Russian state-sponsored cyberespionage activities.
