June 3, 2025
New research from Microsoft identifies Void Blizzard, also tracked as LAUNDRY BEAR, as a Russia-affiliated threat actor engaged in cyberespionage campaigns that support Russian strategic interests. Active since at least last April, the hacker group has been observed targeting critical sectors including government, defense, transportation, media, NGOs, and healthcare, with a primary focus on organizations in Europe, North America, NATO member states, and Ukraine.
Void Blizzard frequently gains access by using stolen credentials, likely purchased from online marketplaces. Once inside, they siphon off large volumes of emails and sensitive files. Microsoft has also uncovered a global pattern of cloud service abuse linked to the group, further underscoring its operational reach.
Although Void Blizzard’s tactics are not especially sophisticated, the scale and persistence of their activity, especially against NATO and Ukrainian-aligned targets, highlight the ongoing risk posed by determined adversaries using well-worn techniques to gather valuable intelligence.
Last month, the researchers observed Void Blizzard evolving its initial access techniques to include targeted spear phishing aimed at credential theft, marking a shift toward more direct methods of compromising victims, such as deceptive emails crafted to trick individuals into revealing their login details. While Void Blizzard’s tactics are not unusual among advanced persistent threat groups, including those backed by the Russian state, the effectiveness of their campaigns highlights a critical reality. Even relatively basic techniques can pose a serious threat when executed persistently by motivated actors intent on stealing sensitive information.
“Void Blizzard primarily targets NATO member states and Ukraine. Many of the compromised organizations overlap with past—or, in some cases, concurrent—targeting by other well-known Russian state actors, including Forest Blizzard, Midnight Blizzard, and Secret Blizzard,” the Microsoft Threat Intelligence team wrote in a Tuesday blog post. “This intersection suggests shared espionage and intelligence collection interests assigned to the parent organizations of these threat actors.”
Since mid-2024, Microsoft Threat Intelligence has observed that government institutions and law enforcement agencies remain frequent targets, particularly those in NATO countries providing military or humanitarian aid to Ukraine. Within Ukraine itself, Void Blizzard has breached organizations across several sectors, including defense, education, and transportation.
“In October 2024, Void Blizzard compromised several user accounts at a Ukrainian aviation organization that had been previously targeted by Russian General Staff Main Intelligence Directorate (GRU) actor Seashell Blizzard in 2022,” the post mentioned. “This targeting overlap reflects Russia’s long-standing interest in this organization and, more broadly, in aviation-related organizations since Russia’s invasion of Ukraine in 2022. In 2023, another GRU actor, Forest Blizzard, targeted a prominent aviation organization in Ukraine, and since at least August 2024, it has conducted increasing password spray attacks against several NATO member states’ air traffic control providers.”
In April, Microsoft identified a Void Blizzard adversary-in-the-middle (AitM) spear phishing campaign that targeted over 20 NGO sector organizations in Europe and the United States. “The threat actor used a typosquatted domain to spoof the Microsoft Entra authentication portal. Use of a typosquatted domain to spoof Microsoft Entra authentication was a newly observed initial access tactic for this threat actor. This new tactic suggests that Void Blizzard is augmenting their opportunistic but focused access operations with a more targeted approach, increasing the risk for organizations in critical sectors.”
The researchers noted that in the campaign, the Void Blizzard hackers impersonated an organizer from the European Defense and Security Summit, sending emails with a PDF attachment that enticed recipients with a fraudulent invitation to the Summit.
“The attachment contained a malicious QR code that redirected to Void Blizzard infrastructure micsrosoftonline[dot]com, which hosts a credential phishing page spoofing the Microsoft Entra authentication page,” they added. “We assess that Void Blizzard is using the open-source attack framework Evilginx to conduct the AitM phishing campaign and steal authentication data, including the input username and password and any cookies generated by the server. Evilginx, publicly released in 2017, was the first widely available phishing kit with AitM capabilities.”
Despite the lack of sophistication in their initial access methods, Void Blizzard has been effective in gaining access to and collecting information from compromised organizations in critical sectors.
“After gaining initial access, Void Blizzard abuses legitimate cloud APIs, such as Exchange Online and Microsoft Graph, to enumerate users’ mailboxes, including any shared mailboxes, and cloud-hosted files,” the post added. “Once accounts are successfully compromised, the actor likely automates the bulk collection of cloud-hosted data (primarily email and files) and any mailboxes or file shares that the compromised user can access, which can include mailboxes and folders belonging to other users who have granted other users read permissions.”
The researchers also highlighted that in a small number of Void Blizzard compromises, Microsoft Threat Intelligence has observed the threat actor accessing Microsoft Teams conversations and messages via the Microsoft Teams web client application. In some cases, the group has also enumerated the compromised organization’s Microsoft Entra ID configuration using the publicly available AzureHound tool to gather information about the users, roles, groups, applications, and devices belonging to that tenant.
Microsoft Threat Intelligence called upon high-risk organizations, especially in government and defense, to enhance identity and authentication by implementing sign-in risk policies to assess unauthorized access attempts. These policies can trigger automatic responses, such as blocking access or requiring multi-factor authentication, based on the assessed risk level. High-risk users should have their access revoked and be required to re-authenticate. Regular monitoring through Risky Sign-In reports can help detect suspicious access patterns.
Multi-factor authentication should be mandatory. Although some attackers attempt to bypass MFA, it remains one of the most effective defenses. Organizations are also advised to adopt phishing-resistant authentication methods and avoid telephony-based MFA, which is vulnerable to SIM-jacking. Centralizing identity management into a single platform improves oversight and security. Hybrid organizations should integrate on-premises directories with cloud environments.
The Microsoft post on the Void Blizzard hackers also urged organizations to secure their email systems by enabling mailbox auditing, which logs actions taken by users, delegates, and administrators. To guard against post-compromise activity, organizations must act quickly if malware or infostealers are detected. This includes rotating credentials for any potentially affected accounts and removing the malware itself. Given the prevalence of infostealers, immediate response is critical.
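Mailbox auditing only helps if someone reads the records it produces. As an added illustration (not code from the Microsoft post or this article), the following Python pass runs over constructed MailItemsAccessed-shaped audit records and flags the two signals the bulk-collection behaviour described above would leave: throttled access to a single mailbox, and one account syncing several delegated or shared mailboxes. Field names follow the Exchange Online mailbox-auditing schema as the author understands it; the sample accounts, domains and the thresholds are assumptions.

```python
from collections import defaultdict

def _record(user, owner, logon_type, access_type, throttled):
    """Build one MailItemsAccessed-shaped record (constructed test data, not real log output)."""
    return {"Operation": "MailItemsAccessed", "UserId": user, "MailboxOwnerUPN": owner,
            "LogonType": logon_type,  # 0 = owner, 1 = admin, 2 = delegate
            "OperationProperties": [
                {"Name": "MailAccessType", "Value": access_type},  # "Bind" or "Sync"
                {"Name": "IsThrottled", "Value": "True" if throttled else "False"}]}

# Constructed sample: alice reads her own mail; bob syncs his own mailbox until
# throttled and then syncs two mailboxes he only has delegate rights to; dave
# opens one shared mailbox once.
SAMPLE_RECORDS = [
    _record("alice@example.org", "alice@example.org", 0, "Bind", False),
    _record("bob@example.org", "bob@example.org", 0, "Sync", True),
    _record("bob@example.org", "finance@example.org", 2, "Sync", False),
    _record("bob@example.org", "carol@example.org", 2, "Sync", False),
    _record("dave@example.org", "shared@example.org", 2, "Bind", False),
]

def _prop(record, name):
    """Return the named OperationProperties value, or None if absent."""
    for p in record.get("OperationProperties", []):
        if p.get("Name") == name:
            return p.get("Value")
    return None

def summarize_mail_access(records):
    """Per account: distinct non-owner mailboxes touched, Sync operations, throttling seen."""
    stats = defaultdict(lambda: {"other_mailboxes": set(), "sync_ops": 0, "throttled": False})
    for r in records:
        if r.get("Operation") != "MailItemsAccessed":
            continue
        s = stats[r["UserId"]]
        if r.get("LogonType", 0) != 0 and r["MailboxOwnerUPN"] != r["UserId"]:
            s["other_mailboxes"].add(r["MailboxOwnerUPN"])
        if _prop(r, "MailAccessType") == "Sync":
            s["sync_ops"] += 1
        if _prop(r, "IsThrottled") == "True":
            s["throttled"] = True
    return stats

def flag_bulk_collection(records, max_other_mailboxes=1):
    """Accounts whose pattern looks like automated collection. The threshold is a tuning
    assumption; IsThrottled is set by the service when one mailbox is read heavily in a day."""
    flagged = {}
    for user, s in summarize_mail_access(records).items():
        reasons = []
        if s["throttled"]:
            reasons.append("throttled MailItemsAccessed")
        if s["sync_ops"] and len(s["other_mailboxes"]) > max_other_mailboxes:
            reasons.append(f"sync of {len(s['other_mailboxes'])} delegated mailboxes")
        if reasons:
            flagged[user] = reasons
    return flagged
```

Run against real exported audit records, the same function also surfaces the delegate-read path the post describes, where the compromised user pulls other users' mailboxes that granted them read permissions.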
Last week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the National Security Agency (NSA), Federal Bureau of Investigation (FBI), and international partners, released a joint cybersecurity advisory exposing a Russian state-sponsored cyber espionage campaign. The operation, attributed to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center military Unit 26165, has been targeting technology and logistics companies, including those supporting the transport and delivery of foreign aid to Ukraine, for more than two years.