Microsoft has shed light on a previously undocumented cluster of malicious activity originating from a Russia-affiliated threat actor dubbed Void Blizzard (aka Laundry Bear) that it said is attributed to “worldwide cloud abuse.”
Active since at least April 2024, the hacking group is linked to espionage operations mainly targeting organizations that are important to Russian government objectives, including those in government, defense, transportation, media, non-governmental organizations (NGOs), and healthcare sectors in Europe and North America.
“They often use stolen sign-in details that they likely buy from online marketplaces to gain access to organizations,” the Microsoft Threat Intelligence team said in a report published today. “Once inside, they steal large amounts of emails and files.”
Attacks mounted by Void Blizzard have been found to disproportionately single out NATO member states and Ukraine, suggesting that the adversary is looking to collect intelligence to further Russian strategic objectives.
Specifically, the threat actor is known to target government organizations and law enforcement agencies in NATO member states and countries that provide direct military or humanitarian support to Ukraine. It’s also said to have staged successful attacks aimed at education, transportation, and defense verticals in Ukraine.
This includes the October 2024 compromise of several user accounts belonging to a Ukrainian aviation organization that had been previously targeted by Seashell Blizzard, a threat actor tied to the Russian General Staff Main Intelligence Directorate (GRU), in 2022.
The attacks are characterized as opportunistic and targeted high-volume efforts that are engineered to breach targets deemed of value to the Russian government. Initial access methods comprise unsophisticated techniques like password spraying and stolen authentication credentials.
In some of the campaigns, the threat actor has utilized stolen credentials likely sourced from commodity information stealer logs available on the cybercrime underground to access Exchange and SharePoint Online and harvest email and files from compromised organizations.
“The threat actor has also in some cases enumerated the compromised organization’s Microsoft Entra ID configuration using the publicly available AzureHound tool to gain information about the users, roles, groups, applications, and devices belonging to that tenant,” Microsoft said.
As recently as last month, the Windows maker said it observed the hacking crew shifting to “more direct methods” to steal passwords, such as sending spear-phishing emails that are engineered to trick victims into parting with their login information by means of an adversary-in-the-middle (AitM) landing pages.
The activity entails the use of a typosquatted domain to impersonate the Microsoft Entra authentication portal to target over 20 NGOs in Europe and the United States. The email messages claimed to be from an organizer from the European Defense and Security Summit and contained a PDF attachment with fake invitations to the summit.
Present wishing the PDF document is a malicious QR code that redirects to an attacker-controlled domain (“micsrosoftonline[.]com”) that hosts a credential phishing page. It’s believed that the phishing page is based on the open-source Evilginx phishing kit.
Post-compromise actions after gaining initial access encompass the abuse of Exchange Online and Microsoft Graph to enumerate users’ mailboxes and cloud-hosted files, and then make use of automation to facilitate bulk data collection. In select instances, the threat actors are also said to have accessed Microsoft Teams conversations and messages via the web client application.
“Many of the compromised organizations overlap with past – or, in some cases, concurrent – targeting by other well-known Russian state actors, including Forest Blizzard, Midnight Blizzard, and Secret Blizzard,” Microsoft said. “This intersection suggests shared espionage and intelligence collection interests assigned to the parent organizations of these threat actors.”
Void Blizzard Linked to September Breach of Dutch Police Agency
In a separate advisory, the Netherlands Defence Intelligence and Security Service (MIVD) attributed Void Blizzard to a September 23, 2024, breach of a Dutch police employee account via a pass-the-cookie attack, stating work-related contact information of police employees was obtained by the threat actor.
Pass-the-cookie attack refers to a scenario where an attacker uses stolen cookies obtained via information stealer malware to sign in to accounts without having to enter a username and password. It’s currently not known what other information was stolen, although it’s highly likely that other Dutch organisations were also targeted.
“Laundry Bear is looking for information about the purchase and production of military equipment by Western governments and Western supplies of weapons to Ukraine,” said MIVD director, Vice Admiral Peter Reesink, in a statement.
