Microsoft and the Dutch government expose a new Russian hacking organization
A newly identified Russian state-affiliated threat actor, tracked by Microsoft as Void Blizzard and by the Dutch intelligence services (AIVD and MIVD) as Laundry Bear, has been active since at least April 2024. The group has drawn attention because it conducts espionage on an industrial scale, collecting data in volumes reminiscent of Cold War-era intelligence gathering.
Void Blizzard concentrates on critical-infrastructure organizations in NATO member states and Ukraine, spanning government, telecommunications, media, finance and transportation. Despite the scale of its collection, its initial-access tradecraft is unsophisticated: according to Microsoft, the group relies mainly on stolen credentials, frequently bought from criminal marketplaces that trade infostealer logs, and on password spraying against exposed sign-in portals, rather than on zero-day exploitation.
Once it holds a valid account, Void Blizzard has little need for custom malware or persistence implants. It signs in as the compromised user and collects data through the tenant's own services, routing its activity through commercially available infrastructure: commercial VPN services, Tor exit nodes and rented virtual private servers (VPS). The tooling is commodity; the operational tempo and breadth of targeting are what set the group apart.
The group's activity has raised alarm because it appears to collect intelligence for Moscow, concentrating on NATO member states and Ukraine. The exact objectives of individual intrusions are not known, but the operators are believed to be interested in organizations that produce technologies now off-limits to Russia under international sanctions.
Microsoft's recommended defenses against actors like Laundry Bear are identity-centric, because the group's access depends on valid credentials: enforce multifactor authentication on every account, apply risk-based sign-in policies through Conditional Access, consolidate identity management so there is a single place to enforce policy and revoke sessions, grant accounts only the least privilege they need, and keep mailbox auditing enabled and reviewed so that bulk mail access by a single account stands out.
In October 2024 the group compromised user accounts at a Ukrainian aviation organization, and Dutch authorities have attributed to it a September 2024 breach of Dutch government organizations, including the national police force, in which work-related contact details of employees were stolen. In April 2025 Laundry Bear added spear phishing to its repertoire, sending tailored messages that lead to adversary-in-the-middle pages imitating the Microsoft Entra sign-in portal to capture passwords and session tokens.
The group stays under the radar because it uses simple methods and legitimate functionality rather than bespoke malware. After signing in with a stolen or phished credential, operators abuse legitimate cloud APIs such as Exchange Online and Microsoft Graph to enumerate and bulk-download the contents of the compromised user's mailbox, and often of any shared or delegated mailboxes that user has been granted read access to. Because every request is an authorized API call by a valid account, the activity blends into normal tenant traffic unless mailbox access is audited and baselined per user.
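To make that collection pattern concrete, here is an added example detector, not code from Microsoft or from the original article, run over a handful of constructed audit records shaped loosely like Exchange Online `MailItemsAccessed` events. The field set, the `ItemCount` field and every sample value are assumptions made for the illustration. The detector flags any account that, within a 30-minute window, reads three or more mailboxes it does not own, which is the fan-out a single stolen credential with delegated read rights produces.

```python
"""Detect mass delegated-mailbox reads by a single account.

Added illustration, not code from Microsoft or the original article. The
records loosely imitate Exchange Online unified audit log 'MailItemsAccessed'
events (UserId, MailboxOwnerUPN, LogonType, ClientIPAddress, CreationTime);
the exact field set is a simplified assumption, 'ItemCount' is invented for
brevity, and all sample data below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: alice reads her own mail (normal), bob reads one
# shared mailbox once (normal delegate use), carol read dave's mailbox once
# three days earlier and then, within ten minutes, pulls four colleagues'
# mailboxes she has read rights to (the Void Blizzard collection pattern).
SAMPLE_RECORDS = [
    {"CreationTime": "2025-04-02T09:00:12", "Operation": "MailItemsAccessed",
     "UserId": "alice@example.org", "MailboxOwnerUPN": "alice@example.org",
     "LogonType": 0, "ClientIPAddress": "203.0.113.10", "ItemCount": 12},
    {"CreationTime": "2025-04-02T09:01:40", "Operation": "MailItemsAccessed",
     "UserId": "bob@example.org", "MailboxOwnerUPN": "helpdesk@example.org",
     "LogonType": 2, "ClientIPAddress": "203.0.113.11", "ItemCount": 8},
    {"CreationTime": "2025-03-30T10:00:00", "Operation": "MailItemsAccessed",
     "UserId": "carol@example.org", "MailboxOwnerUPN": "dave@example.org",
     "LogonType": 2, "ClientIPAddress": "203.0.113.12", "ItemCount": 20},
    {"CreationTime": "2025-04-02T09:05:00", "Operation": "MailItemsAccessed",
     "UserId": "carol@example.org", "MailboxOwnerUPN": "dave@example.org",
     "LogonType": 2, "ClientIPAddress": "198.51.100.7", "ItemCount": 240},
    {"CreationTime": "2025-04-02T09:07:30", "Operation": "MailItemsAccessed",
     "UserId": "carol@example.org", "MailboxOwnerUPN": "erin@example.org",
     "LogonType": 2, "ClientIPAddress": "198.51.100.7", "ItemCount": 180},
    {"CreationTime": "2025-04-02T09:09:05", "Operation": "MailItemsAccessed",
     "UserId": "carol@example.org", "MailboxOwnerUPN": "frank@example.org",
     "LogonType": 2, "ClientIPAddress": "198.51.100.7", "ItemCount": 95},
    {"CreationTime": "2025-04-02T09:12:45", "Operation": "MailItemsAccessed",
     "UserId": "carol@example.org", "MailboxOwnerUPN": "grace@example.org",
     "LogonType": 2, "ClientIPAddress": "198.51.100.7", "ItemCount": 310},
    {"CreationTime": "2025-04-02T09:14:00", "Operation": "UserLoggedIn",
     "UserId": "carol@example.org", "MailboxOwnerUPN": "",
     "LogonType": 0, "ClientIPAddress": "198.51.100.7", "ItemCount": 0},
]

WINDOW = timedelta(minutes=30)      # sliding window for correlating reads
DISTINCT_MAILBOX_THRESHOLD = 3      # tune to the tenant's normal delegate usage


def _ts(record):
    return datetime.fromisoformat(record["CreationTime"])


def find_mass_delegate_access(records, window=WINDOW,
                              threshold=DISTINCT_MAILBOX_THRESHOLD):
    """Return one alert per account that, within any `window`, read at
    least `threshold` distinct mailboxes it does not own.

    Owner reads (UserId == MailboxOwnerUPN) are normal and ignored; the
    signal is one identity fanning out across other people's mailboxes,
    which is how a single stolen credential yields many users' mail.
    """
    by_user = defaultdict(list)
    for r in records:
        if r.get("Operation") != "MailItemsAccessed":
            continue
        user = r["UserId"].lower()
        if r["MailboxOwnerUPN"].lower() == user:
            continue
        by_user[user].append(r)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=_ts)
        best = None
        start = 0
        for end in range(len(events)):
            # advance the window start until the span fits inside `window`
            while _ts(events[end]) - _ts(events[start]) > window:
                start += 1
            span = events[start:end + 1]
            mailboxes = {e["MailboxOwnerUPN"].lower() for e in span}
            if len(mailboxes) >= threshold and (
                    best is None or len(mailboxes) > len(best["mailboxes"])):
                best = {
                    "user": user,
                    "mailboxes": sorted(mailboxes),
                    "items": sum(e["ItemCount"] for e in span),
                    "source_ips": sorted({e["ClientIPAddress"] for e in span}),
                    "first_seen": span[0]["CreationTime"],
                    "last_seen": span[-1]["CreationTime"],
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in find_mass_delegate_access(SAMPLE_RECORDS):
        print(f"ALERT {a['user']} read {len(a['mailboxes'])} other mailboxes "
              f"({a['items']} items) from {a['source_ips']} "
              f"between {a['first_seen']} and {a['last_seen']}")
```

In production the same logic would run over the unified audit log (via Search-UnifiedAuditLog or the Office 365 Management Activity API) rather than an in-memory list. The threshold must be baselined against legitimate delegate use such as executive assistants and shared helpdesk mailboxes, and a worthwhile second signal is a source IP or ASN the account has never authenticated from before, which is why the example carries the source addresses in the alert.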
Void Blizzard is a significant threat to critical infrastructure not because of advanced tooling but because it applies commodity techniques persistently and at scale against pivotal organizations in Western countries. Organizations in the targeted sectors should assume their credentials are already for sale, enforce strong identity controls and monitor for bulk mailbox access by individual accounts.
| Attribute | Details |
|---|---|
| **Aliases** | Void Blizzard (Microsoft), Laundry Bear (Dutch AIVD/MIVD) |
| **Origin** | Russia |
| **Activity Period** | Active since at least April 2024 |
| **Targets** | Critical-infrastructure organizations in NATO member states and Ukraine: government, telecommunications, media, finance, transport |
| **Techniques** | Stolen credentials and password spraying for initial access, spear phishing with adversary-in-the-middle sign-in pages for credential theft, abuse of legitimate cloud APIs (Exchange Online, Microsoft Graph) to enumerate and exfiltrate mailbox data, commercial VPN, Tor and VPS infrastructure |
| **Motivations** | Intelligence gathering on an industrial scale, data exfiltration |
- The threat intelligence community is tracking a group known as Void Blizzard (Microsoft) or Laundry Bear (Dutch AIVD/MIVD), which has been active since at least April 2024.
- This newly identified Russian threat actor conducts espionage on an industrial scale against critical-infrastructure organizations in government, telecommunications, media, finance and transportation.
- Microsoft's recommended defenses are identity-focused: multifactor authentication, risk-based sign-in policies, consolidated identity management, least-privilege account access and mailbox access auditing.
- In October 2024 Laundry Bear compromised a Ukrainian aviation organization, and it has been linked to breaches of Dutch government organizations, including the national police force, from which employee contact information was stolen.
- The group, believed to operate from Russia, collects intelligence for Moscow with a focus on NATO member states and Ukraine, and appears interested in technologies that are off-limits to Russia under international sanctions.