The Microsoft Threat Intelligence Center (MSTIC) has uncovered a cloud abuse campaign attributed to a Russian-affiliated cyber threat group known as Void Blizzard. Dutch intelligence tracks this group as Laundry Bear. The agency said that this threat actor was behind attacks last year on the networks of the Dutch police, NATO and several European countries.
Active since at least April 2024, Void Blizzard engages in targeted cyberespionage, with a clear strategic focus on NATO member states and Ukraine. The operations are believed to be part of a broader effort to collect intelligence supporting Russian state interests, particularly in sectors critical to national security and infrastructure.
Targets include organizations in the transportation and aviation sectors, media outlets and NGOs, healthcare, education, IT, law enforcement, and intergovernmental bodies.
The group's actions frequently overlap with other Russian-affiliated groups, such as Forest Blizzard, Midnight Blizzard, Secret Blizzard, and Seashell Blizzard.
In October 2024, Void Blizzard compromised a Ukrainian aviation organization that Seashell Blizzard had already attacked in 2022. Since August 2024, the group has escalated attacks on NATO air traffic control systems, often through password spray campaigns. Microsoft also observed increased Void Blizzard activity across the communications and telecommunications sectors, frequently resulting in successful intrusions.
According to Microsoft's threat intelligence team, Void Blizzard shows limited technical sophistication, but its techniques are effective. The actor gains initial access through credential-based attacks such as password spraying, stolen credentials bought on criminal infostealer marketplaces, and spear phishing with adversary-in-the-middle (AitM) tactics.
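Password spraying is the cheapest of the three initial-access routes above, and it is also the easiest to see in Entra ID sign-in logs: one source IP failing against many distinct accounts, as opposed to one account failing many times. The following detector is an added example written for this article, not code from Microsoft's report. It assumes JSON-lines records carrying the Entra ID sign-in fields `createdDateTime`, `userPrincipalName`, `ipAddress` and `status.errorCode`, treats the commonly documented result codes (0 success, 50126 bad password, 50053 locked, 50057 disabled, 50055 expired, 50074/50076 MFA required) as listed in the constants, and runs over constructed sample lines in documentation-only IP ranges.

```python
"""Password-spray detection over Microsoft Entra ID sign-in log records.

Added example for this article, not code from Microsoft's report. The records
mimic Entra ID sign-in log fields (createdDateTime, userPrincipalName,
ipAddress, status.errorCode); the sample lines are constructed, not real
telemetry, and use documentation-only IP ranges.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Entra ID sign-in result codes. Assumption: the commonly documented meanings.
SUCCESS_CODES = {0}
MFA_BLOCKED_CODES = {50074, 50076}            # password was right, MFA stopped it
FAILURE_CODES = {50126, 50053, 50057, 50055}  # bad password, locked, disabled, expired


def parse_records(lines):
    """Parse JSON-lines sign-in records into a time-ordered list of dicts."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        raw = json.loads(line)
        records.append({
            "ts": datetime.fromisoformat(raw["createdDateTime"].replace("Z", "+00:00")),
            "user": raw["userPrincipalName"].lower(),
            "ip": raw["ipAddress"],
            "code": raw["status"]["errorCode"],
        })
    records.sort(key=lambda r: r["ts"])
    return records


def detect_password_spray(records, window=timedelta(minutes=60), min_users=5):
    """Flag source IPs that fail sign-ins for >= min_users distinct accounts
    inside `window`, and escalate when the same IP then obtains a success or
    an MFA-blocked result (which means the password was correct).
    One account failing many times from one IP is a lockout, not a spray,
    so the count is over distinct users, not over attempts."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)

    findings = []
    for ip, events in by_ip.items():
        failures = [e for e in events if e["code"] in FAILURE_CODES]
        best = None  # (distinct users, window start, window end)
        for i, start in enumerate(failures):
            users, end = set(), start["ts"]
            for e in failures[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                users.add(e["user"])
                end = e["ts"]
            if len(users) >= min_users and (best is None or len(users) > len(best[0])):
                best = (users, start["ts"], end)
        if best is None:
            continue
        users, first, last = best
        # Any success from the spraying IP after the spray began means the
        # actor now holds a valid password for that account.
        hits = sorted({e["user"] for e in events
                       if e["ts"] >= first and e["code"] in SUCCESS_CODES | MFA_BLOCKED_CODES})
        findings.append({
            "ip": ip,
            "distinct_users": len(users),
            "first_failure": first.isoformat(),
            "last_failure": last.isoformat(),
            "credential_hits": hits,
            "severity": "high" if hits else "medium",
        })
    return findings


def _rec(ts, user, ip, code):
    return json.dumps({"createdDateTime": ts, "userPrincipalName": user,
                       "ipAddress": ip, "status": {"errorCode": code}})


# Constructed sample: one locked-out user retrying from a NAT address (not a
# spray), routine successful sign-ins, and one IP spraying six accounts in
# twelve minutes and landing a password for the last one.
SAMPLE_LINES = [
    _rec("2024-10-03T08:00:00Z", "alice@example.com", "198.51.100.7", 50126),
    _rec("2024-10-03T08:01:00Z", "alice@example.com", "198.51.100.7", 50126),
    _rec("2024-10-03T08:02:00Z", "alice@example.com", "198.51.100.7", 50126),
    _rec("2024-10-03T08:03:00Z", "alice@example.com", "198.51.100.7", 50126),
    _rec("2024-10-03T08:04:00Z", "alice@example.com", "198.51.100.7", 50126),
    _rec("2024-10-03T08:05:00Z", "alice@example.com", "198.51.100.7", 50053),
    _rec("2024-10-03T08:30:00Z", "bob@example.com", "192.0.2.5", 0),
    _rec("2024-10-03T08:45:00Z", "carol@example.com", "192.0.2.5", 0),
    _rec("2024-10-03T09:00:00Z", "alice@example.com", "203.0.113.10", 50126),
    _rec("2024-10-03T09:02:00Z", "bob@example.com", "203.0.113.10", 50126),
    _rec("2024-10-03T09:04:00Z", "carol@example.com", "203.0.113.10", 50126),
    _rec("2024-10-03T09:06:00Z", "dave@example.com", "203.0.113.10", 50126),
    _rec("2024-10-03T09:08:00Z", "erin@example.com", "203.0.113.10", 50126),
    _rec("2024-10-03T09:10:00Z", "Frank@example.com", "203.0.113.10", 50126),
    _rec("2024-10-03T09:11:00Z", "alice@example.com", "203.0.113.10", 50126),
    _rec("2024-10-03T09:12:00Z", "frank@example.com", "203.0.113.10", 0),
]

if __name__ == "__main__":
    for finding in detect_password_spray(parse_records(SAMPLE_LINES)):
        print(json.dumps(finding, indent=2))
```

The window and threshold are the tuning knobs: a low-and-slow spray spread over days defeats a 60-minute window, so in production the same logic is worth running a second time with a 24-hour window and a higher user threshold. Source IP is also a weak key against a spray distributed across residential proxies; pivoting the same count onto user agent or ASN catches that variant.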
After gaining initial access, the group abuses legitimate Microsoft cloud APIs (Exchange Online, Microsoft Graph) to exfiltrate email, including from shared mailboxes, and cloud-hosted files. In some incidents, Void Blizzard also accessed Microsoft Teams data through the web client.
The group has also used tools such as AzureHound to enumerate Entra ID configuration, gathering intelligence on the roles, groups, and users within a tenant.
“In a small number of Void Blizzard compromises, Microsoft Threat Intelligence has also observed the threat actor accessing Microsoft Teams conversations and messages via the Microsoft Teams web client application,” Microsoft noted in the report. “The threat actor has also in some cases enumerated the compromised organization’s Microsoft Entra ID configuration using the publicly available AzureHound tool to gain information about the users, roles, groups, applications, and devices belonging to that tenant.”
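Both post-compromise behaviours described above, bulk mailbox reads through Graph (including other users' shared mailboxes) and AzureHound-style walking of the directory, leave a request trail in Microsoft Graph activity logs. The following detector is an added example written for this article, not code from Microsoft or the AzureHound project. It assumes a simplified stand-in for the Graph activity log schema (`requestUri`, `userPrincipalName`, `ipAddress`, `userAgent`, `timeGenerated`), treats the listed top-level Graph collections as the ones a collector walks, and runs over constructed sample lines; the `azurehound/v2.3.0` user agent string is an assumption for illustration and is trivially changed by an attacker, so the detection keys on request breadth rather than on the agent.

```python
"""Post-compromise Microsoft Graph abuse: bulk reads of other users' mailboxes
and AzureHound-style directory enumeration, over Graph activity log records.

Added example for this article, not code from Microsoft or the AzureHound
project. The record fields are a simplified stand-in for the Graph activity
log schema, and the sample lines are constructed, not real telemetry.
"""
import json
from collections import defaultdict
from urllib.parse import urlparse

# Top-level Graph collections a BloodHound/AzureHound-style collector walks.
# Assumption: this list is illustrative, not the tool's exact request set.
DIRECTORY_COLLECTIONS = {"users", "groups", "directoryRoles", "applications",
                         "servicePrincipals", "devices"}
MAIL_SEGMENTS = {"messages", "mailFolders"}


def classify_request(request_uri, actor):
    """Map one Graph request to ('mail', mailbox_owner), ('enum', collection)
    or None. The query string ($top, $select, $skiptoken) is discarded so
    paginated enumeration collapses onto one collection name."""
    segs = [s for s in urlparse(request_uri).path.split("/") if s]
    if len(segs) < 2:              # need at least /<version>/<resource>
        return None
    root = segs[1]
    if root == "me" and any(s in MAIL_SEGMENTS for s in segs[2:]):
        return ("mail", actor)
    if root == "users" and len(segs) >= 4 and segs[3] in MAIL_SEGMENTS:
        return ("mail", segs[2].lower())
    if root in DIRECTORY_COLLECTIONS and len(segs) == 2:
        return ("enum", root)
    return None


def detect_graph_abuse(lines, enum_threshold=4, foreign_mail_threshold=1):
    """Per (actor, source IP) session, flag directory enumeration that walks
    >= enum_threshold top-level collections, and reads of mailboxes the actor
    does not own (shared or delegated mailboxes are the usual target)."""
    sessions = defaultdict(lambda: {"mail": defaultdict(int), "enum": set(), "ua": set()})
    for line in lines:
        if not line.strip():
            continue
        raw = json.loads(line)
        actor = raw["userPrincipalName"].lower()
        key = (actor, raw["ipAddress"])
        sessions[key]["ua"].add(raw.get("userAgent", ""))
        kind = classify_request(raw["requestUri"], actor)
        if kind is None:
            continue
        if kind[0] == "mail":
            sessions[key]["mail"][kind[1]] += 1
        else:
            sessions[key]["enum"].add(kind[1])

    findings = []
    for (actor, ip), s in sorted(sessions.items()):
        foreign = {mb: n for mb, n in s["mail"].items() if mb != actor}
        if len(foreign) >= foreign_mail_threshold:
            findings.append({"kind": "foreign_mailbox_access", "actor": actor, "ip": ip,
                             "mailboxes": sorted(foreign), "requests": sum(foreign.values())})
        if len(s["enum"]) >= enum_threshold:
            findings.append({"kind": "directory_enumeration", "actor": actor, "ip": ip,
                             "collections": sorted(s["enum"]), "user_agents": sorted(s["ua"])})
    return findings


def _rec(ts, actor, ip, ua, uri):
    return json.dumps({"timeGenerated": ts, "userPrincipalName": actor,
                       "ipAddress": ip, "userAgent": ua, "requestUri": uri})


G = "https://graph.microsoft.com/v1.0"
ATTACKER_UA = "azurehound/v2.3.0"   # assumed string for illustration only
# Constructed sample: a routine Outlook on the web session, a compromised
# account pulling its own and two shared mailboxes and then walking the
# directory, and a help-desk user listing users once.
SAMPLE_LINES = [
    _rec("2024-10-03T08:30:00Z", "bob@example.com", "192.0.2.5", "Mozilla/5.0 OWA", G + "/me/mailFolders/inbox/messages?$top=50"),
    _rec("2024-10-03T08:31:00Z", "bob@example.com", "192.0.2.5", "Mozilla/5.0 OWA", G + "/me/messages/AAMkAGI2/attachments"),
    _rec("2024-10-03T09:20:00Z", "frank@example.com", "203.0.113.10", "python-requests/2.31", G + "/me/messages?$top=1000"),
    _rec("2024-10-03T09:21:00Z", "frank@example.com", "203.0.113.10", "python-requests/2.31", G + "/users/frank@example.com/messages?$top=1000"),
    _rec("2024-10-03T09:22:00Z", "frank@example.com", "203.0.113.10", "python-requests/2.31", G + "/users/hr.shared@example.com/messages?$top=1000"),
    _rec("2024-10-03T09:23:00Z", "frank@example.com", "203.0.113.10", "python-requests/2.31", G + "/users/hr.shared@example.com/messages?$top=1000&$skiptoken=abc"),
    _rec("2024-10-03T09:24:00Z", "frank@example.com", "203.0.113.10", "python-requests/2.31", G + "/users/hr.shared@example.com/mailFolders/sentitems/messages"),
    _rec("2024-10-03T09:25:00Z", "frank@example.com", "203.0.113.10", "python-requests/2.31", G + "/users/ceo@example.com/messages?$top=1000"),
    _rec("2024-10-03T09:40:00Z", "frank@example.com", "203.0.113.10", ATTACKER_UA, G + "/users?$top=999"),
    _rec("2024-10-03T09:40:05Z", "frank@example.com", "203.0.113.10", ATTACKER_UA, G + "/groups?$top=999"),
    _rec("2024-10-03T09:40:10Z", "frank@example.com", "203.0.113.10", ATTACKER_UA, G + "/directoryRoles"),
    _rec("2024-10-03T09:40:15Z", "frank@example.com", "203.0.113.10", ATTACKER_UA, G + "/applications?$top=999"),
    _rec("2024-10-03T09:40:20Z", "frank@example.com", "203.0.113.10", ATTACKER_UA, G + "/servicePrincipals?$top=999"),
    _rec("2024-10-03T09:40:25Z", "frank@example.com", "203.0.113.10", ATTACKER_UA, G + "/devices?$top=999"),
    _rec("2024-10-03T10:00:00Z", "helpdesk@example.com", "192.0.2.9", "Mozilla/5.0 Portal", G + "/users?$select=displayName"),
]

if __name__ == "__main__":
    for finding in detect_graph_abuse(SAMPLE_LINES):
        print(json.dumps(finding, indent=2))
```

Two design points matter in practice. First, `/users/frank@example.com/messages` issued by frank is classified as his own mailbox, so a client that addresses mailboxes by explicit path is not a false positive; only mailboxes whose owner differs from the authenticated user count as foreign, and the threshold of one reflects that any such read deserves a look unless the user holds documented delegate rights. Second, the enumeration rule counts distinct top-level collections rather than request volume, because a single paginated `/users` walk by an administrator is normal while `users`, `groups`, `directoryRoles`, `applications`, `servicePrincipals` and `devices` in one short session from one IP is the shape of a collector run, whatever user agent it presents.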