Full Report
New research from Microsoft identifies Void Blizzard, also tracked as LAUNDRY BEAR, as a Russia-affiliated threat actor engaged... The post Microsoft details Void Blizzard as Russian cyber threat targeting global critical infrastructure appeared first on Industrial Cyber.
Analysis Summary
# Threat Actor: Void Blizzard
## Attribution & Identity
Russia-affiliated threat actor engaged in cyberespionage in support of Russian strategic interests; also tracked as LAUNDRY BEAR. Its activity suggests espionage and intelligence collection interests shared with other Russian state actors such as Forest Blizzard, Midnight Blizzard, and Secret Blizzard, whose targeting it frequently overlaps.
## Activity Summary
Active since at least April of the preceding year, running cyberespionage campaigns in support of Russian strategic interests and frequently compromising organizations that other known Russian state actors have also targeted. Last month the actor was observed adding targeted spear phishing for credential theft to its initial access methods; in April it ran an Adversary-in-the-Middle (AitM) spear phishing campaign against NGOs in Europe and the US.
## Tactics, Techniques & Procedures
- Initial access often gained through using stolen credentials, likely purchased from online marketplaces.
- Evolved initial access to include targeted spear phishing for credential theft: deceptive emails that lure the recipient into entering their login details.
- Conducted Adversary-in-the-Middle (AitM) spear phishing using a typosquatted domain to spoof Microsoft Entra authentication portals.
- Used a malicious QR code within a deceptive PDF attachment to redirect victims to a credential phishing page.
- Observed using the open-source attack framework **Evilginx** for AitM phishing. Evilginx proxies the real sign-in page, so it captures the username and password and, critically, the session cookies issued once MFA has been completed; replaying those cookies gives access to the account without repeating MFA.
- Post-compromise activity involves collecting and exfiltrating large volumes of emails and sensitive files.
- A global pattern of **cloud service abuse** is noted, with compromised cloud accounts used for post-compromise collection.
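The cookie theft in the Evilginx bullet is what makes AitM phishing dangerous: the session cookie already carries the completed MFA, so it works from whatever machine the operator pastes it into. What that looks like in sign-in telemetry is worth seeing. The following Python is an added example written for this page, not code from Microsoft or Industrial Cyber. The sign-in records, field names, IPs, ASNs and session IDs are constructed and only loosely modelled on Entra sign-in logs; treat the schema as this example's assumption, not the real one.

```python
"""Detect AitM session-cookie replay in sign-in telemetry (added example).

Scenario: a user authenticates through an Evilginx proxy, so the interactive,
MFA-satisfied sign-in reaches the identity provider from the proxy's network;
the captured session cookie is then replayed by the operator from another
network a few minutes later. Two detections catch the two halves of that.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_SIGNINS = [  # constructed records; field names are assumptions
    # alice's normal session: issued and used from her usual network (AS64496)
    {"time": "2025-05-06T08:02:11Z", "user": "alice@example.org", "ip": "203.0.113.10",
     "asn": 64496, "session_id": "sess-aaa1", "interactive": True},
    # same session, new IP inside the same ASN (DHCP/mobile churn): benign
    {"time": "2025-05-06T08:20:40Z", "user": "alice@example.org", "ip": "203.0.113.55",
     "asn": 64496, "session_id": "sess-aaa1", "interactive": False},
    # interactive sign-in relayed by the AitM proxy (an ASN alice never used)
    {"time": "2025-05-06T09:14:03Z", "user": "alice@example.org", "ip": "198.51.100.7",
     "asn": 64500, "session_id": "sess-bbb2", "interactive": True},
    # stolen cookie replayed from a third network within minutes
    {"time": "2025-05-06T09:21:49Z", "user": "alice@example.org", "ip": "192.0.2.200",
     "asn": 64511, "session_id": "sess-bbb2", "interactive": False},
    # bob: one session, one network, nothing to see
    {"time": "2025-05-06T09:30:00Z", "user": "bob@example.org", "ip": "203.0.113.20",
     "asn": 64496, "session_id": "sess-ccc3", "interactive": True},
]

# Per-user networks seen during a prior baseline period (constructed).
KNOWN_ASNS = {"alice@example.org": {64496}, "bob@example.org": {64496}}


def parse_time(stamp: str) -> datetime:
    """ISO-8601 with trailing Z; older fromisoformat needs an explicit offset."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def detect_session_replay(events, window=timedelta(hours=1)):
    """Flag a session whose later sign-in comes from a different ASN than the
    one it was issued to, within `window` of issuance.

    A browser session cookie normally stays with one client, so use from a
    second network soon after issuance is the signature of cookie theft and
    replay. IP changes inside the same ASN are ignored to avoid alerting on
    ordinary DHCP or mobile address churn."""
    by_session = defaultdict(list)
    for event in sorted(events, key=lambda e: parse_time(e["time"])):
        by_session[event["session_id"]].append(event)

    alerts = []
    for session_id, session_events in by_session.items():
        issued = session_events[0]
        for later in session_events[1:]:
            elapsed = parse_time(later["time"]) - parse_time(issued["time"])
            if later["asn"] != issued["asn"] and elapsed <= window:
                alerts.append({
                    "rule": "session_replay",
                    "user": issued["user"],
                    "session_id": session_id,
                    "issued_from": f'{issued["ip"]} (AS{issued["asn"]})',
                    "replayed_from": f'{later["ip"]} (AS{later["asn"]})',
                    "minutes_after": round(elapsed.total_seconds() / 60, 1),
                })
                break  # one alert per session is enough
    return alerts


def detect_unfamiliar_interactive_signin(events, known_asns):
    """Flag interactive sign-ins from an ASN the user has never used before.
    With AitM phishing the victim's credentials and MFA are submitted by the
    proxy, so the identity provider sees the proxy's network, not the user's."""
    return [
        {"rule": "unfamiliar_asn", "user": e["user"], "ip": e["ip"], "asn": e["asn"],
         "session_id": e["session_id"]}
        for e in events
        if e["interactive"] and e["asn"] not in known_asns.get(e["user"], set())
    ]


def analyze(events, known_asns):
    """Run both detections; in the scenario above both fire on sess-bbb2."""
    return detect_session_replay(events) + detect_unfamiliar_interactive_signin(events, known_asns)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_SIGNINS, KNOWN_ASNS):
        print(alert)
```

The ASN comparison rather than a raw IP comparison is deliberate: a hard IP match would fire on every laptop that moves between Wi-Fi and a phone hotspot, while a cookie that turns up in a different autonomous system minutes after issuance is rare for real users and routine for a replayed Evilginx capture.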
## Targeting
- Sectors: Government, defense, transportation, media, NGOs, healthcare, aviation, education, and law enforcement agencies.
- Geography: Europe, North America, NATO member states, and Ukraine.
- Victims: organizations in NATO countries providing military or humanitarian aid to Ukraine, including a Ukrainian aviation organization previously targeted by Seashell Blizzard, and more than 20 NGO-sector organizations in Europe and the US in the April campaign.
## Tools & Infrastructure
- Malware: no custom malware family is attributed to the actor. The stolen credentials used for initial access are the kind harvested and sold by commodity infostealers, which is why the response guidance covers infostealer cleanup.
- Tooling and infrastructure: **Evilginx** (open-source AitM phishing framework) and the typosquatted domain `micsrosoftonline[dot]com`, one inserted character away from the legitimate Microsoft sign-in domain, which hosted the credential phishing page.
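Both the AitM bullet under Tactics and the infrastructure entry above turn on one domain that is a single character off from the real one. A defender triaging URLs from mail or proxy logs wants a check that catches that class of lookalike, including the brand-in-subdomain variant (`login.microsoftonline.com.attacker-domain`) that an edit-distance test alone misses. The following Python is an added example for this page, not code from Microsoft or Industrial Cyber; the list of legitimate sign-in domains and the two-label public-suffix assumption are this example's simplifications, and the sample indicators other than `micsrosoftonline[dot]com` are constructed.

```python
"""Lookalike check for Microsoft sign-in domains (added example).

Accepts defanged indicators as written in threat reports ([dot], [.], hxxp),
extracts the hostname, and compares its registrable domain with the legitimate
Entra / Microsoft account sign-in domains by edit distance.
"""
import re
from urllib.parse import urlparse

# Registrable domains a spoofed Entra authentication portal would imitate
# (an assumption of this example; extend for your own tenant's brands).
LEGITIMATE_LOGIN_DOMAINS = ("microsoftonline.com", "microsoft.com", "live.com")


def refang(indicator: str) -> str:
    """Undo common defanging: [.] / [dot] / (dot) -> '.', hxxp(s) -> http(s)."""
    text = indicator.strip()
    text = re.sub(r"\[\s*(?:\.|dot)\s*\]|\(\s*dot\s*\)", ".", text, flags=re.IGNORECASE)
    text = re.sub(r"^hxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)
    return text


def hostname_of(indicator: str) -> str:
    """Lowercase hostname from a (possibly defanged) URL or bare host."""
    text = refang(indicator)
    if "://" not in text:
        text = "https://" + text
    return (urlparse(text).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels; assumes a one-label public suffix such as .com."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute)."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        current = [i]
        for j, cb in enumerate(b, start=1):
            current.append(min(previous[j] + 1,                 # deletion
                               current[j - 1] + 1,              # insertion
                               previous[j - 1] + (ca != cb)))   # substitution
        previous = current
    return previous[-1]


def classify_host(indicator: str, max_distance: int = 2) -> dict:
    """Verdicts:
    legitimate         registrable domain is one of ours
    brand_in_subdomain a legitimate domain appears as a label run inside a
                       foreign host (login.microsoftonline.com.evil.example)
    lookalike          registrable domain within max_distance edits of ours
    unrelated          none of the above
    """
    host = hostname_of(indicator)
    reg = registrable_domain(host)
    if reg in LEGITIMATE_LOGIN_DOMAINS:
        return {"host": host, "verdict": "legitimate", "closest": reg, "distance": 0}
    for legit in LEGITIMATE_LOGIN_DOMAINS:
        if ("." + host + ".").find("." + legit + ".") != -1:
            return {"host": host, "verdict": "brand_in_subdomain",
                    "closest": legit, "distance": None}
    closest, distance = min(((legit, levenshtein(reg, legit))
                             for legit in LEGITIMATE_LOGIN_DOMAINS),
                            key=lambda pair: pair[1])
    verdict = "lookalike" if distance <= max_distance else "unrelated"
    return {"host": host, "verdict": verdict, "closest": closest, "distance": distance}


if __name__ == "__main__":
    for sample in ("micsrosoftonline[dot]com",
                   "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
                   "hxxps://login.microsoftonline.com.evil-example[.]net/"):
        print(classify_host(sample))
```

Edit distance 1 is exactly the `micsrosoftonline` case; the `max_distance` of 2 also covers the common swap-two-letters and drop-a-letter variants, at the cost of a few false positives on short brand names, which is why the check compares registrable domains rather than full hostnames.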
## Implications
Void Blizzard poses a significant threat because of the scale and persistence of its activity, particularly against high-value NATO and Ukrainian-aligned targets. Its TTPs are not considered sophisticated, but its consistent execution of well-worn techniques for intelligence gathering shows the persistent risk from determined, state-sponsored adversaries. The recent addition of targeted spear phishing to an initial access playbook previously built on purchased credentials marks an evolution in initial access methods that increases the risk for critical sectors.
## Mitigations
- Implement sign-in risk policies that evaluate each sign-in and, depending on the assessed risk level, block it or require MFA.
- Require MFA for all users, prioritizing phishing-resistant methods over telephony-based MFA. The AitM technique described above completes a push or one-time-code MFA prompt through the proxy and steals the resulting session, so only phishing-resistant methods bound to the legitimate origin (FIDO2 security keys, passkeys) defeat it.
- Centralize identity management and integrate on-premises directories with cloud environments for better oversight.
- Secure email systems by enabling mailbox auditing to log user and administrator actions, so that bulk mailbox access after a compromise leaves a record.
- Implement rapid response procedures upon detection of malware or infostealers: immediate credential rotation for affected accounts and malware removal. Because a stolen session cookie remains valid after a password change, also revoke the account's active sessions and refresh tokens.
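Two of these mitigations can be checked and exercised with a few lines of code: whether mailbox auditing actually records mail reads for every access role, and whether the resulting audit trail would show the bulk email collection described under post-compromise activity. The following Python is an added example for this page, not code from Microsoft or Industrial Cyber. The mailbox settings and audit records are constructed; they mirror the shape of Exchange Online mailbox audit configuration (AuditEnabled plus AuditOwner / AuditDelegate / AuditAdmin action lists) and of Unified Audit Log MailItemsAccessed events (UserId, ClientIPAddress, CreationTime, OperationCount), but the exact field set used here is this example's assumption, and the threshold and window are placeholders to tune.

```python
"""Mailbox audit coverage check and bulk mail-access detection (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# MailItemsAccessed must be logged for every access role, otherwise bulk reads
# via the owner's stolen session, a delegate, or an admin can go unrecorded.
REQUIRED_ACTION = "MailItemsAccessed"

MAILBOX_SETTINGS = [  # constructed, shaped like per-mailbox audit configuration
    {"Identity": "alice@example.org", "AuditEnabled": True,
     "AuditOwner": ["MailItemsAccessed", "Send", "MoveToDeletedItems"],
     "AuditDelegate": ["MailItemsAccessed", "SendAs"],
     "AuditAdmin": ["MailItemsAccessed", "Copy"]},
    {"Identity": "bob@example.org", "AuditEnabled": False,
     "AuditOwner": ["MailItemsAccessed"], "AuditDelegate": ["MailItemsAccessed"],
     "AuditAdmin": ["MailItemsAccessed"]},
    {"Identity": "carol@example.org", "AuditEnabled": True,
     "AuditOwner": ["Send"], "AuditDelegate": ["MailItemsAccessed"],
     "AuditAdmin": ["MailItemsAccessed"]},
]

AUDIT_RECORDS = [  # constructed; alice's own client plus a collector on another IP
    {"CreationTime": "2025-05-07T10:00:00Z", "Operation": "MailItemsAccessed",
     "UserId": "alice@example.org", "ClientIPAddress": "203.0.113.10", "OperationCount": 4},
    {"CreationTime": "2025-05-07T10:45:00Z", "Operation": "MailItemsAccessed",
     "UserId": "alice@example.org", "ClientIPAddress": "203.0.113.10", "OperationCount": 6},
    {"CreationTime": "2025-05-07T11:02:00Z", "Operation": "MailItemsAccessed",
     "UserId": "alice@example.org", "ClientIPAddress": "192.0.2.200", "OperationCount": 180},
    {"CreationTime": "2025-05-07T11:06:30Z", "Operation": "MailItemsAccessed",
     "UserId": "alice@example.org", "ClientIPAddress": "192.0.2.200", "OperationCount": 220},
    {"CreationTime": "2025-05-07T11:11:15Z", "Operation": "MailItemsAccessed",
     "UserId": "alice@example.org", "ClientIPAddress": "192.0.2.200", "OperationCount": 240},
    {"CreationTime": "2025-05-07T13:40:00Z", "Operation": "Send",
     "UserId": "alice@example.org", "ClientIPAddress": "203.0.113.10", "OperationCount": 1},
]


def parse_time(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def audit_gaps(settings):
    """Return (mailbox, reason) pairs where bulk mail access could go unrecorded."""
    gaps = []
    for box in settings:
        if not box["AuditEnabled"]:
            gaps.append((box["Identity"], "auditing disabled"))
            continue
        for role in ("AuditOwner", "AuditDelegate", "AuditAdmin"):
            if REQUIRED_ACTION not in box[role]:
                gaps.append((box["Identity"], f"{REQUIRED_ACTION} missing from {role}"))
    return gaps


def detect_bulk_access(records, window=timedelta(minutes=30), threshold=500):
    """Flag a (mailbox, client IP) pair whose MailItemsAccessed counts sum to
    `threshold` or more inside any sliding `window`. Counts are kept per source
    IP so a collector draining a mailbox from an unfamiliar address stands out
    against the owner's own low-volume client activity."""
    per_source = defaultdict(list)
    for rec in records:
        if rec["Operation"] != "MailItemsAccessed":
            continue
        per_source[(rec["UserId"], rec["ClientIPAddress"])].append(
            (parse_time(rec["CreationTime"]), rec["OperationCount"]))

    alerts = []
    for (mailbox, ip), hits in per_source.items():
        hits.sort()
        start, total = 0, 0
        for stamp, count in hits:
            total += count
            while stamp - hits[start][0] > window:  # slide the window forward
                total -= hits[start][1]
                start += 1
            if total >= threshold:
                alerts.append({"mailbox": mailbox, "client_ip": ip, "items": total,
                               "window_start": hits[start][0].isoformat(),
                               "window_end": stamp.isoformat()})
                break  # first crossing per source is enough for triage
    return alerts


if __name__ == "__main__":
    print(audit_gaps(MAILBOX_SETTINGS))
    print(detect_bulk_access(AUDIT_RECORDS))
```

The coverage check is the half that is easy to forget: a mailbox with auditing enabled but `MailItemsAccessed` absent from one role still leaves a blind spot, and the detection below it is only as good as the records that reach the log.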