Full Report
Laundry Bear, a group recently identified by Dutch intelligence and security services, stole the work-related contact details of staff of the Netherlands' national police force in September 2024, Microsoft researchers said. Source: the CyberScoop post "New Russian state-sponsored APT quickly gains global reach, hitting expansive targets".
Analysis Summary
# Threat Actor: Laundry Bear (Void Blizzard)
## Attribution & Identity
* **Identification:** Russian state-sponsored Advanced Persistent Threat (APT) group.
* **Aliases:** Named **Laundry Bear** by the Dutch services; Microsoft tracks the same group as **Void Blizzard**.
* **Attribution source:** Publicly identified by Dutch intelligence and security services, with activity detailed by Microsoft researchers.
## Activity Summary
Laundry Bear/Void Blizzard is engaged in a global espionage campaign supporting Moscow's interests, primarily targeting NATO member states and Ukraine since at least mid-2024. The most notable publicly reported intrusion was into systems of the Netherlands' national police force in September 2024, where the group stole work-related contact details of police staff. The group consistently targets government organizations and critical infrastructure providers to gather foreign policy and defense-related information.
## Tactics, Techniques & Procedures
The group's initial access methods are unsophisticated, yet they achieve widespread success because they exploit gaps that are common across victims rather than weaknesses specific to any one of them.
- **Initial Access:** Use of stolen credentials (likely purchased from commodity infostealer ecosystems) and, likely, password spraying. These are two distinct techniques: replaying a known-good password for one account versus trying a few common passwords across many accounts; both are cheap, low-noise per account, and succeed wherever single-factor authentication is still accepted.
- **Post-compromise access:** Using the compromised accounts to sign in to Microsoft Exchange Online and SharePoint Online (the source labels this as initial access; it is the first use of the stolen credential, not a persistence mechanism).
- **Collection:** Abusing legitimate cloud APIs to read mailboxes and cloud-hosted files, accessing Microsoft Teams conversations and messages, and cataloging Microsoft Entra ID configuration (users, roles, and tenant settings).
- **Exfiltration:** Automating the bulk theft of cloud-hosted data, so the volume of data accessed is out of proportion to what a single user would read.
- **General Assessment:** While the TTPs are "not unique," their determined execution at scale leads to widespread success.
## Targeting
- **Sectors:** Government agencies, defense suppliers, critical infrastructure providers, communications, IT, health care, education, media, and transportation.
- **Geography:** NATO member states and Ukraine primarily, with global reach.
- **Victims:** Specific mention of the **Netherlands’ national police force**.
## Tools & Infrastructure
- **Malware families used:** None named in the source; the tradecraft described is credential theft and abuse of legitimate cloud APIs rather than custom malware, so there is little to detect on endpoints.
- **Infrastructure (C2, domains, IPs):** No C2 infrastructure details (IPs or URLs) are given in the source text.
## Implications
The group poses an enduring espionage threat, particularly to Western governments and defense entities supporting Ukraine. Its ability to obtain high-value access with ostensibly unsophisticated TTPs (stolen commodity credentials, password spraying) shows that it is exploiting common gaps in cloud identity management, chiefly accounts that can still be accessed with a password alone. The objective is intelligence gathering on Western military support for Ukraine.
## Mitigations
- Harden credential security, since the actor relies on credentials procured from criminal ecosystems and on password guessing: require multi-factor authentication (preferably phishing-resistant) on every account, block legacy authentication protocols that cannot enforce MFA, and reset passwords for accounts that appear in infostealer credential dumps.
- Monitor and control the use of legitimate cloud APIs in Exchange Online, SharePoint Online, and Microsoft Entra ID: enable mailbox auditing, alert on bulk mail or file reads by a single account or client IP, and alert on broad enumeration of Entra ID users, roles, and configuration.
- Correlate sign-in telemetry with collection telemetry: a password spray from one IP followed by a successful sign-in and then high-volume mailbox access from that same IP is the full chain described above and should be treated as a confirmed compromise, not three separate low-severity alerts.
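The following is an added example, not code from the source or from Microsoft, that illustrates the two detection points above and the correlation between them: a password-spray detector over Entra ID sign-in events and a bulk-collection detector over Exchange Online mailbox-audit records (MailItemsAccessed). The log events are constructed samples; the field names (`time`, `user`, `ip`, `error`, `operation`, `items`), the thresholds, and the window sizes are assumptions to be adjusted for a real tenant. Error code 50126 is the Entra ID code for an invalid username or password.

```python
"""Toy detections for the Laundry Bear / Void Blizzard chain described above:
password spraying, follow-on sign-in, then bulk mailbox reads through cloud APIs.
Added example with constructed log events; field names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

SPRAY_DISTINCT_USERS = 5        # assumed: failures against >= this many accounts from one IP
SPRAY_WINDOW = timedelta(minutes=30)
BULK_ITEMS = 500                # assumed: MailItemsAccessed items per (user, IP) in the window
BULK_WINDOW = timedelta(hours=1)
INVALID_PASSWORD = 50126        # Entra ID error code: invalid username or password


def ts(s):
    return datetime.fromisoformat(s)


# Constructed sample Entra ID sign-in events (not real telemetry).
# 203.0.113.5 fails against 12 accounts in 12 minutes, then logs in as user3.
SIGNIN_LOGS = [
    {"time": f"2024-09-02T08:{i:02d}:00", "user": f"user{i}@example.org",
     "ip": "203.0.113.5", "error": INVALID_PASSWORD}
    for i in range(12)
] + [
    {"time": "2024-09-02T08:20:00", "user": "user3@example.org", "ip": "203.0.113.5", "error": 0},
    # A legitimate user mistyping their password twice is not a spray.
    {"time": "2024-09-02T09:00:00", "user": "alice@example.org", "ip": "198.51.100.7", "error": INVALID_PASSWORD},
    {"time": "2024-09-02T09:01:00", "user": "alice@example.org", "ip": "198.51.100.7", "error": INVALID_PASSWORD},
    {"time": "2024-09-02T09:02:00", "user": "alice@example.org", "ip": "198.51.100.7", "error": 0},
]

# Constructed Exchange Online mailbox-audit records (Operation = MailItemsAccessed).
MAILBOX_AUDIT = [
    {"time": "2024-09-02T08:25:00", "user": "user3@example.org", "ip": "203.0.113.5",
     "operation": "MailItemsAccessed", "items": 300},
    {"time": "2024-09-02T08:40:00", "user": "user3@example.org", "ip": "203.0.113.5",
     "operation": "MailItemsAccessed", "items": 450},
    {"time": "2024-09-02T10:00:00", "user": "alice@example.org", "ip": "198.51.100.7",
     "operation": "MailItemsAccessed", "items": 20},
]


def detect_password_spray(events, min_users=SPRAY_DISTINCT_USERS, window=SPRAY_WINDOW):
    """Return {ip: sorted distinct users} for IPs whose invalid-password failures
    hit at least min_users distinct accounts inside any sliding window.
    Keying on distinct users (not failure count) separates a spray from one user's typos."""
    by_ip = defaultdict(list)
    for e in events:
        if e["error"] == INVALID_PASSWORD:
            by_ip[e["ip"]].append((ts(e["time"]), e["user"]))
    hits = {}
    for ip, fails in by_ip.items():
        fails.sort()
        for i, (t0, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - t0 <= window}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits


def spray_follow_on_success(events, sprayers):
    """Accounts that signed in successfully from a spraying IP: treat as compromised."""
    return sorted({e["user"] for e in events if e["ip"] in sprayers and e["error"] == 0})


def detect_bulk_mail_access(records, threshold=BULK_ITEMS, window=BULK_WINDOW):
    """Return {(user, ip): items} where MailItemsAccessed volume from one IP against
    one mailbox reaches the threshold inside a sliding window (automated collection)."""
    by_key = defaultdict(list)
    for r in records:
        if r["operation"] == "MailItemsAccessed":
            by_key[(r["user"], r["ip"])].append((ts(r["time"]), r["items"]))
    hits = {}
    for key, recs in by_key.items():
        recs.sort()
        for i, (t0, _) in enumerate(recs):
            total = sum(n for t, n in recs[i:] if t - t0 <= window)
            if total >= threshold:
                hits[key] = total
                break
    return hits


def confirmed_compromises(signins, audit):
    """Accounts where the full chain is visible: sprayed from an IP, successful sign-in
    from that IP, then bulk mailbox reads from that same IP."""
    sprayers = detect_password_spray(signins)
    compromised = spray_follow_on_success(signins, sprayers)
    bulk = detect_bulk_mail_access(audit)
    return sorted(u for (u, ip) in bulk if u in compromised and ip in sprayers)


if __name__ == "__main__":
    print("spray sources:", list(detect_password_spray(SIGNIN_LOGS)))
    print("bulk access:", detect_bulk_mail_access(MAILBOX_AUDIT))
    print("confirmed chain:", confirmed_compromises(SIGNIN_LOGS, MAILBOX_AUDIT))
```

The spray detector keys on distinct target accounts per source IP rather than raw failure counts, which is what separates a spray from a single user who mistypes a password; the bulk detector sums item counts per (mailbox, client IP) so that a collection run split across several API calls is still caught. In production the same logic runs against the tenant's sign-in logs and unified audit log rather than in-memory lists.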