Full Report
Microsoft has shed light on a previously undocumented cluster of threat activity originating from a Russia-affiliated threat actor dubbed Void Blizzard (aka Laundry Bear) that it said is attributed to "worldwide cloud abuse." Active since at least April 2024, the hacking group is linked to espionage operations mainly targeting organizations that are important to Russian government objectives,
Analysis Summary
# Threat Actor: Void Blizzard
## Attribution & Identity
- **Attribution:** Russia-affiliated threat actor.
- **Known Aliases:** Laundry Bear.
- **Associated Groups:** Overlap in targeting with other Russian state actors including Forest Blizzard, Midnight Blizzard, and Secret Blizzard, suggesting shared espionage objectives assigned to parent organizations.
## Activity Summary
Void Blizzard is a previously undocumented cluster of threat activity attributed to worldwide cloud abuse, active since at least April 2024. The group focuses on espionage operations aimed at collecting intelligence furthering Russian strategic objectives. They employ high-volume, opportunistic attacks targeting organizations critical to Russian government interests. A notable historical activity includes the October 2024 compromise of several user accounts belonging to a Ukrainian aviation organization previously targeted by Seashell Blizzard in 2022.
## Tactics, Techniques & Procedures
- **Initial Access:** Utilizing stolen sign-in details likely purchased from online marketplaces.
- **Initial Access:** Password spraying.
- **Initial Access:** Spear-phishing engineered to trick victims into providing credentials via Adversary-in-the-Middle (AitM) landing pages using typosquatted domains to impersonate Microsoft Entra authentication.
- **Discovery/Enumeration:** Enumerated Microsoft Entra ID configuration using the public tool **AzureHound** to gather information on users, roles, groups, applications, and devices within a tenant.
- **Collection/Exfiltration:** Abuse of Exchange Online and Microsoft Graph to enumerate mailboxes and cloud-hosted files, followed by automation for bulk data collection.
- **Post-Compromise:** Accessing Microsoft Teams conversations and messages via the web client application.
## Targeting
- **Sectors:** Government, defense, transportation, media, non-governmental organizations (NGOs), and healthcare. The education sector was also targeted in Ukraine.
- **Geography:** Europe and North America. Disproportionately targets NATO member states and Ukraine.
- **Victims:** Government organizations, law enforcement agencies in NATO states, organizations providing military/humanitarian support to Ukraine, and over 20 NGOs in Europe and the United States (in recent phishing campaigns). A specifically named victim is a Ukrainian aviation organization.
## Tools & Infrastructure
- **Malware Families Used:** Utilized phishing pages believed to be based on the open-source **Evilginx** phishing kit.
- **Infrastructure (C2, domains, IPs):** Used a typosquatted domain (`micsrosoftonline[.]com`) hosting a credential phishing page.
## Implications
Void Blizzard represents an active, Russia-affiliated cyber espionage threat primarily focused on exploiting cloud environments (Microsoft 365) using stolen credentials and sophisticated phishing lures (AitM/Evilginx). Their targeting patterns strongly align with Russian strategic intelligence collection goals, particularly regarding NATO and support for Ukraine. The overlap with other known Russian groups suggests a coordinated, multi-faceted intelligence campaign.
## Mitigations
- Enhance monitoring for bulk enumeration of Microsoft 365 resources (Exchange Online/Graph API abuse).
- Implement robust monitoring and alerting for the use of tools like AzureHound against Microsoft Entra ID configurations.
- Implement multi-factor authentication, preferring phishing-resistant methods (e.g., FIDO2-based authentication) that are not defeated by AitM credential relays.
- Be cognizant of phishing attempts mimicking Microsoft services, specifically those delivered with malicious QR codes or linking to typosquatted domains.
- Review security posture around commodity credential markets for signs of compromise.
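The first two mitigations above (bulk enumeration of Microsoft 365 resources and AzureHound-style Entra ID enumeration) can be turned into a simple detection. The following is an added example, not code from the original report; it runs a sliding-window rule over constructed Graph request records shaped as `(timestamp, principal, request URI)`, which is an assumption about how such telemetry would be exported, and the thresholds are illustrative.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Collections an AzureHound-style tenant walk lists wholesale (Entra ID objects).
DIRECTORY_COLLECTIONS = {"users", "groups", "applications", "devices",
                         "servicePrincipals", "directoryRoles"}
MAILBOX_COLLECTIONS = {"messages", "mailFolders", "drive"}   # mailbox / file reads

def classify(uri):
    """Map a Graph request URI to ('directory'|'mailbox'|'other', collection)."""
    path = uri.split("graph.microsoft.com/", 1)[-1].split("?", 1)[0]
    segs = [s for s in path.split("/") if s][1:]             # drop 'v1.0' / 'beta'
    mail = [s for s in segs if s in MAILBOX_COLLECTIONS]
    if mail:
        return ("mailbox", mail[0])
    if len(segs) == 1 and segs[0] in DIRECTORY_COLLECTIONS:  # whole-collection listing
        return ("directory", segs[0])
    return ("other", segs[0] if segs else "")

def find_bulk_enumeration(records, window=timedelta(minutes=10),
                          min_directory_kinds=4, min_mailbox_requests=25):
    """records: (iso_timestamp, principal, request_uri). Returns {principal: reasons} for
    principals that, inside some sliding `window`, listed >= min_directory_kinds distinct
    directory collections or issued >= min_mailbox_requests mailbox/file reads."""
    by_principal = defaultdict(list)
    for ts, principal, uri in records:
        by_principal[principal].append((datetime.fromisoformat(ts), classify(uri)))
    findings = defaultdict(set)
    for principal, reqs in by_principal.items():
        reqs.sort()
        start = 0
        for end, (t_end, _) in enumerate(reqs):
            while t_end - reqs[start][0] > window:            # slide the window start
                start += 1
            inside = [kind for _, kind in reqs[start:end + 1]]
            if len({c for k, c in inside if k == "directory"}) >= min_directory_kinds:
                findings[principal].add("directory-enumeration")
            if sum(k == "mailbox" for k, _ in inside) >= min_mailbox_requests:
                findings[principal].add("bulk-mailbox-access")
    return dict(findings)

def constructed_log():
    """Constructed sample, not real telemetry: one normal user and one principal
    that walks the directory, then reads 40 different mailboxes within minutes."""
    t0, g = datetime(2024, 10, 1, 9, 0), "https://graph.microsoft.com/v1.0/"
    rows = [((t0 + timedelta(minutes=12 * i)).isoformat(), "alice@example.test",
             g + "me/messages?$top=10") for i in range(5)]
    rows += [((t0 + timedelta(seconds=30 * i)).isoformat(), "svc-sync@example.test",
              g + f"{c}?$top=999") for i, c in enumerate(sorted(DIRECTORY_COLLECTIONS))]
    rows += [((t0 + timedelta(minutes=5, seconds=7 * i)).isoformat(), "svc-sync@example.test",
              g + f"users/user{i}@example.test/messages?$top=50") for i in range(40)]
    return rows
```

Only the principal that lists six directory collections and then touches 40 mailboxes inside the window is reported; the user reading their own mailbox a few times an hour is not.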