A previously unknown team of Russian government-backed hackers is targeting critical infrastructure organizations in multiple sectors to collect intelligence for Moscow, Microsoft and the Dutch government said in separate reports published Tuesday.
The group, which Microsoft calls Void Blizzard and the Dutch intelligence services call Laundry Bear, has been using stolen credentials and automated bulk-email collection from cloud services to scoop up data on NATO member states and Ukraine.
“Void Blizzard’s cyberespionage operations tend to be highly targeted at specific organizations of interest to the Russian government, including in government, defense, transportation, media, non-governmental organizations (NGOs), and healthcare sectors primarily in Europe and North America,” Microsoft said in a blog post.
Two Dutch intelligence services, the AIVD and the MIVD, said in a statement that the hacker team had breached several Dutch government agencies including the national police force, from which it has stolen employee contact information.
Laundry Bear has targeted defense contractors, aerospace companies, and other firms that produce military equipment, likely to “obtain sensitive information relating to the procurement and production of military goods by Western governments, and weapons deliveries to Ukraine from Western countries,” the Dutch government said. The intelligence agencies said the threat group appears to have inside information about the supply chain dependencies of the companies manufacturing weapons for Ukraine.
Microsoft has seen the group targeting an even wider range of firms, including in the communications, healthcare, education, media, nonprofit and transportation sectors. In October, the hackers breached “a Ukrainian aviation organization” that other Russian operatives had previously tried to penetrate, according to Microsoft.
Living off the land
The new disclosures further highlight Moscow’s intense focus on disrupting Ukrainian supply logistics. Last week, the U.S. and 10 of its allies warned that Russia’s infamous Fancy Bear unit was also trying to disrupt the flow of weapons to Kyiv. Russia has intensified its cyber operations since expanding its ground invasion of Ukraine in February 2022.
Laundry Bear “has successfully managed to fly below the radar by employing simple attack methods and attack vectors involving tools which are readily available on victims’ computers,” the Dutch government said, adding that the hackers have been “difficult for organisations to detect and distinguish from other known Russian threat actors.”
So-called living-off-the-land techniques have given the attackers extensive access to organizations’ files. According to Microsoft, the group “abuses legitimate cloud APIs” to list and exfiltrate data from any mailboxes available to the compromised user, which sometimes includes “mailboxes and folders belonging to other users who have granted other users read permissions.”
Laundry Bear’s tactics have been evolving, Microsoft said. In April, the group started crafting unique spear-phishing messages to steal targets’ passwords. And in “a small number” of intrusions, the company said, the attackers accessed Teams chat messages and meetings.
While disrupting Ukraine’s military supply lines appears to be Laundry Bear’s primary objective, it has other missions as well. The Dutch government said the hackers have targeted companies producing technologies that are currently off limits to Russia due to international sanctions, although the officials added that “it is not possible to say with certainty what the exact goals of these espionage attacks might be.”
Microsoft recommends that organizations use multifactor authentication, risk-based sign-in policies, consolidated identity management systems, least-privilege account access principles and regular email activity-logging, which it says are effective defense techniques for blocking and detecting threat actors like Laundry Bear.
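The collection technique described above (a compromised account enumerating and reading other users' mailboxes through ordinary cloud mail APIs) leaves traces in exactly the mailbox activity logs Microsoft recommends keeping. The following is an added detection example, not code from Microsoft, the Dutch agencies or the article; the audit records are constructed, and their field names (acting account, mailbox owner, timestamp, item count) are assumptions modelled loosely on cloud mailbox audit events rather than any vendor's exact schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Field names are assumptions:
# "actor" is the signed-in account, "mailbox" is whose mailbox was read.
SAMPLE_EVENTS = [
    {"ts": "2025-05-20T08:00:05Z", "actor": "alice@example.org", "mailbox": "alice@example.org", "items": 4},
    {"ts": "2025-05-20T08:00:40Z", "actor": "alice@example.org", "mailbox": "bob@example.org", "items": 180},
    {"ts": "2025-05-20T08:01:15Z", "actor": "alice@example.org", "mailbox": "carol@example.org", "items": 210},
    {"ts": "2025-05-20T08:02:02Z", "actor": "alice@example.org", "mailbox": "dave@example.org", "items": 160},
    {"ts": "2025-05-20T09:30:00Z", "actor": "erin@example.org", "mailbox": "erin@example.org", "items": 12},
    {"ts": "2025-05-20T09:31:00Z", "actor": "erin@example.org", "mailbox": "frank@example.org", "items": 2},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_bulk_delegated_reads(events, window=timedelta(minutes=10), min_items=300, min_mailboxes=2):
    """Return one alert per actor whose reads of *other* users' mailboxes, inside any
    sliding time window, reach min_items items spread over at least min_mailboxes mailboxes.
    Reads of the actor's own mailbox are normal and ignored; a single delegated mailbox
    read by an assistant stays under the mailbox threshold."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["mailbox"].lower() != ev["actor"].lower():
            by_actor[ev["actor"]].append((_parse(ev["ts"]), ev["mailbox"].lower(), ev["items"]))
    alerts = []
    for actor, reads in by_actor.items():
        reads.sort()  # chronological; tuples sort by timestamp first
        start = 0
        for end in range(len(reads)):
            while reads[end][0] - reads[start][0] > window:  # slide the window forward
                start += 1
            span = reads[start:end + 1]
            items = sum(r[2] for r in span)
            boxes = {r[1] for r in span}
            if items >= min_items and len(boxes) >= min_mailboxes:
                alerts.append({"actor": actor, "items": items, "mailboxes": sorted(boxes),
                               "first": span[0][0].isoformat(), "last": span[-1][0].isoformat()})
                break  # one alert per actor is enough for triage
    return alerts


if __name__ == "__main__":
    for a in find_bulk_delegated_reads(SAMPLE_EVENTS):
        print(f"{a['actor']} read {a['items']} items from {len(a['mailboxes'])} other "
              f"mailboxes between {a['first']} and {a['last']}")
```

The thresholds are starting points to tune against a tenant's baseline; the signal worth keeping is the combination of volume, breadth across mailbox owners and speed, which separates bulk collection from a delegate reading one shared inbox.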
John Hultquist, the chief analyst at Google's Threat Intelligence Group, said it was notable that even Russia's most important operations relied on commonplace attack techniques.
"This is another reminder that the criminal ecosystem is a powerful force multiplier for Russian cyber espionage actors. They routinely make use of the accesses that are developed through the normal course of criminal activity," Hultquist told Cybersecurity Dive via email.
Editor’s note: This story has been updated to include comments provided by Google.