New Russian Cyber Threat ‘Laundry Bear’ Targets the West

New Russian Cyber Threat Exposed: Laundry Bear and Void Blizzard

Recent warnings from Dutch intelligence officials and Microsoft have highlighted a concerning new cyber threat actor from Russia, dubbed Laundry Bear by Dutch authorities and Void Blizzard by Microsoft. This group appears to be engaged in a sophisticated espionage campaign targeting Western organizations, particularly within military and high-tech sectors.

Understanding Laundry Bear’s Objectives

Laundry Bear, as outlined in a joint advisory from the Netherlands General Intelligence and Security Service (AIVD) and the Netherlands Defense Intelligence and Security Service (MIVD), is not just another hacking group. This actor has reportedly gained access to sensitive information from a broad range of entities worldwide, with a pointed interest in organizations linked to the European Union and NATO member states.

In particular, Laundry Bear focuses on cloud-based email environments, especially Microsoft Exchange. Its methods include large-scale email theft and the collection of detailed information about organizational contacts, such as the Global Address List (GAL). In some instances, the group has also infiltrated cloud servers to extract various types of files.

Targeting High-Tech and Defense Industries

In 2024, Laundry Bear escalated its efforts, targeting defense contractors, aerospace firms, and other advanced technology companies integral to military production. Its aim? To gather sensitive data on the procurement and manufacture of military goods by Western governments, particularly concerning arms deliveries to Ukraine.

The advisory reveals that Laundry Bear possesses a notable understanding of the interfaces involved in producing military assets and the dependencies that surround these operations. This in-depth knowledge positions them as a serious threat to the Western defense landscape.

Expanding their Reach: Beyond Military Targets

Laundry Bear is not limited to government and defense sectors; they have also turned their attention toward civilian organizations and businesses that develop advanced technologies, especially those affected by Western sanctions. Targets often include IT and high-tech service providers catering to enterprise and governmental clients, which can encompass critical infrastructure sectors.

According to the Dutch advisory, Laundry Bear has a markedly higher success rate than other Russian threat actors currently under scrutiny, indicating a refined skill set and approach.

Attack Techniques Employed by Laundry Bear/Void Blizzard

The methods deployed by this threat actor are alarming. The group frequently employs pass-the-cookie attacks, with the stolen cookies likely sourced from infostealer malware sold on cybercriminal marketplaces. Additionally, password spraying lets the group identify accounts protected by weak or commonly used passwords, exposing gaps in organizations' security frameworks.

Once an account is compromised, Laundry Bear is capable of executing large-scale email data theft. The advisory confirms that the group has pilfered data from compromised SharePoint environments, leveraging known vulnerabilities to extract sensitive login credentials.

Remarkably, Laundry Bear tends to operate discreetly, focusing on exploiting existing access to Microsoft accounts without trying to expand their reach into the underlying networks. This stealthy methodology allows them to evade detection from system administrators over extended periods.

The advisory also notes similarities between Laundry Bear and a known Russian state-sponsored threat actor, APT28; however, it underscores that these are two distinct entities.

Microsoft Highlights Targeting of NGOs

In a detailed report, Microsoft shed light on an adversary-in-the-middle (AitM) spear phishing campaign orchestrated by Laundry Bear that targeted over 20 non-governmental organizations (NGOs) across Europe and the United States. The group utilized a cleverly disguised domain name to spoof the Microsoft Entra authentication portal, sending emails that contained a malicious PDF attachment linked to a fabricated invitation for the European Defense and Security Summit.

The PDF harbored a malicious QR code that redirected users to a credential phishing page imitating the Microsoft Entra portal. Microsoft has assessed that Void Blizzard employs the open-source attack framework Evilginx to run this AitM phishing campaign, stealing authentication details including usernames, passwords, and the session cookies generated by the server.

Additionally, Microsoft reported that the threat actor accessed Microsoft Teams communications through the web client, further showcasing their ability to infiltrate compromised organizations.

Strategies for Protection Against Laundry Bear/Void Blizzard

In response to this emerging threat, both the Dutch intelligence agencies and Microsoft have shared comprehensive guidelines for organizations seeking to safeguard themselves. These recommendations include:

  • Implementing automated responses to risky sign-ins
  • Utilizing multi-factor authentication
  • Managing identities with centralized single sign-on systems
  • Adopting zero-trust principles
  • Enforcing cookie expiration and rebinding protocols
  • Conducting thorough audits and anomaly detection processes

By following these practices, organizations can enhance their cybersecurity posture and mitigate the risks posed by Laundry Bear and similar threat actors.
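The two account-level techniques described above, password spraying and pass-the-cookie session replay, both leave traces in cloud sign-in logs, which is what the "anomaly detection" and "automated responses to risky sign-ins" recommendations rely on. The following detection logic is an added example, not code from the advisory or from Microsoft; it runs over constructed sign-in records shaped like Entra ID sign-in log entries (field names and values are hypothetical) and flags a source IP that fails against many distinct accounts in a short window, and a session id that is reused from a second IP or user agent.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (hypothetical; field names are
# simplified from the shape of Entra ID sign-in logs, not real log data).
SIGNINS = [
    {"ts": "2025-05-20T08:00:05", "user": "alice@example.org", "ip": "203.0.113.9", "ua": "Firefox/126", "ok": True, "sid": "s-alice-1"},
    # Same session cookie presented minutes later from a new IP and browser: replay pattern.
    {"ts": "2025-05-20T08:03:10", "user": "alice@example.org", "ip": "198.51.100.7", "ua": "Chrome/124", "ok": True, "sid": "s-alice-1"},
    # One source IP failing against five different accounts within a few minutes: spray pattern.
    {"ts": "2025-05-20T09:00:00", "user": "u1@example.org", "ip": "192.0.2.44", "ua": "python-requests", "ok": False, "sid": None},
    {"ts": "2025-05-20T09:01:00", "user": "u2@example.org", "ip": "192.0.2.44", "ua": "python-requests", "ok": False, "sid": None},
    {"ts": "2025-05-20T09:02:00", "user": "u3@example.org", "ip": "192.0.2.44", "ua": "python-requests", "ok": False, "sid": None},
    {"ts": "2025-05-20T09:03:00", "user": "u4@example.org", "ip": "192.0.2.44", "ua": "python-requests", "ok": False, "sid": None},
    {"ts": "2025-05-20T09:04:00", "user": "u5@example.org", "ip": "192.0.2.44", "ua": "python-requests", "ok": False, "sid": None},
    # A single typo from a legitimate user should not be flagged.
    {"ts": "2025-05-20T09:30:00", "user": "bob@example.org", "ip": "203.0.113.9", "ua": "Firefox/126", "ok": False, "sid": None},
]


def parse_ts(ev):
    return datetime.fromisoformat(ev["ts"])


def detect_password_spray(events, min_users=5, window=timedelta(minutes=10)):
    """Return {ip: distinct_users} for IPs whose failed sign-ins hit
    at least `min_users` different accounts inside any `window`."""
    failures_by_ip = defaultdict(list)
    for ev in events:
        if not ev["ok"]:
            failures_by_ip[ev["ip"]].append(ev)
    flagged = {}
    for ip, fails in failures_by_ip.items():
        fails.sort(key=parse_ts)
        for i, start in enumerate(fails):  # sliding window anchored at each failure
            users = {e["user"] for e in fails[i:] if parse_ts(e) - parse_ts(start) <= window}
            if len(users) >= min_users:
                flagged[ip] = len(users)
                break
    return flagged


def detect_session_replay(events):
    """Return {session_id: [(ip, ua), ...]} for sessions used successfully
    from more than one IP/user-agent pair, the signature of a replayed cookie."""
    seen = defaultdict(set)
    for ev in events:
        if ev["ok"] and ev["sid"]:
            seen[ev["sid"]].add((ev["ip"], ev["ua"]))
    return {sid: sorted(pairs) for sid, pairs in seen.items() if len(pairs) > 1}
```

In production the session check should also consider geolocation and device binding (token protection), since a replayed cookie presented from an attacker-controlled host can otherwise pass MFA entirely.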
