lab52

The threat intelligence division of S2 Grupo


Some thoughts about Laundry Bear

May 27, 2025

Today, Dutch intelligence (AIVD and MIVD) and Microsoft have published two reports unveiling a potential new Russian threat actor: Laundry Bear, or Void Blizzard. This actor was discovered through a recent compromise of the Dutch Police, and it has been targeting Western organizations since at least 2024, including armed forces, government organizations and defense contractors, among others. Although Dutch intelligence highlights that a complete picture of this threat actor and its activities has not yet been formed, they publish their report to raise awareness among allies (well done!).

Laundry Bear does not perform cyberspace attack operations, but only cyberspace exploitation ones; namely, cyber espionage. It performs its espionage activities by abusing cloud e-mail environments, particularly Exchange, through compromised user accounts and without elevating privileges. Simplifying, Laundry Bear gets a valid account, for example from a black market, and uses it to steal e-mails and some files.

Geographical targets of Laundry Bear include “the West”: European Union and NATO countries. Other targeted regions are East and Central Asia, although these appear marginal. Among EU and NATO countries, Laundry Bear focuses on targets relevant to Russia’s war efforts in Ukraine, particularly in the defense sector: Ministries of Defense, Ministries of Foreign Affairs, defense contractors, etc. Laundry Bear is interested in military production and, according to Dutch intelligence, appears to have some degree of knowledge about the production and delivery of military goods and the corresponding dependencies.

Beyond the military, Laundry Bear has also targeted civilian organizations and businesses, particularly in high-tech sectors (which could be related to the government and the military). The group also targets critical infrastructure, non-governmental organizations, political parties, media, healthcare and educational entities, among others, always with espionage goals.

Laundry Bear’s operations are quick, and they are almost certainly performed with some level of automation, efficiently organized and with a high number of successful compromises. Like every threat actor, to perform these operations Laundry Bear develops a set of tactics and techniques. The associated techniques are simple ones. Laundry Bear does not use custom malware, and of course no zero-day exploits. It uses Living-off-the-Land techniques, including password spraying (abusing stolen credentials published online following data breaches). Once access is obtained, Laundry Bear downloads information without elevating privileges, including the Microsoft Exchange Global Address List (GAL). The GAL allows the threat actor to move laterally, gaining access to other accounts through password spraying. In addition to e-mail gathering, Laundry Bear can exploit known vulnerabilities in SharePoint servers to steal data.
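As an added example (not from the Lab52 post nor from the AIVD/MIVD or Microsoft reports), the following is a defender-side check for the pattern described above: one source address failing sign-ins against many distinct accounts in a short window, followed by a successful sign-in from that same address, which is what a compromised valid account looks like in a cloud e-mail tenant. It runs over constructed sample events and assumes a simplified record shape (time, user, ip, ok) rather than any vendor’s real sign-in log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real data), shaped like cloud e-mail
# sign-in logs: one source address tries a password against many distinct
# accounts, one of which later succeeds; a second address is a user mistyping.
SPRAY_IP, BENIGN_IP = "203.0.113.10", "198.51.100.7"
SIGNIN_LOG = [
    {"time": f"2025-05-20T08:{5 * i:02d}:00", "user": f"user{i}@example.org",
     "ip": SPRAY_IP, "ok": False}
    for i in range(6)
] + [
    {"time": "2025-05-20T09:10:00", "user": "user3@example.org", "ip": SPRAY_IP, "ok": True},
    {"time": "2025-05-20T08:00:00", "user": "c.lee@example.org", "ip": BENIGN_IP, "ok": False},
    {"time": "2025-05-20T08:01:00", "user": "c.lee@example.org", "ip": BENIGN_IP, "ok": False},
    {"time": "2025-05-20T08:02:00", "user": "c.lee@example.org", "ip": BENIGN_IP, "ok": True},
]


def detect_password_spray(records, min_accounts=5, window=timedelta(hours=1)):
    """Flag source IPs whose failed sign-ins hit at least `min_accounts` distinct
    accounts inside `window`, and list accounts that later succeeded from the
    same IP (candidates for a compromised valid account)."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append((datetime.fromisoformat(r["time"]), r["user"], r["ok"]))
    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        fails = [(t, u) for t, u, ok in events if not ok]
        spray_start, lo = None, 0
        for hi in range(len(fails)):          # sliding window over failures
            while fails[hi][0] - fails[lo][0] > window:
                lo += 1
            if len({u for _, u in fails[lo:hi + 1]}) >= min_accounts:
                spray_start = fails[lo][0]    # first failure of the spray window
                break
        if spray_start is None:
            continue                          # repeated typos by one user are not a spray
        findings[ip] = {
            "accounts_targeted": len({u for _, u in fails}),
            "spray_started": spray_start.isoformat(),
            "succeeded_after_spray": sorted({u for t, u, ok in events
                                             if ok and t >= spray_start}),
        }
    return findings
```

Accounts listed under succeeded_after_spray are the ones to treat as compromised: revoke sessions, reset credentials and review mailbox and GAL access from that address.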

Dutch intelligence states that the attack vectors used by Laundry Bear, which are not particularly complex, hinder attribution. They have observed certain similarities between Laundry Bear’s operations and the modus operandi of APT28. However, they conclude that Laundry Bear and APT28 are two distinct threat actors. Microsoft links Laundry Bear’s targets with those of Sandworm Team and APT28.

From the information published by Dutch intelligence and Microsoft, and bearing in mind that the simple techniques used by Laundry Bear hinder its attribution, it is possible to state that:

  • Almost certainly, Laundry Bear is a threat actor sponsored by the Russian government. The targeted sectors and geographical regions are aligned with Russian interests, again with a focus on Ukraine. In addition, the targeting of NGOs is aligned with strategically motivated threat actors, particularly state-sponsored ones.
  • Probably, Laundry Bear is linked to the Russian GRU. Its special interest in the military, and its knowledge of the military market, increase the probability that it is a military intelligence threat actor. However, other Russian threat actors outside the GRU have also been targeting the military, including Turla or Gamaredon (FSB) and APT29 (SVR).
  • There is a roughly even chance that Laundry Bear is a new threat actor. The simple techniques used by Laundry Bear are commonly used by other threat actors, even advanced ones. From the published information, it is not possible to state with high confidence that we are facing a new threat actor.

Summarizing, Laundry Bear (or Void Blizzard) is a Russian threat actor, probably linked to the GRU, but it remains unclear whether it is a new group or is linked to the cyberspace operations units of the Russian intelligence services (particularly GRU units 26165, 74455 or 29155). We are sure that Dutch intelligence or Microsoft will soon release new intelligence regarding this threat actor.

BigBoss
