Full Report
Laundry Bear, a group recently identified by Dutch intelligence and security services, stole work-related contact details of staff at the Netherlands’ national police force in September 2024, Microsoft researchers said. The post New Russian state-sponsored APT quickly gains global reach, hitting expansive targets appeared first on CyberScoop.
Analysis Summary
# Threat Actor: Laundry Bear / Void Blizzard
## Attribution & Identity
- **Attribution:** Russian state-sponsored APT group.
- **Known Aliases and Associated Groups:** Microsoft tracks this group as **Void Blizzard**. Identified by Dutch intelligence and security services.
## Activity Summary
Laundry Bear/Void Blizzard has been active since at least mid-2024, rapidly gaining global reach through an active espionage campaign supporting Moscow's interests. They have successfully infiltrated and stolen data from numerous organizations across various sectors globally, especially within NATO member states and Ukraine. A notable recent operation involved infiltrating the Netherlands’ national police force in September 2024 and stealing work-related contact details concerning police staff.
## Tactics, Techniques & Procedures
- **Initial Access:** Lacks sophistication, relying on stolen credentials (likely procured from commodity infostealer ecosystems) and performing password spray attacks.
- **Lateral Movement/Action on Objectives:** Once inside, uses the stolen credentials to reach **Exchange and SharePoint Online**, where most of the observed activity takes place.
- **Data Collection:** Abuses legitimate cloud APIs to sift through mailboxes and cloud-hosted files.
- **Data Exfiltration:** Automates bulk theft of cloud-hosted data.
- **Espionage:** Has accessed Microsoft Teams conversations and messages, and cataloged Microsoft Entra ID configurations.
- **Note on TTPs:** Researchers noted that while their TTPs are not unique or necessarily advanced, their widespread success highlights the danger of determined actors leveraging even unsophisticated methods.
- **MITRE ATT&CK IDs:** Not explicitly provided in the summary.
## Targeting
- **Sectors:** Government agencies, defense suppliers, critical infrastructure providers, communications, IT, health care, education, media, and transportation.
- **Geography:** Global reach, with specific targeting noted in NATO member states and Ukraine.
- **Victims:** Netherlands’ national police force (stole work-related contact details), multiple government organizations, and multiple companies worldwide.
## Tools & Infrastructure
- **Malware Families Used:** Not specified in the article content provided.
- **Infrastructure (C2, domains, IPs):** Reporting centers on abuse of legitimate cloud services (Exchange, SharePoint Online, Microsoft Teams, Microsoft Entra ID); no custom C2 infrastructure is detailed.
## Implications
This actor poses an enduring threat: relatively unsophisticated, credential-based TTPs are applied persistently by a determined, state-sponsored entity. Their primary objective is intelligence gathering concerning Western military support for Ukraine, indicating a direct link to geopolitical motivations. The success against critical sectors suggests a significant reconnaissance capability targeting military supply chains.
## Mitigations
- Focus on robust defense against credential theft (e.g., multi-factor authentication, strong credential hygiene).
- Monitor and investigate suspicious access related to legitimate cloud APIs, Exchange, and SharePoint Online instances.
- Implement protections to limit the efficacy of password spray attacks.
- Enhance monitoring around attempts to enumerate or catalog Microsoft Entra ID configurations.
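The second and third mitigations above (watching for password spray and for suspicious follow-on access to cloud services) can be turned into a concrete detection. The script below is an added example, not code from the article or from Microsoft's research: it runs over constructed sign-in records shaped like Entra ID sign-in log entries (field names follow the Microsoft Graph `signIn` resource: `userPrincipalName`, `ipAddress`, `status.errorCode`, `createdDateTime`, `appDisplayName`), flags any source IP whose failed sign-ins hit many distinct accounts inside a short window, and then surfaces successful sign-ins from those same sources, which is the single hit a spray campaign is after. The IPs, accounts, timestamps and the thresholds (5 accounts in 30 minutes) are assumptions chosen for the demonstration.

```python
"""Password-spray and follow-on-access detection over Entra ID-style sign-in records.

Added example; the records below are constructed (documentation IP ranges,
placeholder accounts) and the thresholds are assumptions, not vendor guidance.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Entra ID sign-in log error codes: 0 = success, 50126 = invalid username or password.
SUCCESS = 0
INVALID_CREDENTIALS = 50126


def _rec(t, upn, ip, code, app):
    """Build one sign-in record with the subset of Graph signIn fields we need."""
    return {"createdDateTime": t, "userPrincipalName": upn, "ipAddress": ip,
            "status": {"errorCode": code}, "appDisplayName": app}


# Constructed sample: one source sprays six accounts in ten minutes and lands one of
# them; a second source is a single user mistyping their own password, then succeeding.
SAMPLE_SIGNINS = [
    _rec("2024-09-10T09:00:00Z", "a.one@example.com",   "203.0.113.10", INVALID_CREDENTIALS, "Office 365 Exchange Online"),
    _rec("2024-09-10T09:02:00Z", "b.two@example.com",   "203.0.113.10", INVALID_CREDENTIALS, "Office 365 Exchange Online"),
    _rec("2024-09-10T09:04:00Z", "c.three@example.com", "203.0.113.10", INVALID_CREDENTIALS, "Office 365 Exchange Online"),
    _rec("2024-09-10T09:06:00Z", "d.four@example.com",  "203.0.113.10", INVALID_CREDENTIALS, "Office 365 Exchange Online"),
    _rec("2024-09-10T09:08:00Z", "e.five@example.com",  "203.0.113.10", INVALID_CREDENTIALS, "Office 365 Exchange Online"),
    _rec("2024-09-10T09:10:00Z", "f.six@example.com",   "203.0.113.10", INVALID_CREDENTIALS, "Office 365 Exchange Online"),
    _rec("2024-09-10T09:12:00Z", "f.six@example.com",   "203.0.113.10", SUCCESS,             "Office 365 SharePoint Online"),
    _rec("2024-09-10T09:00:00Z", "g.seven@example.com", "198.51.100.5", INVALID_CREDENTIALS, "Office 365 Exchange Online"),
    _rec("2024-09-10T09:01:00Z", "g.seven@example.com", "198.51.100.5", INVALID_CREDENTIALS, "Office 365 Exchange Online"),
    _rec("2024-09-10T09:02:00Z", "g.seven@example.com", "198.51.100.5", INVALID_CREDENTIALS, "Office 365 Exchange Online"),
    _rec("2024-09-10T09:03:00Z", "g.seven@example.com", "198.51.100.5", SUCCESS,             "Office 365 Exchange Online"),
]


def parse_time(value):
    """Parse the ISO-8601 'Z' timestamps used in sign-in logs into aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_password_spray(records, min_distinct_users=5, window=timedelta(minutes=30)):
    """Return {ip: sorted distinct accounts} for sources whose failed sign-ins
    touch at least min_distinct_users different accounts within any window.

    Spray is 'few passwords, many accounts', so the signal is distinct accounts
    per source, not attempts per account (which is what lockout policies see)."""
    failures_by_ip = defaultdict(list)
    for r in records:
        if r["status"]["errorCode"] == INVALID_CREDENTIALS:
            failures_by_ip[r["ipAddress"]].append((parse_time(r["createdDateTime"]), r["userPrincipalName"]))

    findings = {}
    for ip, events in failures_by_ip.items():
        events.sort()
        flagged = set()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_distinct_users:
                flagged |= users
        if flagged:
            findings[ip] = sorted(flagged)
    return findings


def successful_signins_from_spray_sources(records, spray_findings):
    """Successful sign-ins originating from an IP already flagged as a spray source.
    These are the accounts to treat as compromised and the sessions to revoke."""
    return [(r["userPrincipalName"], r["ipAddress"], r["appDisplayName"])
            for r in records
            if r["ipAddress"] in spray_findings and r["status"]["errorCode"] == SUCCESS]


if __name__ == "__main__":
    spray = detect_password_spray(SAMPLE_SIGNINS)
    for ip, users in spray.items():
        print(f"spray source {ip}: {len(users)} accounts targeted -> {users}")
    for upn, ip, app in successful_signins_from_spray_sources(SAMPLE_SIGNINS, spray):
        print(f"follow-on access: {upn} from {ip} to {app}")
```

The second source (`198.51.100.5`) is deliberately not flagged even though it produces three failures: they all belong to one account, which is the lockout-policy case rather than a spray. In production the same logic would read from the Graph sign-in API or a SIEM export, and the success check would be worth widening to the application names the summary calls out (Exchange, SharePoint Online, Teams) so that a spray source that lands on a cloud-file or mailbox app is escalated first.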