CyberSecurity news
FlagThis
@www.helpnetsecurity.com
//
A newly identified Russian cyber-espionage group, known as Laundry Bear by Dutch intelligence and Void Blizzard by Microsoft, has been actively targeting Western organizations since at least April 2024. This group is believed to be backed by the Russian government and is primarily focused on gathering intelligence to support Russian strategic interests. Laundry Bear's targets include government entities, defense contractors, aerospace firms, and high-tech businesses in Europe and North America, particularly those supporting Ukraine. The group's activities suggest an interest in sensitive information related to military goods, weapons deliveries, and advanced technologies that are difficult for Russia to acquire due to Western sanctions.
The primary objective of Laundry Bear is to steal sensitive emails and files from compromised systems. They achieve this by targeting cloud-based email environments, specifically Microsoft Exchange. The group employs a range of techniques, including pass-the-cookie attacks, password spraying, and spear phishing aimed at credential theft. Notably, the Dutch intelligence services identified Laundry Bear during an investigation into a credential-stealing attack against the Dutch National Police in September 2024. During this attack, Laundry Bear gained access to an account belonging to a Dutch police employee by using a stolen session cookie to obtain work-related contact information of other police employees.
Microsoft has also observed Laundry Bear targeting critical sectors such as government, defense, transportation, media, NGOs, and healthcare, with a focus on organizations in Europe, North America, NATO member states, and Ukraine. The group frequently gains access by using stolen credentials, likely purchased from online marketplaces. Despite employing relatively simple attack methods and readily available tools, Laundry Bear has achieved a high success rate due to quick-paced cyber operations and efficient automation. Microsoft recommends organizations implement robust security measures to defend against such threats.
ImgSrc: img.helpnetsecu
References :
The primary objective of Laundry Bear is to steal sensitive emails and files from compromised systems. They achieve this by targeting cloud-based email environments, specifically Microsoft Exchange. The group employs a range of techniques, including pass-the-cookie attacks, password spraying, and spear phishing aimed at credential theft. Notably, the Dutch intelligence services identified Laundry Bear during an investigation into a credential-stealing attack against the Dutch National Police in September 2024. During this attack, Laundry Bear gained access to an account belonging to a Dutch police employee by using a stolen session cookie to obtain work-related contact information of other police employees.
Microsoft has also observed Laundry Bear targeting critical sectors such as government, defense, transportation, media, NGOs, and healthcare, with a focus on organizations in Europe, North America, NATO member states, and Ukraine. The group frequently gains access by using stolen credentials, likely purchased from online marketplaces. Despite employing relatively simple attack methods and readily available tools, Laundry Bear has achieved a high success rate due to quick-paced cyber operations and efficient automation. Microsoft recommends organizations implement robust security measures to defend against such threats.
ImgSrc: img.helpnetsecu
Share:
References :
- The Hacker News: Microsoft has shed light on a previously undocumented cluster of malicious activity originating from a Russia-affiliated threat actor dubbed Void Blizzard (aka Laundry Bear) that it said is attributed to worldwide cloud abuse.
- www.helpnetsecurity.com: Microsoft, Dutch security agencies lift veil on Laundry Bear cyber espionage group
- Threats | CyberScoop: New Russian state-sponsored APT quickly gains global reach, hitting expansive targets
- therecord.media: Recent attacks on institutions in the Netherlands were the work of a previously unknown Russian hacking group that Dutch intelligence agencies are labeling Laundry Bear. Microsoft also reported on the group, naming it Void Blizzard.
- www.microsoft.com: Microsoft Threat Intelligence has discovered a cluster of worldwide cloud abuse activity conducted by a threat actor we track as Void Blizzard, who we assess with high confidence is Russia-affiliated and has been active since at least April 2024. Void Blizzard’s cyberespionage operations tend to be highly targeted at specific organizations of interest to Russia, including in government, defense, transportation, media, non-governmental organizations (NGOs), and healthcare sectors primarily in Europe and North America. The post appeared first on Microsoft Security Blog.
- www.defensie.nl: Onbekende Russische groep achter hacks Nederlandse doelen - Unknown Russian group behind hacks of Dutch targets - "is behind the hacks on several Dutch organizations, including the police in September 2024.
- Help Net Security: Microsoft, Dutch security agencies lift veil on Laundry Bear cyber espionage group
- thecyberexpress.com: New Russian Cyber Threat ‘Laundry Bear’ Hits Western Targets
- www.csoonline.com: New Russian APT group Void Blizzard targets NATO-based orgs after infiltrating Dutch police
- The Register - Security: New Russian cyber-spy crew Laundry Bear joins the email-stealing pack
- securityonline.info: Void Blizzard: New Russian Cyberespionage Group Targets NATO and Ukraine
- securityonline.info: Void Blizzard: New Russian Cyberespionage Group Targets NATO and Ukraine
- securityaffairs.com: Russia-linked APT Laundry Bear linked to 2024 Dutch Police attack
- industrialcyber.co: Microsoft details Void Blizzard as Russian cyber threat targeting global critical infrastructure
- Virus Bulletin: Microsoft Threat Intelligence, in colaboration with Dutch security organizations AIVD & MIVD, observed Void Blizzard (a.k.a. LAUNDRY BEAR) conducting espionage operations primarily targeting organizations that are important to Russian government objectives.
- Industrial Cyber: Microsoft details Void Blizzard as Russian cyber threat targeting global critical infrastructure
- www.cybersecuritydive.com: Microsoft, Dutch government spot new Russian hacking group targeting critical infrastructure
- Metacurity: Russian group Laundry Bear hacked Dutch police, targets Ukraine-allied nations
- www.metacurity.com: Russian group Laundry Bear hacked Dutch police, targets Ukraine-allied nations
- Vulnerable U: Void Blizzard hackers raid NATO cloud tenants with Evilginx phishing
- Danny Palmer: A new Russian APT (LAUNDRY BEAR) is tearing through defence and government entities in NATO member states using stripped back and heavily automated threat techniques that nonetheless went widely undetected until they were spotted by the Dutch police, the Netherlands’s security services revealed.
- The Record: Recent attacks on institutions in the Netherlands were the work of a previously unknown Russian hacking group that Dutch intelligence agencies are labeling Laundry Bear. Microsoft also reported on the group, naming it Void Blizzard.
- www.scworld.com: Russian hackers Void Blizzard step up espionage campaign
- The Hacker News: Russia-Linked Hackers Target Tajikistan Government with Weaponized Word Documents
Classification:
- HashTags: #RussianHackers #CyberEspionage #APT
- Company: Dutch Intelligence
- Target: Dutch Police, NATO member states
- Attacker: Laundry Bear (Void Blizzard)
- Product: Microsoft Exchange
- Feature: pass-the-cookie
- Malware: Evilginx
- Type: Espionage
- Severity: Major