@www.helpnetsecurity.com
//
A newly identified Russian cyber-espionage group, known as Laundry Bear by Dutch intelligence and Void Blizzard by Microsoft, has been actively targeting Western organizations since at least April 2024. This group is believed to be backed by the Russian government and is primarily focused on gathering intelligence to support Russian strategic interests. Laundry Bear's targets include government entities, defense contractors, aerospace firms, and high-tech businesses in Europe and North America, particularly those supporting Ukraine. The group's activities suggest an interest in sensitive information related to military goods, weapons deliveries, and advanced technologies that are difficult for Russia to acquire due to Western sanctions.
The primary objective of Laundry Bear is to steal sensitive emails and files from compromised systems. They achieve this by targeting cloud-based email environments, specifically Microsoft Exchange. The group employs a range of techniques, including pass-the-cookie attacks, password spraying, and spear phishing aimed at credential theft. Notably, the Dutch intelligence services identified Laundry Bear during an investigation into a credential-stealing attack against the Dutch National Police in September 2024. During this attack, Laundry Bear gained access to an account belonging to a Dutch police employee by using a stolen session cookie to obtain work-related contact information of other police employees.
Microsoft has also observed Laundry Bear targeting critical sectors such as government, defense, transportation, media, NGOs, and healthcare, with a focus on organizations in Europe, North America, NATO member states, and Ukraine. The group frequently gains access by using stolen credentials, likely purchased from online marketplaces. Despite employing relatively simple attack methods and readily available tools, Laundry Bear has achieved a high success rate due to quick-paced cyber operations and efficient automation. Microsoft recommends organizations implement robust security measures to defend against such threats.
References:
- The Hacker News: Microsoft has shed light on a previously undocumented cluster of malicious activity originating from a Russia-affiliated threat actor dubbed Void Blizzard (aka Laundry Bear) that it said is attributed to worldwide cloud abuse.
- www.helpnetsecurity.com: Microsoft, Dutch security agencies lift veil on Laundry Bear cyber espionage group
- Threats | CyberScoop: New Russian state-sponsored APT quickly gains global reach, hitting expansive targets
- therecord.media: Recent attacks on institutions in the Netherlands were the work of a previously unknown Russian hacking group that Dutch intelligence agencies are labeling Laundry Bear. Microsoft also reported on the group, naming it Void Blizzard.
- www.microsoft.com: Microsoft Threat Intelligence has discovered a cluster of worldwide cloud abuse activity conducted by a threat actor we track as Void Blizzard, who we assess with high confidence is Russia-affiliated and has been active since at least April 2024. Void Blizzard’s cyberespionage operations tend to be highly targeted at specific organizations of interest to Russia, including in government, defense, transportation, media, non-governmental organizations (NGOs), and healthcare sectors primarily in Europe and North America.
- www.defensie.nl: Unknown Russian group behind hacks of Dutch targets - "is behind the hacks on several Dutch organizations, including the police in September 2024."
- thecyberexpress.com: New Russian Cyber Threat ‘Laundry Bear’ Hits Western Targets
- www.csoonline.com: New Russian APT group Void Blizzard targets NATO-based orgs after infiltrating Dutch police
- The Register - Security: New Russian cyber-spy crew Laundry Bear joins the email-stealing pack
- securityonline.info: Void Blizzard: New Russian Cyberespionage Group Targets NATO and Ukraine
- securityaffairs.com: Russia-linked APT Laundry Bear linked to 2024 Dutch Police attack
- industrialcyber.co: Microsoft details Void Blizzard as Russian cyber threat targeting global critical infrastructure
- Virus Bulletin: Microsoft Threat Intelligence, in collaboration with Dutch security organizations AIVD & MIVD, observed Void Blizzard (a.k.a. LAUNDRY BEAR) conducting espionage operations primarily targeting organizations that are important to Russian government objectives.
- www.cybersecuritydive.com: Microsoft, Dutch government spot new Russian hacking group targeting critical infrastructure
- Metacurity: Russian group Laundry Bear hacked Dutch police, targets Ukraine-allied nations
- Vulnerable U: Void Blizzard hackers raid NATO cloud tenants with Evilginx phishing
- Danny Palmer: A new Russian APT (LAUNDRY BEAR) is tearing through defence and government entities in NATO member states using stripped-back and heavily automated threat techniques that nonetheless went widely undetected until they were spotted by the Dutch police, the Netherlands' security services revealed.
- www.scworld.com: Russian hackers Void Blizzard step up espionage campaign
- The Hacker News: Russia-Linked Hackers Target Tajikistan Government with Weaponized Word Documents
Classification:
- HashTags: #RussianHackers #CyberEspionage #APT
- Company: Dutch Intelligence
- Target: Dutch Police, NATO member states
- Attacker: Laundry Bear (Void Blizzard)
- Product: Microsoft Exchange
- Feature: pass-the-cookie
- Malware: Evilginx
- Type: Espionage
- Severity: Major
@www.volexity.com
//
Russian threat actors have been actively targeting Microsoft 365 accounts belonging to individuals and organizations with connections to Ukraine and human rights causes. These malicious actors are exploiting legitimate OAuth 2.0 authentication workflows to gain unauthorized access. Researchers at Volexity have been monitoring these campaigns since early March 2025, observing a shift in tactics from previous device code phishing attempts to methods that rely more heavily on direct interaction with targets. These new attacks involve convincing victims to click on links and provide Microsoft-generated codes.
These campaigns involve sophisticated social engineering techniques, in which attackers impersonate officials from various European nations and, in one instance, used a compromised Ukrainian Government account. The attackers use messaging apps such as Signal and WhatsApp to contact their targets, inviting them to join fake video calls or register for private meetings with European political figures or Ukraine-related events. The goal is to lure victims into clicking links hosted on Microsoft 365 infrastructure, ultimately tricking them into sharing Microsoft authorization codes.
Volexity is tracking at least two suspected Russian threat actors, identified as UTA0352 and UTA0355, believed to be behind these attacks. The primary tactic involves requesting Microsoft Authorization codes from victims, which then allows the attackers to join attacker-controlled devices to Entra ID (formerly Azure AD) and download emails and other account-related data. This activity demonstrates a continuous effort by Russian threat actors to refine their techniques and circumvent security measures, highlighting the ongoing threat to individuals and organizations associated with Ukraine and human rights.
References:
- cyberpress.org: Cybersecurity firm Volexity has identified a series of sophisticated cyberattacks orchestrated by Russian threat actors abusing Microsoft’s OAuth 2.0 authentication workflows.
- securityonline.info: Russian Hackers Abuse Microsoft 365 OAuth in Sophisticated Phishing Attacks
- The Hacker News: Russian Hackers Exploit Microsoft OAuth to Target Ukraine Allies via Signal and WhatsApp
- www.volexity.com: Volexity blog on Russian Threat Actors Target Microsoft 365 Using OAuth Authorization Code Theft
- Virus Bulletin: Volexity researchers observed multiple Russian threat actors targeting individuals & organizations with ties to Ukraine and human rights. These recent attacks use a new technique aimed at abusing legitimate Microsoft OAuth 2.0 Authentication workflows.
- bsky.app: Russian threat actors have been abusing legitimate OAuth 2.0 authentication workflows to hijack Microsoft 365 accounts of employees of organizations related to Ukraine and human rights.
- Security Risk Advisors: Russian Threat Actors Target Microsoft 365 Using OAuth Authorization Code Theft
- The DefendOps Diaries: Learn how cybercriminals exploit OAuth 2.0 to hijack Microsoft 365 accounts and discover strategies to mitigate these sophisticated threats.
- Email Security - Blog: Detailed analysis of the phishing technique.
- Virus Bulletin: Russian APTs targeting Ukraine supporters with sophisticated Microsoft 365 OAuth phishing.
- www.helpnetsecurity.com: Attackers phish OAuth codes, take over Microsoft 365 accounts
- gbhackers.com: Russian Hackers Exploit Microsoft OAuth 2.0 to Target Organizations
- BleepingComputer: Russian hackers abuse OAuth 2.0 workflows to hijack Microsoft 365 accounts
- Cyber Security News: CyberPress on Russian Hackers Abuse Microsoft OAuth 2.0 to Breach Organizations
- www.sentinelone.com: AI empowers organizations to optimize detection, Russia-nexus actors exploit MS OAuth workflows, and cybercrime hit $16B in losses in 2024.
- slashnext.com: Technical details and vulnerabilities highlighted.
- www.scworld.com: Explanation of the tool used in the attack.
Classification:
- HashTags: #OAuthPhishing #Microsoft365 #RussianAPT
- Company: Microsoft
- Target: Ukraine supporters and human rights organizations
- Attacker: Russian APT
- Product: Microsoft 365
- Feature: OAuth Authorization Code Theft
- Type: Phishing
- Severity: Major