Void Blizzard: Russia-Linked Threat Actor Escalates Cyberespionage on Critical Sectors Globally


A newly identified Russia-affiliated threat actor, Void Blizzard (also tracked as LAUNDRY BEAR), has ramped up cyberespionage campaigns against key sectors across Europe, North America, and Ukraine, according to Microsoft Threat Intelligence (published 20 May 2025). These operations, designed to gather sensitive intelligence aligned with Russian state interests, now pose an elevated risk to NATO allies and to sectors critical to national security.

WHO, WHAT, WHEN: THE VOID BLIZZARD TIMELINE

A Coordinated Campaign Backed by the Kremlin?

  • Threat Actor Name: Void Blizzard (aka LAUNDRY BEAR)
  • Affiliation: Russian state interests (assessed with high confidence by Microsoft)
  • Active Since: At least April 2024, with notable uptick observed in April 2025
  • Primary Targets:
    • Sectors: Government, defense, telecommunications, media, NGOs, healthcare, transportation, and IT
    • Regions: Europe, North America, and especially Ukraine

Microsoft analysts, in collaboration with the Netherlands General Intelligence and Security Service (AIVD), the MIVD, and the U.S. FBI, have attributed the campaigns to Void Blizzard based on overlapping infrastructure and tooling used in past Russian APT operations.

In October 2024, Void Blizzard successfully compromised accounts at a Ukrainian aviation organization, previously targeted by GRU-linked groups like Seashell Blizzard and Forest Blizzard, indicating shared intelligence goals.

TTPs: Tactics, Techniques, and Procedures of Void Blizzard

MITRE ATT&CK MAPPING

  • Initial Access:
    • T1078 (Valid Accounts)
    • T1110.003 (Password Spraying)
    • T1566.001 (Phishing: Spear Phishing Attachment)
  • Credential Access:
    • T1556.002 (Adversary-in-the-Middle – Evilginx)
  • Collection & Exfiltration:
    • T1114.002 (Email Collection: Email Forwarding Rule)
    • T1119 (Automated Collection)
    • T1530 (Data from Cloud Storage)
  • Command & Control:
    • T1071.001 (Application Layer Protocol: Web Protocols)

Initial Access Methods: Unsophisticated Yet Effective

Void Blizzard typically purchases stolen credentials from infostealer marketplaces and uses them to access Exchange Online and SharePoint Online environments. Since April 2025, the group has expanded to more targeted spear phishing, such as:

  • Spoofed invitations to the European Defense and Security Summit
  • PDF attachments with malicious QR codes redirecting to a phishing domain: micsrosoftonline[.]com
  • Credential harvesting via Evilginx framework for adversary-in-the-middle (AitM) attacks
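The look-alike domain above is one edit away from the real identity-provider domain, which is exactly the kind of thing a defender can screen for automatically. As an added example (not code from the article or from Microsoft), the Python below flags hosts within a couple of edits of a protected domain while leaving genuine subdomains alone; the protected-domain list and the second sample domain (rnicrosoft.com) are assumptions, and defanged "[.]" notation is accepted.

```python
# Added example (not from the article): flag hosts that are a few edits away from
# identity-provider domains, as a defender might screen URLs decoded from QR codes.
from urllib.parse import urlparse

# Domains to protect against impersonation (assumed list for this example).
PROTECTED_DOMAINS = ("microsoftonline.com", "microsoft.com", "sharepoint.com", "office.com")

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(url: str) -> str:
    """Last two labels of the URL's host (enough for the TLDs used here);
    accepts a bare host and the defanged 'example[.]com' form."""
    url = url.replace("[.]", ".")
    if "://" not in url:
        url = "https://" + url
    host = (urlparse(url).hostname or "").rstrip(".")
    return ".".join(host.split(".")[-2:])

def lookalike_match(url: str, max_distance: int = 2):
    """(observed_domain, impersonated_domain) if the host is close to, but not,
    a protected domain; None for legitimate hosts and unrelated domains."""
    domain = registrable_domain(url)
    if domain in PROTECTED_DOMAINS:
        return None  # the real domain, or a genuine subdomain of it
    for protected in PROTECTED_DOMAINS:
        if levenshtein(domain, protected) <= max_distance:
            return (domain, protected)
    return None
```

A distance threshold of 2 also catches the common "rn" for "m" substitution; raise it only with a larger allowlist of legitimate near-matches, or the check will flag unrelated short domains.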

Post-Exploitation: Exploiting Cloud APIs

Once inside, Void Blizzard harvests data by abusing cloud APIs like Microsoft Graph to:

  • Access emails (including shared mailboxes)
  • Scrape Microsoft Teams messages
  • Map Microsoft Entra ID configurations using AzureHound

This level of access suggests automation, allowing the attacker to collect large data sets with minimal effort.

MEA AND GLOBAL CONTEXT

Middle East & Africa: Under the Radar or Under Threat?

While direct Void Blizzard targeting in Middle East or African countries has not yet been confirmed, the actor’s focus on global cloud infrastructure poses a latent threat to critical infrastructure in the region. Countries like Saudi Arabia, the UAE, and South Africa, with growing digital footprints in healthcare, defense, and telecommunications, should consider themselves potential indirect targets.

The increasing adoption of cloud services, remote collaboration platforms, and reliance on foreign software supply chains makes MEA nations attractive footholds for surveillance or staging attacks on other allies.

Comparison: Just Another Blizzard?

Void Blizzard overlaps with several known GRU-affiliated actors:

Threat Actor      | Notable Targets                           | Key TTPs
------------------|-------------------------------------------|----------------------------------
Forest Blizzard   | Ukrainian aviation, ATC systems           | Password spray
Midnight Blizzard | Media, think tanks                        | Credential theft, OAuth abuse
Seashell Blizzard | Defense and aviation (Ukraine)            | Lateral movement, phishing
Void Blizzard     | NATO governments, NGOs, Ukraine (2024–25) | Stolen credentials, AitM phishing

As John Lambert, Head of Microsoft Threat Intelligence, notes:

“Void Blizzard exemplifies how even moderately resourced actors can yield high-value results when targeting the right sectors persistently.”

ACTIONABLE TAKEAWAYS FOR DEFENDERS

  1. Mandate Multi-Factor Authentication (MFA) across all cloud apps and enforce conditional access policies.
  2. Monitor for typosquatted domains impersonating identity providers or company portals.
  3. Harden Exchange Online and SharePoint access by disabling legacy authentication protocols.
  4. Conduct regular phishing simulations and awareness training.
  5. Enable sign-in risk-based Conditional Access policies to block suspicious authentication attempts.
  6. Audit use of Microsoft Graph and Teams APIs for anomalous activity from service accounts or unexpected IP ranges.
  7. Deploy detection rules for AitM infrastructure indicators (e.g., Evilginx URLs).
  8. Review Risky Sign-ins and User Risk reports in Microsoft Entra ID (formerly Azure AD) frequently.
  9. Coordinate with national cybersecurity centers for sector-specific threat intel.
  10. Consider isolating sensitive data from cloud-based collaboration platforms for at-risk departments.
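Two of these takeaways translate directly into detections over sign-in telemetry. As an added example (not code from the article or from Microsoft), the Python below runs them over constructed sign-in records: a password-spray source finder (T1110.003 in the mapping above, one source IP failing against many accounts) and a check for successful Microsoft Graph or Teams access from outside the corporate egress ranges (takeaway 6). The ranges, user names, resource labels and records are all constructed for the example.

```python
# Added example (not from the article): spray-source and out-of-network Graph/Teams
# access detections over constructed Entra ID sign-in records.
import ipaddress
from collections import defaultdict

# Corporate egress ranges and the resources to watch (assumed values).
CORPORATE_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
WATCHED_RESOURCES = {"Microsoft Graph", "Microsoft Teams"}

# Constructed sample sign-in records (not real telemetry).
SIGN_INS = [
    {"user": "a.ali", "ip": "203.0.113.7", "resource": "Office 365 Exchange Online", "status": "failure"},
    {"user": "b.khan", "ip": "203.0.113.7", "resource": "Office 365 Exchange Online", "status": "failure"},
    {"user": "c.omar", "ip": "203.0.113.7", "resource": "Office 365 Exchange Online", "status": "failure"},
    {"user": "d.saad", "ip": "203.0.113.7", "resource": "Office 365 Exchange Online", "status": "failure"},
    {"user": "e.yusuf", "ip": "203.0.113.7", "resource": "Office 365 Exchange Online", "status": "failure"},
    {"user": "e.yusuf", "ip": "203.0.113.7", "resource": "Office 365 Exchange Online", "status": "success"},
    {"user": "e.yusuf", "ip": "203.0.113.7", "resource": "Microsoft Graph", "status": "success"},
    {"user": "f.noor", "ip": "198.51.100.20", "resource": "Microsoft Graph", "status": "success"},
    {"user": "f.noor", "ip": "198.51.100.20", "resource": "Office 365 Exchange Online", "status": "failure"},
    {"user": "g.hassan", "ip": "198.51.100.21", "resource": "Microsoft Teams", "status": "success"},
]

def password_spray_sources(records, min_accounts=5):
    """Source IPs whose failed sign-ins span at least min_accounts distinct users."""
    failed = defaultdict(set)
    for r in records:
        if r["status"] == "failure":
            failed[r["ip"]].add(r["user"])
    return {ip: sorted(users) for ip, users in failed.items() if len(users) >= min_accounts}

def unexpected_graph_access(records, corporate_ranges=CORPORATE_RANGES):
    """Successful sign-ins to watched resources from outside the corporate ranges."""
    hits = []
    for r in records:
        if r["status"] != "success" or r["resource"] not in WATCHED_RESOURCES:
            continue
        addr = ipaddress.ip_address(r["ip"])
        if not any(addr in net for net in corporate_ranges):
            hits.append((r["user"], r["ip"], r["resource"]))
    return hits

def spray_then_collect(records):
    """Users whose out-of-network Graph/Teams access came from a spray source:
    the spray-in-then-harvest sequence described in the article."""
    sources = password_spray_sources(records)
    return sorted({u for u, ip, _ in unexpected_graph_access(records) if ip in sources})
```

Real Entra ID sign-in logs carry these fields under other names (userPrincipalName, ipAddress, resourceDisplayName, status.errorCode), and a production rule would also window the failures in time.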

CONCLUSION: A Familiar Pattern, a Growing Threat

Void Blizzard’s operations highlight a resurgent wave of Russian cyberespionage that combines unremarkable tools with sharp targeting. Their evolution from credential theft to AitM phishing underscores a shift toward more agile, modular tradecraft. While MEA nations are not primary targets yet, their strategic alignment with NATO and growing digital transformation make vigilance imperative. CISOs and policy leaders must stay ahead through proactive defense, collaboration, and continuous updates from verified threat intelligence sources.

Ouaissou DEMBELE (http://cybercory.com)
Ouaissou DEMBELE is a seasoned cybersecurity expert with over 12 years of experience, specializing in purple teaming, governance, risk management, and compliance (GRC). He currently serves as Co-founder & Group CEO of Sainttly Group, a UAE-based conglomerate comprising Saintynet Cybersecurity, Cybercory.com, and CISO Paradise. At Saintynet, where he also acts as General Manager, Ouaissou leads the company’s cybersecurity vision—developing long-term strategies, ensuring regulatory compliance, and guiding clients in identifying and mitigating evolving threats. As CEO, his mission is to empower organizations with resilient, future-ready cybersecurity frameworks while driving innovation, trust, and strategic value across Sainttly Group’s divisions. Before founding Saintynet, Ouaissou held various consulting roles across the MEA region, collaborating with global organizations on security architecture, operations, and compliance programs. He is also an experienced speaker and trainer, frequently sharing his insights at industry conferences and professional events. Ouaissou holds and teaches multiple certifications, including CCNP Security, CEH, CISSP, CISM, CCSP, Security+, ITILv4, PMP, and ISO 27001, in addition to a Master’s Diploma in Network Security (2013). Through his deep expertise and leadership, Ouaissou plays a pivotal role at Cybercory.com as Editor-in-Chief, and remains a trusted advisor to organizations seeking to elevate their cybersecurity posture and resilience in an increasingly complex threat landscape.
