Shane

Laundry Bear: New Russian Cyber Espionage Group Targets NATO and Western Organizations

Security Advisory: Analysis of Russian-Affiliated Laundry Bear Threat Group Activities

A sophisticated new Russian state-sponsored threat group has emerged on the cybersecurity radar, conducting widespread espionage operations against government agencies, defense contractors, and critical infrastructure organizations across NATO member states and Ukraine. Known as Laundry Bear by Dutch intelligence agencies and Void Blizzard by Microsoft, this group represents a significant and evolving threat to Western security interests.

Description of the Threat

Laundry Bear/Void Blizzard is a Russia-affiliated advanced persistent threat (APT) group that has been actively conducting espionage operations since at least April 2024. The group specifically targets organizations that are strategically important to Russian government objectives, focusing heavily on entities involved in military procurement, defense production, and weapons deliveries to Ukraine.

The threat actor demonstrates a clear understanding of military supply chains and defense technologies, suggesting coordination with Russian intelligence services. Their operations span multiple continents, with confirmed attacks against organizations in Europe, North America, and Asia-Pacific regions.

Severity of the Issue

The severity of this threat is classified as HIGH due to several critical factors:

  • Global Reach: The group has successfully compromised organizations across virtually all NATO and EU member states
  • High Success Rate: Dutch intelligence agencies report that Laundry Bear has a significantly higher success rate compared to other known Russian threat actors
  • Strategic Targeting: Focus on defense contractors, government agencies, and organizations supporting Ukraine’s defense efforts
  • Volume of Data Theft: Capability to steal large volumes of sensitive emails, files, and organizational intelligence
  • Evasion Capabilities: Ability to operate undetected for extended periods by using legitimate cloud services and simple attack methods

How It Is Exploited

Laundry Bear employs several attack vectors to compromise target organizations:

Initial Access Methods:

  • Password Spray Attacks: Using common passwords against multiple user accounts
  • Pass-the-Cookie Attacks: Leveraging stolen session cookies purchased from cybercriminal marketplaces
  • Credential Stuffing: Using stolen credentials obtained from information stealer malware
  • Spear Phishing: Adversary-in-the-middle attacks using fake Microsoft Entra authentication pages
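Detection logic for the first two initial-access methods above, written here as an added example (not code from the original post or from any vendor) and run over constructed Microsoft Entra-style sign-in records; the field names are a simplified subset of the real sign-in log schema, and the Entra error code 50126 (invalid username or password) is the one real value used:

```python
# Added example: detection logic for password spray and pass-the-cookie, run over
# constructed Microsoft Entra-style sign-in records (made-up data; the field
# names are a simplified subset of the real sign-in log schema).
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a legitimate login, one cookie replay, and a spray burst.
SIGNINS = [
    {"time": "2024-04-02T09:00:00", "user": "alice@example.org", "ip": "203.0.113.10",
     "status": 0, "session": "s-alice-1", "interactive": True},
    {"time": "2024-04-02T09:05:00", "user": "alice@example.org", "ip": "198.51.100.7",
     "status": 0, "session": "s-alice-1", "interactive": False},
] + [
    {"time": f"2024-04-02T10:00:{i:02d}", "user": f"user{i}@example.org",
     "ip": "192.0.2.44", "status": 50126, "session": None, "interactive": True}
    for i in range(6)
]

def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """{ip: sorted users} for IPs whose wrong-password failures (Entra error
    code 50126) touch at least min_accounts distinct accounts inside window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["status"] == 50126:
            by_ip[e["ip"]].append((datetime.fromisoformat(e["time"]), e["user"]))
    hits = {}
    for ip, fails in by_ip.items():
        fails.sort()
        for i, (t0, _) in enumerate(fails):  # slide a window from each failure
            users = {u for t, u in fails[i:] if t - t0 <= window}
            if len(users) >= min_accounts:
                hits[ip] = sorted(users)
                break
    return hits

def detect_cookie_replay(events):
    """[(user, session, first_ip, replay_ip)] when a session ID is reused from
    an IP on which that user never completed an interactive sign-in."""
    first_ip = {}                       # session -> IP that established it
    interactive_ips = defaultdict(set)  # user -> IPs with interactive success
    alerts = []
    for e in sorted(events, key=lambda x: x["time"]):
        if e["status"] != 0 or not e["session"]:
            continue
        if e["interactive"]:
            interactive_ips[e["user"]].add(e["ip"])
        first_ip.setdefault(e["session"], e["ip"])
        if e["ip"] != first_ip[e["session"]] and e["ip"] not in interactive_ips[e["user"]]:
            alerts.append((e["user"], e["session"], first_ip[e["session"]], e["ip"]))
    return alerts
```

The spray threshold and window are starting points; a tenant with shared NAT egress will need a higher account count before alerting.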

Post-Compromise Activities:

  • Abuse of legitimate Microsoft cloud APIs (Exchange Online, Microsoft Graph) to enumerate mailboxes and files
  • Automated bulk collection of emails and documents from compromised accounts
  • Access to Microsoft Teams conversations and messages
  • Enumeration of Microsoft Entra ID configurations using tools like AzureHound
  • Exploitation of SharePoint environments to steal additional credentials
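The bulk mailbox collection listed above leaves a trail in Exchange Online mailbox audit records. The following is an added example (not code from the original post or from Microsoft) that flags it over constructed MailItemsAccessed-style records; the fields used are a simplified subset of the real unified audit log record, and the app IDs in the allowlist are placeholders:

```python
# Added example: flag automated bulk mailbox collection over constructed
# Exchange Online MailItemsAccessed-style audit records (made-up data; the
# fields are a simplified subset of the real unified audit log record).
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed allowlist of client app IDs this tenant expects to read mail.
KNOWN_APPS = {"outlook-desktop-app-id", "outlook-web-app-id"}

# Constructed sample: bob reads mail normally; an unfamiliar app syncs carol's
# whole mailbox in two large operations twenty minutes apart.
EVENTS = [
    {"time": "2024-04-03T08:00:00", "user": "bob@example.org",
     "app": "outlook-desktop-app-id", "access": "Bind", "count": 12},
    {"time": "2024-04-03T08:30:00", "user": "bob@example.org",
     "app": "outlook-web-app-id", "access": "Bind", "count": 9},
    {"time": "2024-04-03T02:10:00", "user": "carol@example.org",
     "app": "unknown-app-id", "access": "Sync", "count": 400},
    {"time": "2024-04-03T02:30:00", "user": "carol@example.org",
     "app": "unknown-app-id", "access": "Sync", "count": 350},
]

def bulk_access(events, window=timedelta(hours=1), threshold=500):
    """{user: items} for accounts whose accessed-item count inside any
    window exceeds threshold; tune the threshold to the tenant's baseline."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["count"]))
    flagged = {}
    for user, ops in by_user.items():
        ops.sort()
        for i, (t0, _) in enumerate(ops):  # slide a window from each operation
            total = sum(c for t, c in ops[i:] if t - t0 <= window)
            if total > threshold:
                flagged[user] = max(total, flagged.get(user, 0))
    return flagged

def unfamiliar_app_sync(events, known_apps=KNOWN_APPS):
    """Sorted (user, app) pairs where an app outside the allowlist performed a
    Sync access; Sync pulls whole folders, so an unlisted app doing it needs triage."""
    return sorted({(e["user"], e["app"]) for e in events
                   if e["access"] == "Sync" and e["app"] not in known_apps})
```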

Notable Attack Campaign: In April 2024, the group conducted a sophisticated spear-phishing campaign targeting over 20 NGOs in Europe and the United States. They used a typosquatted domain “micsrosoftonline[.]com” to impersonate Microsoft’s authentication portal, distributing PDF attachments containing malicious QR codes that redirected victims to credential harvesting pages powered by the Evilginx phishing framework.

Who Is Behind the Issue

Laundry Bear is attributed to Russian state-sponsored cyber operations, likely coordinated by Russian intelligence services in support of the country’s strategic objectives regarding the conflict in Ukraine and broader geopolitical interests. While the specific Russian agency responsible has not been definitively identified, the group’s targeting patterns and objectives align with Russian military intelligence priorities.

The threat actor demonstrates:

  • Knowledge of Western military procurement processes
  • Understanding of defense supply chain dependencies
  • Awareness of sanctions-restricted technologies that Russia seeks to obtain
  • Coordination with broader Russian cyber espionage efforts

Dutch intelligence agencies note that while Laundry Bear operates as a distinct entity, many of their targets overlap with other well-known Russian threat groups including Forest Blizzard, Midnight Blizzard, and Secret Blizzard, suggesting shared intelligence collection priorities among different Russian cyber units.

Who Is at Risk

Organizations at highest risk include:

Government Entities:

  • Defense and foreign affairs ministries
  • Law enforcement agencies (confirmed breach of Dutch National Police)
  • Military branches and armed forces
  • Embassy and diplomatic missions

Defense and Aerospace:

  • Defense contractors and suppliers
  • Aerospace manufacturers
  • Military equipment producers
  • Organizations involved in weapons deliveries to Ukraine

Critical Infrastructure:

  • Transportation companies
  • Telecommunications providers
  • Energy sector organizations
  • Healthcare institutions

Technology and Business:

  • High-tech companies producing advanced/restricted technologies
  • IT service providers serving enterprise and government clients
  • Non-governmental organizations (NGOs)
  • Educational institutions

Geographic Focus:

  • NATO member states (primary targets)
  • European Union countries
  • Ukraine and countries providing Ukrainian support
  • Organizations in Eastern and Central Asia

How CinchOps Can Help

As a trusted managed IT and cybersecurity partner, CinchOps understands the critical importance of protecting your organization against sophisticated state-sponsored threats like Laundry Bear. Our team of seasoned IT professionals brings over three decades of experience in implementing comprehensive security solutions that can defend against advanced persistent threats.

CinchOps provides comprehensive protection against Russian state-sponsored cyber threats through:

  • Advanced Threat Detection and Response – Implementation of security tools that can identify and respond to sophisticated attack patterns, including behavioral analytics that detect unusual cloud API usage and automated bulk data collection attempts
  • Cloud Security Architecture – Configuration of Microsoft 365 security features, including Exchange Online Protection, Microsoft Defender for Office 365, and advanced conditional access policies specifically designed to counter credential-based attacks
  • Multi-Factor Authentication Implementation – Deployment of MFA solutions with risk-based authentication policies that can prevent pass-the-cookie attacks and credential stuffing attempts commonly used by Laundry Bear
  • Security Awareness Training – Comprehensive employee education programs that teach staff to recognize sophisticated phishing attempts, including adversary-in-the-middle attacks and malicious QR code schemes
  • Continuous Security Monitoring – 24/7 monitoring of your IT environment for indicators of compromise, with specialized focus on detecting the types of cloud-based attacks favored by advanced persistent threat groups
  • Incident Response Planning – Development of detailed response procedures specifically tailored to counter state-sponsored espionage attempts, ensuring rapid containment and minimal data exposure
  • Compliance and Risk Assessment – Regular security assessments to identify vulnerabilities that could be exploited by sophisticated threat actors, with particular attention to cloud security configurations
  • Zero Trust Security Implementation – Deployment of comprehensive zero-trust architectures that assume no implicit trust and verify every access request, making it significantly harder for threat actors to move laterally within your environment

Don’t let sophisticated Russian cyber espionage groups like Laundry Bear compromise your organization’s sensitive data and strategic information. CinchOps has the expertise and proven track record to implement the advanced security measures necessary to defend against state-sponsored threats. Contact us today to schedule a comprehensive security assessment and learn how we can strengthen your defenses against these evolving cyber threats.

Discover More

Discover more about our enterprise-grade, business-protecting cybersecurity services: CinchOps Cybersecurity
Discover related topics: Chinese Hackers Exploit Cityworks Zero-Day to Breach U.S. Local Governments
For Additional Information on this topic: New Russian Cyber Threat ‘Laundry Bear’ Hits Western Targets
