A previously unknown Russian-backed cyberespionage group tracked as Void Blizzard has been linked to a September 2024 Dutch police security breach.
As the Dutch national police (Politie) revealed last year, the attackers stole work-related contact information of multiple officers, including names, email addresses, phone numbers, and, in some cases, private details.
The Netherlands General Intelligence and Security Service (AIVD) and the Netherlands Defence Intelligence and Security Service (MIVD) linked Void Blizzard to this breach in a joint advisory issued on Tuesday, warning that it is highly probable that these Russian hackers also breached other Dutch organizations.
As the advisory explains, Void Blizzard accessed a Dutch police employee’s account in September 2024 and stole work-related contact information through the Global Address List (GAL).
The investigation revealed that the attackers likely used a pass-the-cookie attack: they replayed a session cookie that had been stolen by infostealer malware and bought on a criminal marketplace, impersonating the cookie's owner. Because the session was already authenticated, this gave the threat actor access to information without needing a username or password.
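A pass-the-cookie attack leaves a characteristic trace in web or identity-provider logs: a session identifier issued to one client later appears from a different network and a different user agent, with no new interactive login in between. The following detection heuristic is an added example written for this article; it is not code from the Dutch advisory, the police, or Microsoft. The JSON log format, the field names (`session`, `src_ip`, `ua`, `path`), the trusted network range, and the sample log lines themselves are all constructed assumptions for the demonstration.

```python
"""Flag session cookies reused from a client other than the one that logged in.

Heuristic: at an interactive login, record the source IP and user agent that
received the session cookie. Any later request carrying the same cookie from a
different, untrusted source (or from a different client fingerprint) is a
candidate for cookie replay and should be reviewed, and the session revoked.
"""
import json
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample log (not real data): two officers log in from the office
# network; one of their cookies is later replayed from an external address by
# a scripted client pulling the address list.
SAMPLE_LOG = """
{"ts": "2024-09-10T08:01:12Z", "event": "login", "user": "officer.a", "session": "s-1a2b", "src_ip": "10.20.30.40", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/128"}
{"ts": "2024-09-10T08:05:40Z", "event": "request", "user": "officer.a", "session": "s-1a2b", "src_ip": "10.20.30.40", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/128", "path": "/mail/inbox"}
{"ts": "2024-09-10T09:00:00Z", "event": "login", "user": "officer.b", "session": "s-9z8y", "src_ip": "10.20.30.41", "ua": "Mozilla/5.0 (Windows NT 10.0) Edge/128"}
{"ts": "2024-09-10T09:30:00Z", "event": "request", "user": "officer.b", "session": "s-9z8y", "src_ip": "10.20.30.41", "ua": "Mozilla/5.0 (Windows NT 10.0) Edge/128", "path": "/mail/inbox"}
{"ts": "2024-09-11T02:17:03Z", "event": "request", "user": "officer.a", "session": "s-1a2b", "src_ip": "203.0.113.77", "ua": "python-requests/2.32", "path": "/api/gal/export"}
{"ts": "2024-09-11T02:17:09Z", "event": "request", "user": "officer.a", "session": "s-1a2b", "src_ip": "203.0.113.77", "ua": "python-requests/2.32", "path": "/api/gal/export?page=2"}
"""

# Assumed corporate address space for this example; requests that stay inside
# it are treated as ordinary roaming (DHCP lease change, VPN reconnect).
TRUSTED_NETS = [ip_network("10.20.30.0/24")]


@dataclass(frozen=True)
class Alert:
    session: str
    user: str
    reason: str
    login_ip: str
    suspect_ip: str
    path: str


def parse_log(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def is_trusted(ip):
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def detect_cookie_replay(events):
    """Return one Alert per request whose cookie is used from a foreign client.

    Events are processed in timestamp order (ISO-8601 strings sort correctly).
    """
    origin = {}  # session id -> (ip, user agent) seen at the interactive login
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid = ev["session"]
        if ev["event"] == "login":
            origin[sid] = (ev["src_ip"], ev["ua"])
            continue
        if sid not in origin:
            # A cookie we never saw being issued cannot have come from a login we logged.
            alerts.append(Alert(sid, ev["user"], "session without observed login",
                                "?", ev["src_ip"], ev.get("path", "")))
            continue
        login_ip, login_ua = origin[sid]
        reasons = []
        if ev["src_ip"] != login_ip and not is_trusted(ev["src_ip"]):
            reasons.append("source moved to untrusted network")
        if ev["ua"] != login_ua:
            reasons.append("user agent changed")
        # Require a network move plus at least one other signal to keep noise down;
        # an untrusted move alone already satisfies both conditions.
        if reasons and ev["src_ip"] != login_ip:
            alerts.append(Alert(sid, ev["user"], "; ".join(reasons),
                                login_ip, ev["src_ip"], ev.get("path", "")))
    return alerts


if __name__ == "__main__":
    for a in detect_cookie_replay(parse_log(SAMPLE_LOG)):
        print(f"[{a.user}] session {a.session} from {a.suspect_ip} "
              f"(login from {a.login_ip}) hitting {a.path}: {a.reason}")
```

The useful response to such an alert is to revoke the session server-side and force re-authentication, since rotating the password alone does not invalidate a stolen cookie. Binding session tokens to the issuing client (for example, short lifetimes with re-authentication, or conditional-access checks on device and location) removes most of the value of a cookie bought on a marketplace.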
“We have seen that this hacker group successfully gains access to sensitive information from a large number of (government) organizations and companies worldwide. They have a specific interest in countries of the European Union and NATO,” said Vice Admiral Peter Reesink, MIVD’s director.
“Laundry Bear is after information about the purchase and production of military equipment by Western governments and Western deliveries of weapons to Ukraine.”
Who is Void Blizzard?
Also tracked as Laundry Bear by Dutch intelligence services, this hacking crew has been active since at least April 2024 and focused on targeting Ukraine and NATO member states in attacks aligned with Russian strategic objectives.
The Russian hackers’ tactics, techniques, and procedures (TTPs) include using stolen credentials and spear-phishing emails to breach their targets’ defenses.
Once in, they’ve been observed harvesting and exfiltrating files and emails from their victims’ compromised systems.
“Void Blizzard’s cyberespionage operations tend to be highly targeted at specific organizations of interest to the Russian government, including in government, defense, transportation, media, non-governmental organizations (NGOs), and healthcare sectors primarily in Europe and North America,” Microsoft said in a Tuesday report.
“In particular, the threat actor’s prolific activity against networks in critical sectors poses a heightened risk to NATO member states and allies to Ukraine in general.”
Void Blizzard has breached organizations in various sectors in Ukraine, including transportation and defense. In October 2024, they also compromised user accounts at a Ukrainian aviation entity previously targeted in 2022 by APT44 (Seashell Blizzard), linked to the Russian General Staff Main Intelligence Directorate (GRU).