Void Blizzard, a Russia-linked cyber threat group, is conducting wide-reaching espionage. Active since at least April 2024, this group has focused on NATO members, Ukraine, and critical sectors in Europe and North America. Microsoft Threat Intelligence has tracked the group’s evolving tactics, revealing a mix of low-complexity but high-impact operations.
The group, also known as LAUNDRY BEAR, uses stolen login credentials from underground markets to access target networks. Once inside, they harvest emails and sensitive files from compromised accounts. In April 2025, Void Blizzard began using more aggressive phishing techniques, such as adversary-in-the-middle (AitM) attacks, to capture login credentials directly from victims.
Sector Targets and Geographic Focus
Void Blizzard’s attacks are not random. Their victims are carefully chosen based on their strategic value to the Russian government. High-priority targets include:
- Government bodies and defense agencies
- NGOs and healthcare institutions
- Media, education, and transportation sectors
- Law enforcement and intergovernmental organizations
These attacks span both Europe and North America, with Ukraine being a recurring focus. In one incident, Void Blizzard compromised a Ukrainian aviation body previously targeted by other Russian groups. Their actions overlap with other known actors like Forest Blizzard, Secret Blizzard, and Midnight Blizzard, all believed to support Russian intelligence goals.
Methods of Attack and Cloud Exploitation
Void Blizzard typically gains initial access via password spraying or through credentials stolen via malware. These credentials often grant them entry to Microsoft Exchange and SharePoint Online. In April 2025, they expanded their approach by launching a targeted spear-phishing campaign using a fake Microsoft Entra login page.
They spoofed a Microsoft authentication portal with a typosquatted domain. Victims received fake event invitations from the “European Defense and Security Summit,” leading them to a phishing page via QR code. The phishing infrastructure, powered by the Evilginx framework, captured login credentials and authentication cookies.
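The password spraying described above leaves a distinctive footprint in sign-in logs: one source address failing against many different accounts in a short window, with few attempts per account. The detector below is an added example, not code from Microsoft or the original post; it runs over constructed sign-in records (timestamp, account, source IP, result) rather than real Entra ID log fields, and the thresholds are assumed values a defender would tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real logs): (timestamp, account, source_ip, result).
# 203.0.113.7 fails once against five accounts and then signs in as one of them;
# 198.51.100.5 is a single user retrying their own password, which should not be flagged.
SAMPLE_EVENTS = [
    ("2025-04-10T09:00:05", "alice@example.org", "203.0.113.7", "failure"),
    ("2025-04-10T09:00:09", "bob@example.org", "203.0.113.7", "failure"),
    ("2025-04-10T09:00:14", "carol@example.org", "203.0.113.7", "failure"),
    ("2025-04-10T09:00:20", "dave@example.org", "203.0.113.7", "failure"),
    ("2025-04-10T09:00:27", "erin@example.org", "203.0.113.7", "failure"),
    ("2025-04-10T09:03:41", "erin@example.org", "203.0.113.7", "success"),
    ("2025-04-10T09:01:00", "alice@example.org", "198.51.100.5", "failure"),
    ("2025-04-10T09:02:00", "alice@example.org", "198.51.100.5", "failure"),
    ("2025-04-10T09:02:30", "alice@example.org", "198.51.100.5", "success"),
]


def parse_events(events):
    """Convert ISO timestamps to datetime and sort chronologically."""
    return sorted((datetime.fromisoformat(ts), user, ip, result) for ts, user, ip, result in events)


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag source IPs that fail against >= min_accounts distinct accounts within `window`.

    Returns {ip: {"accounts": [...], "followed_by_success": [...]}}, where
    followed_by_success lists accounts that later signed in successfully from the
    same IP (the spray-then-login pattern a defender most wants to see first).
    """
    by_ip = defaultdict(list)
    for ts, user, ip, result in parse_events(events):
        by_ip[ip].append((ts, user, result))

    findings = {}
    for ip, rows in by_ip.items():
        failures = [(ts, user) for ts, user, result in rows if result == "failure"]
        # Slide the window over each failure as a potential start of a spray.
        for i, (start, _) in enumerate(failures):
            accounts = {user for ts, user in failures[i:] if ts - start <= window}
            if len(accounts) >= min_accounts:
                successes = sorted({user for ts, user, result in rows
                                    if result == "success" and ts >= start})
                findings[ip] = {"accounts": sorted(accounts), "followed_by_success": successes}
                break
    return findings
```

A hit whose followed_by_success list is non-empty is the case to triage first, since it means a sprayed credential actually worked.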
Post-Infiltration Behavior and Cloud Data Harvesting
Once inside, Void Blizzard moves quickly to collect data. They abuse legitimate services such as Exchange Online and the Microsoft Graph APIs to enumerate and access user mailboxes. They often extract large volumes of email and cloud-hosted files, especially shared folders that the compromised users can reach.
In some cases, the group has accessed Microsoft Teams chats and used tools like AzureHound to map the organization’s identity structure, including users, roles, and device data, which is valuable for lateral movement and long-term surveillance.
Conclusion: Ongoing Vigilance Required
Void Blizzard’s operations reflect a persistent and adaptable threat. Despite relying on simple methods, they continue to succeed through focused targeting and cloud abuse. Microsoft credits partners like the Netherlands’ AIVD, MIVD, and the US FBI for supporting the investigation.
At Eye World, we emphasize proactive monitoring, credential hygiene, and phishing awareness. Organizations must recognize that even unsophisticated techniques, when executed persistently, pose a real risk to digital infrastructure and national security.