Void Blizzard: Russian State-Backed Cloud Espionage, AitM Phishing, and LOTL Tactics Targeting NATO and Allies
Void Blizzard, a Russian state-backed cyber espionage actor that Dutch intelligence tracks as Laundry Bear, has rapidly emerged as a major threat since April 2024. The group targets government, defense, telecommunications, NGOs, and critical infrastructure across NATO...

(Have feedback? Did something resonate with you? Did something annoy you? Just hit reply! :))
Get questions like this:
- what do you know about void blizzard?
- Are there any known overlaps or links between Void Blizzard and other APT groups targeting similar sectors, and what are the implications for attribution?
- How do the TTPs of Void Blizzard compare in detail with those of APT28 and other Russian APTs to refine attribution and response?
Does it take chunks out of your day? Would you like help with the research?
This baseline report was thoughtfully researched and took 10 minutes. It's meant to be a rough draft for you to enhance with the unique insights that make you an invaluable analyst.
We just did the initial grunt work.
Are you ready to level up your skillset? Get Started Here!
Did this help you? Forward it to a friend!


Suggested Pivot
How effective are Void Blizzard’s adversary-in-the-middle (AitM) spear-phishing campaigns using typosquatted domains like micsrosoftonline[.]com compared to similar tactics employed by APT28 and APT29, and what advanced email security controls and user training methods can best mitigate these evolving phishing threats?
(Rationale: The April 2025 shift to AitM spear-phishing represents a significant escalation in sophistication, requiring prioritized defensive measures.)
TL;DR
Key Points
- Void Blizzard (aka Laundry Bear) is a newly identified Russian state-backed APT active since April 2024, specializing in credential theft, adversary-in-the-middle (AitM) phishing, and cloud API abuse. Public reporting by Microsoft and the Dutch AIVD/MIVD does not tie it to a specific Russian intelligence service.
- Their operations target government, defense, NGOs, and critical infrastructure across NATO, the U.S., Ukraine's allies, and Western Europe.
- The group's TTPs include password spraying, session cookie theft (pass-the-cookie), AitM spear-phishing with typosquatted domains (e.g., micsrosoftonline[.]com), and extensive abuse of Microsoft Exchange Online and Graph APIs for stealthy bulk collection of mail and files.
- They avoid custom malware, relying on living-off-the-land (LOTL) techniques, PowerShell, and tools like AzureHound for cloud environment enumeration.
- Notable incidents include the September 2024 Dutch police compromise and the April 2025 spear-phishing campaign against over 20 NGOs in Europe and the U.S.
- Their methods defeat MFA that is not phishing-resistant (SMS, OTP, push approval) and leave little for endpoint detection to see, since collection happens inside the cloud tenant, complicating defense and attribution.
- Immediate mitigations: enforce phishing-resistant MFA, enhance email and cloud security monitoring, audit mailbox and API activity, and deploy behavioral analytics for LOTL detection.
- Prioritize detection of typosquatted domains, anomalous API calls, and session cookie theft.
- Forecasts indicate escalation of AitM phishing, increased cloud API abuse, and potential adoption of these TTPs by other Russian and non-Russian APTs.
- Intelligence sharing and regulatory pressure on cloud/identity security are expected to intensify.
Executive Summary
Void Blizzard, a Russian state-backed APT that Dutch intelligence (AIVD and MIVD) tracks as Laundry Bear, has rapidly emerged as a major cyber espionage threat since April 2024. Microsoft describes the actor as Russia-affiliated and the Dutch services assess it as likely Russian state-backed; neither publicly attributes it to a specific service such as the GRU. The group targets government, defense, telecommunications, NGOs, and critical infrastructure across NATO, the U.S., and Ukraine-aligned states, with a focus on credential theft and cloud-native attack vectors.
Their operations are characterized by initial access via password spraying, infostealer-derived credentials, and session cookie theft (pass-the-cookie). In September 2024 they compromised Dutch police accounts, and in April 2025 they shifted to highly targeted AitM spear-phishing using a typosquatted domain and the Evilginx framework against over 20 NGOs in Europe and the U.S. Void Blizzard abuses Microsoft Exchange Online and Graph APIs to collect mail and files in bulk, uses AzureHound to enumerate Microsoft Entra ID, and relies on living-off-the-land (LOTL) techniques and PowerShell to evade detection, eschewing custom malware entirely.
Comparative analysis shows Void Blizzard's TTPs overlap with APT28, APT29, and Turla, but its focus on cloud API abuse and AitM phishing is distinct and increasingly sophisticated. Its campaigns defeat MFA that is not phishing-resistant and largely sidestep endpoint defenses, because the collection happens in the cloud tenant rather than on a managed host, which makes detection and response challenging.
Operational recommendations include enforcing phishing-resistant MFA (FIDO2, passkey), advanced email filtering for AitM/typosquatting, continuous cloud API monitoring, centralized identity management, and behavioral analytics for LOTL activity. Detection strategies should focus on anomalous API usage, session cookie theft, and PowerShell abuse, leveraging SIEM, EDR, and threat intelligence feeds.
Short-term forecasts predict intensification of AitM phishing and cloud API abuse, while long-term trends suggest proliferation of these TTPs among other APTs, increased regulatory focus on cloud/identity security, and the development of advanced detection solutions. Intelligence gaps remain regarding Void Blizzard’s full operational scope, especially in the U.S., underscoring the need for enhanced intelligence sharing and multinational defense coordination.
Research & Attribution
Historical Context
Void Blizzard, also known as Laundry Bear by Dutch intelligence agencies (AIVD and MIVD), is a newly identified Russian state-sponsored cyber espionage group active since at least April 2024. The group has conducted significant espionage campaigns targeting government, defense, telecommunications, healthcare, education, NGOs, media, and critical infrastructure sectors, primarily in NATO member states, Ukraine allies, Europe, and North America. Their operations include a notable 2024 campaign against the Dutch police, where they used stolen session cookies to access sensitive contact information. Void Blizzard's activities align with Russian strategic objectives, particularly in the context of the Russia-Ukraine conflict and NATO relations.
Timeline
- April 2024: Void Blizzard activity begins, primarily using password spraying and stolen credentials from infostealer malware ecosystems.
- September 2024: Successful compromise of Dutch police accounts via pass-the-cookie attack.
- October 2024: Compromise of Ukrainian aviation organization accounts previously targeted by other Russian APTs.
- April 2025: Shift to targeted spear-phishing campaigns using adversary-in-the-middle (AitM) techniques with typosquatted domains and Evilginx framework, targeting NGOs in Europe and the U.S.
- May 2025: Public disclosure of Void Blizzard's TTPs by Microsoft Threat Intelligence and Dutch intelligence agencies.
Origin
Void Blizzard is attributed to Russian state-sponsored cyber espionage operations: Microsoft tracks it as Russia-affiliated and AIVD/MIVD assess it as likely Russian state-backed, without publicly naming a sponsoring service. The group is distinct from, but shares targeting and some operational overlaps with, other Russian APTs such as APT28 (Fancy Bear), APT29 (Cozy Bear), and Turla, consistent with a broader Russian intelligence effort.
Countries Targeted
- Netherlands – Targeted in a high-profile 2024 campaign against Dutch police.
- United States – Targeted in espionage campaigns against government, defense, NGOs, and critical infrastructure.
- Ukraine Allies – Targeting aligned with Russian geopolitical interests.
- NATO Member States – Broad targeting of allied governments and organizations.
- Other Western Countries – Including those hosting NGOs and critical infrastructure.
Sectors Targeted
- Government – Espionage targeting government agencies and officials.
- Defense and Aerospace – Targeting military and defense contractors.
- Telecommunications – Accessing communications infrastructure.
- Healthcare and Education – Targeting sensitive data and research.
- NGOs and Media – Espionage and influence operations.
Motivation
Void Blizzard is motivated by Russian state-sponsored espionage objectives to collect intelligence supporting military, political, and strategic goals, especially related to the Russia-Ukraine conflict and NATO.
Attack Types
- Initial access via password spraying, stolen credentials, and session cookie theft (pass-the-cookie).
- Spear-phishing with adversary-in-the-middle (AitM) phishing traps using typosquatted domains (e.g., micsrosoftonline[.]com) and Evilginx.
- Abuse of legitimate Microsoft cloud APIs (Exchange Online, Microsoft Graph) for bulk data collection.
- Enumeration of Microsoft Entra ID configurations using AzureHound.
- Accessing Microsoft Teams conversations via web client.
- Use of living-off-the-land (LOTL) techniques with no custom malware.
Known Aliases
- Void Blizzard (Microsoft)
- Laundry Bear (Dutch Intelligence Services: AIVD and MIVD)
Links to Other APT Groups
Void Blizzard shares targeting overlaps and some TTP similarities with Russian APT groups such as APT28 (Fancy Bear), APT29 (Cozy Bear), and Turla (Venomous Bear). However, it is considered a distinct actor with a unique operational profile, particularly in its recent adoption of cloud API abuse and AitM phishing.
Similar Threat Actor Groups
- APT28 (Fancy Bear): Russian GRU-linked group (GRU Unit 26165) known for espionage and influence operations targeting Western governments and critical infrastructure.
- APT29 (Cozy Bear): Russian SVR-linked group focused on espionage against government and diplomatic targets, with well-documented cloud and identity tradecraft.
- Turla (Venomous Bear): Russian FSB-linked espionage group with sophisticated malware and long-term campaigns.
Breaches Involving This Threat Actor
- September 2024: Compromise of Dutch police accounts resulting in theft of work-related contact details.
- Multiple compromises of Ukrainian aviation and defense-related organizations.
- Targeting of over 20 NGOs in Europe and the U.S. via spear-phishing in April 2025.
Comparative Analysis of TTPs: Void Blizzard vs. APT28 and Other Russian APT Groups
Aspect | Void Blizzard (Laundry Bear) | APT28 (Fancy Bear) | Other Russian APT Groups |
---|---|---|---|
Initial Access | Password spraying, stolen credentials, pass-the-cookie, AitM spear-phishing with typosquatted domains (T1110.003, T1078.004, T1566.001) | Spear-phishing, zero-day exploits, credential dumping (T1566, T1204, T1003) | Spear-phishing, supply chain attacks, malware delivery |
Credential Theft | Session cookie theft via infostealers and AitM proxy (T1539), use of stolen cloud credentials (T1078.004) | Credential dumping, password spraying (T1003, T1110) | Credential theft via phishing and malware |
Cloud API Abuse | Extensive use of Exchange Online and Microsoft Graph to collect mail and files (T1114.002, T1530) | Limited documented cloud API abuse | Varies; APT29 in particular has documented cloud and identity tradecraft |
Targeting Focus | Government, defense, aerospace, telecommunications, NGOs | Government, military, political entities | Government, critical infrastructure, media |
Malware and Tools | Living-off-the-land (LOTL), AzureHound for Entra ID enumeration (T1087.004), PowerShell (T1059.001) | Custom malware families (X-Agent, X-Tunnel, Zebrocy), zero-days | Various malware families, including destructive wipers |
Operational Behavior | Non-destructive, prolific espionage | Espionage and influence operations, occasional destructive | Espionage, sabotage, influence |
Geographic Focus | NATO members, Ukraine allies, Western NGOs | Western governments, Ukraine, NATO | Russia's geopolitical adversaries |
Targeting Patterns Against the United States (Last Two Years)
- Void Blizzard has targeted U.S. government agencies, defense contractors, NGOs, and critical infrastructure sectors through credential theft and sophisticated spear-phishing campaigns.
- APT28 continues to target U.S. logistics, technology, and government sectors with phishing, malware, and zero-day exploits.
- Other Russian APT groups maintain persistent espionage campaigns against U.S. critical infrastructure and political entities.
- Specific incidents involving Void Blizzard in the U.S. include spear-phishing campaigns targeting NGOs and critical sectors, though detailed breach disclosures remain limited.
- Intelligence gaps exist regarding the full scope of Void Blizzard's U.S. operations; continuous monitoring and threat intelligence sharing are recommended.
Mitigation and Detection Recommendations for Operational Cybersecurity Teams
Top 3 Immediate Actions
- Enforce Multi-Factor Authentication (MFA) and Sign-in Risk Policies
  - Implement Conditional Access policies that block or require MFA for risky sign-ins.
  - Prefer phishing-resistant MFA methods such as FIDO2 security keys or Microsoft Authenticator passkeys; push, OTP and SMS factors are simply relayed by an AitM proxy such as Evilginx.
  - Avoid telephony-based MFA to mitigate SIM-swapping risks.
- Enhance Email Security and Phishing Defenses
  - Deploy advanced email filtering to detect typosquatted domains and AitM phishing attempts.
  - Conduct targeted user training on spear-phishing and social engineering.
  - Implement DMARC, DKIM, and SPF to prevent spoofing of your own domains; note that they do not block mail sent from an attacker-registered lookalike domain, which needs lookalike-domain detection and link rewriting.
- Monitor and Audit Cloud API Usage
  - Use Microsoft Defender for Cloud Apps and the unified audit log (MailItemsAccessed and file access events) to detect anomalous API calls and bulk reads.
  - Audit mailbox access and delegate permissions regularly.
  - Monitor for unusual Microsoft Teams web client activity.
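The lookalike-domain check that the second action calls for, as an added example that is not code from the original report or from any vendor product. It accepts a bare domain, a defanged IOC or a full URL, and flags both edit-distance lookalikes (micsrosoftonline[.]com, micr0softonline.com) and a genuine Microsoft name buried in an attacker-controlled subdomain. The protected-domain list, the homoglyph table and the distance thresholds are assumptions to tune for your own tenant and vanity domains.

```python
"""Lookalike-domain check for Microsoft identity domains.

Added example, not code from the original report or from Microsoft. Flags
sender and link domains that sit one or two edits away from legitimate
Microsoft domains (the pattern behind micsrosoftonline[.]com) and domains
that bury a legitimate name in a subdomain. The protected domain list and
thresholds are assumptions chosen for this example.
"""
from urllib.parse import urlparse

# Registrable domains the check protects (assumption: extend with your
# tenant's own vanity domains).
PROTECTED = ("microsoftonline.com", "microsoft.com", "office.com", "sharepoint.com")

# Substitutions attackers use for visually similar characters.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize(label: str) -> str:
    """Collapse common homoglyph substitutions before comparing labels."""
    label = label.lower()
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(target: str) -> str:
    """Accept a bare domain, a defanged IOC (micsrosoftonline[.]com) or a URL."""
    target = target.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    if "://" in target:
        target = urlparse(target).hostname or ""
    return target.strip(".")


def classify(target: str):
    """Return (verdict, protected_domain); verdict is 'legitimate',
    'lookalike' or 'unrelated'."""
    host = host_of(target)
    labels = host.split(".")
    if len(labels) < 2:
        return "unrelated", None
    # Assumption: no multi-label public suffixes (co.uk) in the input.
    registrable = ".".join(labels[-2:])
    if registrable in PROTECTED:
        return "legitimate", registrable

    # Case 1: a protected name used as a subdomain of an attacker domain,
    # e.g. login.microsoftonline.com.attacker-example.net
    for good in PROTECTED:
        g = good.split(".")
        for i in range(len(labels) - len(g)):
            if labels[i:i + len(g)] == g:
                return "lookalike", good

    # Case 2: the registrable label is a small edit (after homoglyph
    # normalisation) away from a protected label. Short names get a
    # stricter bound so office/offic does not drown in false positives.
    best = None
    for good in PROTECTED:
        good_label = good.split(".")[0]
        limit = 1 if len(good_label) <= 6 else 2
        dist = levenshtein(normalize(labels[-2]), normalize(good_label))
        if dist <= limit and (best is None or dist < best[0]):
            best = (dist, good)
    if best:
        return "lookalike", best[1]
    return "unrelated", None


if __name__ == "__main__":
    for ioc in ("micsrosoftonline[.]com", "micr0softonline.com",
                "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
                "login.microsoftonline.com.attacker-example.net", "example.org"):
        print(f"{ioc:65} -> {classify(ioc)}")
```

Run it over the sender domain and every link host extracted from inbound mail; a "lookalike" verdict is a quarantine signal, not proof on its own, so pair it with the domain's registration age and whether it has ever appeared in your outbound mail.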
Additional Mitigation Strategies
- Centralize identity management and log authentication data to SIEM for anomaly detection.
- Apply least privilege and credential hygiene principles, rotating credentials after suspected compromise.
- Use endpoint detection and response (EDR) with behavioral analytics to detect PowerShell and LOTL activity.
- Segment networks to limit lateral movement.
Detection Strategies with Examples
- Detect AitM phishing by monitoring mail and proxy logs for lookalike domains such as micsrosoftonline[.]com, and for a successful sign-in from an unfamiliar IP shortly after a user clicked such a link (T1566.001, T1539).
- Monitor for suspicious Exchange Web Services (EWS), Outlook Web Access (OWA) and Graph mail and file access, in particular MailItemsAccessed events with Sync access or high operation counts from an unfamiliar application (T1114.002, T1530).
- Use Microsoft Defender XDR hunting queries for password spray (T1110.003), anomalous sign-ins, and session cookie theft (T1539).
- Leverage Sigma rules for detecting LOTL and PowerShell abuse (T1059.001); YARA signatures help only where a file or memory artifact exists, which LOTL activity rarely leaves behind.
- Correlate alerts across email, endpoint, and cloud environments for comprehensive visibility.
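The password-spray and session-cookie-theft hunts from the list above, as an added example that is not code from the original report or from Microsoft. It runs over constructed Entra ID sign-in records shaped like the Microsoft Graph signIn resource (the field names are an assumption about your export); the spray threshold and the "two of three context attributes changed" rule for cookie replay are starting points to tune against your own baseline.

```python
"""Hunts for Void Blizzard's two credential-based initial-access patterns in
Entra ID sign-in records: password spraying and session-cookie replay.
Added example, not code from the original report or from Microsoft. Records
are shaped like the Microsoft Graph signIn resource (field names are an
assumption about your export); the events below are constructed, and the
thresholds are starting points to tune against your own baseline.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INVALID_PASSWORD = 50126        # AADSTS50126: invalid username or password
CHROME_WIN = "Mozilla/5.0 (Windows NT 10.0) Chrome/124"
SPRAY_UA = "python-requests/2.31"


def ev(upn, ip, when, code, session=None, ua=CHROME_WIN, country="NL"):
    """One sign-in record (constructed sample data)."""
    return {"userPrincipalName": upn, "ipAddress": ip, "createdDateTime": when,
            "status": {"errorCode": code}, "sessionId": session, "userAgent": ua,
            "location": {"countryOrRegion": country}}


# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges; users are fictitious.
EVENTS = (
    # one source walks six accounts with a single guess each ...
    [ev(f"user{i}@example.org", "203.0.113.10", f"2025-04-01T10:0{i}:00Z", INVALID_PASSWORD,
        ua=SPRAY_UA, country="ZZ") for i in range(6)]
    # ... and one guess lands
    + [ev("user3@example.org", "203.0.113.10", "2025-04-01T10:09:00Z", 0, "sess-spray-1", SPRAY_UA, "ZZ"),
       # benign: a user mistypes twice, then signs in from the usual browser
       ev("anna@example.org", "198.51.100.7", "2025-04-01T08:58:00Z", INVALID_PASSWORD),
       ev("anna@example.org", "198.51.100.7", "2025-04-01T08:59:00Z", INVALID_PASSWORD),
       ev("anna@example.org", "198.51.100.7", "2025-04-01T09:00:00Z", 0, "sess-anna-1"),
       # the same session cookie appears from a different network, country and client
       ev("anna@example.org", "203.0.113.55", "2025-04-01T11:30:00Z", 0, "sess-anna-1",
          "Mozilla/5.0 (X11; Linux x86_64) Firefox/125", "ZZ")]
)


def _ts(e):
    return datetime.fromisoformat(e["createdDateTime"].replace("Z", "+00:00"))


def detect_password_spray(events, window=timedelta(minutes=60), min_users=5):
    """Flag a source IP that fails against many distinct accounts inside one
    window (few attempts per account is the point of a spray), and list the
    sprayed accounts that later signed in successfully from that IP."""
    by_ip = defaultdict(list)
    for e in events:
        if e["status"]["errorCode"] == INVALID_PASSWORD:
            by_ip[e["ipAddress"]].append(e)
    findings = []
    for ip, fails in by_ip.items():
        fails.sort(key=_ts)
        best, start = set(), 0
        for end in range(len(fails)):            # sliding window over failures
            while _ts(fails[end]) - _ts(fails[start]) > window:
                start += 1
            users = {f["userPrincipalName"] for f in fails[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            hits = sorted({e["userPrincipalName"] for e in events
                           if e["ipAddress"] == ip and e["status"]["errorCode"] == 0
                           and e["userPrincipalName"] in best})
            findings.append({"ip": ip, "distinct_users": len(best), "successful_accounts": hits})
    return findings


def detect_session_reuse(events, min_changed=2):
    """Flag a sessionId that shows up in successful sign-ins from a different
    context than the one that created it. A new IP alone is normal for mobile
    users; IP plus country plus user agent changing is a replayed cookie."""
    by_session = defaultdict(list)
    for e in events:
        if e["status"]["errorCode"] == 0 and e.get("sessionId"):
            by_session[e["sessionId"]].append(e)
    findings = []
    for sid, evs in by_session.items():
        evs.sort(key=_ts)
        first = evs[0]
        for later in evs[1:]:
            changed = [name for name, a, b in (
                ("ip", first["ipAddress"], later["ipAddress"]),
                ("country", first["location"]["countryOrRegion"], later["location"]["countryOrRegion"]),
                ("userAgent", first["userAgent"], later["userAgent"])) if a != b]
            if len(changed) >= min_changed:
                findings.append({"user": later["userPrincipalName"], "sessionId": sid,
                                 "changed": changed, "from_ip": first["ipAddress"],
                                 "to_ip": later["ipAddress"]})
    return findings


if __name__ == "__main__":
    print("password spray:", detect_password_spray(EVENTS))
    print("session reuse:", detect_session_reuse(EVENTS))
```

The spray hunt keys on distinct accounts per source rather than failures per account, which is what separates a spray from a locked-out user; the cookie hunt keys on sessionId because a replayed cookie reuses the session the victim created instead of starting a new one, so there is no fresh MFA event to alert on.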
Recommendations, Actions and Next Steps
Void Blizzard employs advanced TTPs, including password spraying, session cookie theft (pass-the-cookie), adversary-in-the-middle (AitM) spear-phishing with typosquatted domains, and extensive abuse of Microsoft cloud APIs (Exchange Online, Microsoft Graph). These tactics enable stealthy credential theft and bulk data exfiltration without custom malware, highlighting the need for robust identity and cloud security controls.
- Enforce phishing-resistant multi-factor authentication (MFA) across all high-risk sectors (government, defense, NGOs, critical infrastructure). Implement Conditional Access policies that block or require MFA for risky sign-ins, favoring hardware security keys (FIDO2) or Microsoft Authenticator passkeys, which bind the authentication to the genuine origin and so cannot be proxied by Evilginx. Avoid telephony-based MFA to mitigate SIM-swapping risks. Follow Microsoft's Conditional Access policy guidance and configure alerting thresholds for anomalous sign-in attempts (e.g., multiple failed logins, sign-ins from unusual locations).
  - MITRE: T1110.003 (Password Spraying), T1078.004 (Cloud Accounts)
- Deploy advanced email security controls to detect and block AitM spear-phishing that uses typosquatted domains and Evilginx. Implement DMARC, DKIM, and SPF to prevent spoofing of your own domains; they do not block mail from an attacker-registered lookalike domain, so add lookalike-domain detection and link rewriting. Use threat intelligence feeds to update filters with known malicious domains such as micsrosoftonline[.]com. Conduct targeted user awareness training on recognizing sophisticated phishing techniques. Leverage Microsoft Defender for Office 365 anti-phishing policies and configure alerts for detected lookalike domains.
  - MITRE: T1566.001 (Spearphishing Attachment), T1539 (Steal Web Session Cookie)
- Implement continuous monitoring and auditing of cloud API usage, focusing on Microsoft Exchange Online and Microsoft Graph. Use Microsoft Defender for Cloud Apps and the unified audit log to detect anomalous or bulk data access patterns. Establish a baseline of normal API usage and configure alerts for deviations such as unusual mailbox access, Sync-type reads from an unfamiliar application, or delegate permission changes. Regularly audit mailbox permissions and delegate access. Integrate logs into the SIEM for correlation.
  - MITRE: T1114.002 (Remote Email Collection), T1530 (Data from Cloud Storage)
- Centralize identity and access management with comprehensive logging of authentication events to a SIEM platform for real-time anomaly detection. Apply least privilege principles and rotate credentials promptly after suspected compromise, revoking the user's sign-in sessions and refresh tokens at the same time, since a stolen session cookie can outlive a password reset. Use Microsoft Entra ID Protection to detect suspicious activities, and hunt for directory enumeration consistent with AzureHound (bursts of Graph directory reads from a single principal). Configure automated response playbooks to disable compromised accounts and revoke sessions.
  - MITRE: T1087.004 (Cloud Account), T1539 (Steal Web Session Cookie)
- Enhance endpoint detection and response (EDR) capabilities to identify living-off-the-land (LOTL) techniques, including PowerShell abuse and AzureHound enumeration. Deploy behavioral analytics and Sigma rules to detect suspicious PowerShell commands and anomalous lateral movement. Implement network segmentation to limit lateral movement and contain breaches. Use Microsoft Defender XDR hunting queries for detecting password spray and session cookie theft activities.
  - MITRE: T1059.001 (PowerShell), T1110.003 (Password Spraying)
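The mailbox-access audit in the third recommendation, as an added example that is not code from the original report or from Microsoft. It consumes constructed MailItemsAccessed records shaped like the Exchange mailbox audit JSON in the unified audit log (the field names and the placeholder application IDs are assumptions) and flags Sync-type reads from an unfamiliar application, delegate access to someone else's mailbox, Exchange throttling of the audit record (which sets IsThrottled once an account reads roughly 1,000 items in 24 hours), and rolling 24-hour totals above that bar.

```python
"""Audit of MailItemsAccessed records for bulk mailbox collection through
Exchange Online / Microsoft Graph. Added example, not code from the original
report or from Microsoft. Records follow the shape of the Exchange mailbox
audit JSON returned by Search-UnifiedAuditLog (field names are an assumption
about your export); the sample records and application IDs are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder client IDs (constructed, not real Microsoft application IDs).
OWA_APP = "aaaaaaaa-0000-0000-0000-000000000001"
NEW_APP = "bbbbbbbb-0000-0000-0000-000000000002"
# Apps allowed to Sync whole mailboxes; an assumption for this tenant.
KNOWN_SYNC_APPS = {OWA_APP}
# Exchange stops writing MailItemsAccessed records and sets IsThrottled once
# an account reads more than about 1,000 items in 24 hours.
BULK_THRESHOLD = 1000


def rec(when, user, owner, app, ip, access, count, throttled=False):
    """One MailItemsAccessed audit record (constructed sample data)."""
    return {"CreationTime": when, "Operation": "MailItemsAccessed", "UserId": user,
            "MailboxOwnerUPN": owner, "ClientAppId": app, "ClientIPAddress": ip,
            "MailAccessType": access, "OperationCount": count,
            "LogonType": 0 if user == owner else 2,          # 0 owner, 2 delegate
            "OperationProperties": [{"Name": "IsThrottled", "Value": "True"}] if throttled else []}


RECORDS = [
    # owner reading a handful of messages in the usual client from the usual IP
    rec("2025-04-02T08:15:00", "anna@example.org", "anna@example.org", OWA_APP, "198.51.100.7", "Bind", 12),
    # same account, unfamiliar app, Sync access, large counts, unfamiliar IP
    rec("2025-04-02T09:00:00", "anna@example.org", "anna@example.org", NEW_APP, "203.0.113.55", "Sync", 900),
    rec("2025-04-02T09:40:00", "anna@example.org", "anna@example.org", NEW_APP, "203.0.113.55", "Sync", 400,
        throttled=True),
    # the compromised account also syncs a shared mailbox it has delegate rights to
    rec("2025-04-02T10:05:00", "anna@example.org", "press@example.org", NEW_APP, "203.0.113.55", "Sync", 600),
]


def _ts(r):
    return datetime.fromisoformat(r["CreationTime"])


def is_throttled(r):
    return any(p.get("Name") == "IsThrottled" and str(p.get("Value")).lower() == "true"
               for p in r.get("OperationProperties", []))


def audit_mailbox_access(records, known_sync_apps=KNOWN_SYNC_APPS,
                         bulk_threshold=BULK_THRESHOLD, window=timedelta(hours=24)):
    """Group by (account, client app) and return the groups that look like
    collection rather than a person reading mail."""
    groups = defaultdict(list)
    for r in records:
        if r.get("Operation") == "MailItemsAccessed":
            groups[(r["UserId"], r["ClientAppId"])].append(r)
    findings = []
    for (user, app), recs in groups.items():
        recs.sort(key=_ts)
        reasons = set()
        for r in recs:
            if r["MailAccessType"] == "Sync" and app not in known_sync_apps:
                reasons.add("sync_from_unknown_app")
            if r["MailAccessType"] == "Sync" and r["MailboxOwnerUPN"] != user:
                reasons.add("delegate_sync")
            if is_throttled(r):
                reasons.add("throttled")      # the audit trail is already incomplete
        # rolling 24-hour item total
        start, total = 0, 0
        for end, r in enumerate(recs):
            total += r["OperationCount"]
            while _ts(r) - _ts(recs[start]) > window:
                total -= recs[start]["OperationCount"]
                start += 1
            if total >= bulk_threshold:
                reasons.add("bulk_read")
                break
        if reasons:
            findings.append({"user": user, "app": app, "reasons": sorted(reasons),
                             "mailboxes": sorted({r["MailboxOwnerUPN"] for r in recs}),
                             "ips": sorted({r["ClientIPAddress"] for r in recs}),
                             "items": sum(r["OperationCount"] for r in recs)})
    return findings


if __name__ == "__main__":
    for finding in audit_mailbox_access(RECORDS):
        print(finding)
```

Treat "throttled" as the most urgent reason: it means Exchange has already stopped recording individual reads for that account, so the true item count is higher than the log shows and the scoping of the incident has to fall back on the first and last timestamps rather than on per-item records.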
MITRE ATT&CK IDs
T1110.003, T1539, T1078.004, T1566.001, T1114.002, T1530, T1087.004, T1059.001
Suggested Pivots
- What specific indicators of compromise (IOCs), including examples of anomalous Microsoft Exchange Online and Microsoft Graph API calls, can be identified from Void Blizzard's cloud API abuse, and how can these be operationalized within existing detection tools to enhance early identification of their campaigns?
  (Rationale: Given Void Blizzard's extensive use of cloud API abuse for data exfiltration, detailed IOC development is critical for timely detection and response.)
- How effective are Void Blizzard's adversary-in-the-middle (AitM) spear-phishing campaigns using typosquatted domains like micsrosoftonline[.]com compared to similar tactics employed by APT28 and APT29, and what advanced email security controls and user training methods can best mitigate these evolving phishing threats?
  (Rationale: The April 2025 shift to AitM spear-phishing represents a significant escalation in sophistication, requiring prioritized defensive measures.)
- What concrete methodologies, such as TTP mapping, infrastructure overlap analysis, and shared tooling examination, can be employed to delineate operational overlaps and potential coordination between Void Blizzard and other Russian APT groups (APT28, APT29, Turla), and how might these insights inform predictive threat modeling?
  (Rationale: Understanding inter-group relationships can reveal broader Russian cyber espionage strategies and improve attribution accuracy.)
- Considering Void Blizzard's targeting of NGOs and critical infrastructure across NATO member states and allied countries, what are the strategic implications for alliance-wide cybersecurity posture, and how can intelligence sharing frameworks be optimized to enhance collective defense against such state-sponsored espionage?
  (Rationale: The geopolitical impact of these campaigns necessitates coordinated multinational responses and intelligence collaboration.)
- What are the current intelligence gaps regarding the full scope and scale of Void Blizzard's operations within the United States and allied nations, and which additional collection capabilities or inter-agency information sharing mechanisms should be prioritized to close these gaps effectively?
  (Rationale: Addressing intelligence shortfalls is essential for comprehensive threat awareness and proactive defense.)
Forecast
Short-Term Forecast (3-6 months)
- Intensification of AitM Spear-Phishing Campaigns Targeting NGOs and Critical Infrastructure
  - Void Blizzard's April 2025 shift to adversary-in-the-middle (AitM) spear-phishing using typosquatted domains (e.g., micsrosoftonline[.]com) and the Evilginx framework will escalate, focusing on NGOs and critical infrastructure in Europe and the U.S. The technique defeats MFA that is not phishing-resistant (SMS, OTP, push approval) by relaying the real login through the proxy and capturing the resulting session cookie; FIDO2 keys and passkeys are unaffected because the assertion is bound to the genuine origin.
  - Scenario: A European NGO involved in Ukraine-related humanitarian aid could experience a breach in which attackers capture a session cookie through a typosquatted login page, gaining persistent access to donor and operational data.
  - Supporting Evidence:
    - The April 2025 campaign against over 20 NGOs shows the group is willing to run targeted, high-effort lures against this sector.
    - Analogous escalation of spear-phishing sophistication was observed with APT28 before their broader targeting campaigns.
  - This forecast is ranked highest due to the immediacy of the threat and the demonstrated effectiveness of these campaigns.
- Expansion and Refinement of Cloud API Abuse for Data Exfiltration and Persistence
  - Void Blizzard will increase the frequency and sophistication of abusing Microsoft Exchange Online and Microsoft Graph APIs for bulk data collection and exfiltration. Their living-off-the-land (LOTL) approach, avoiding custom malware, complicates detection and response.
  - Scenario: A NATO defense contractor's cloud mailboxes could be silently harvested over weeks through API reads that never touch an endpoint agent, leaving the unified audit log as the only record of the activity.
  - Supporting Evidence:
    - Use of AzureHound for Microsoft Entra ID enumeration indicates deep reconnaissance capabilities.
    - Similar cloud API abuse has been documented in other Russian APT campaigns, underscoring a growing trend.
  - This forecast is critical for defenders to prioritize cloud security monitoring.
- Persistent Use of Living-Off-the-Land (LOTL) Techniques and PowerShell for Stealth Operations
  - The group will continue leveraging PowerShell scripting and native tools to maintain stealth and evade detection, increasing the challenge for endpoint detection and response (EDR) solutions.
  - Scenario: An organization's security team might detect anomalous PowerShell commands only after significant lateral movement, highlighting the need for behavioral analytics.
  - Supporting Evidence:
    - AzureHound and PowerShell use is consistent with Turla and other Russian APTs' stealthy tactics.
  - This forecast emphasizes the need for enhanced EDR and behavioral monitoring.
- Continued Credential Theft via Password Spraying and Session Cookie Theft
  - Password spraying and pass-the-cookie attacks will remain primary initial access methods, especially targeting government and defense sectors with weak credential hygiene.
  - Scenario: A government agency could suffer a breach through session cookies stolen by an infostealer infection, similar to the September 2024 Dutch police incident.
  - Supporting Evidence:
    - The Dutch police breach exemplifies the effectiveness of these methods.
    - These tactics are common among Russian APTs like APT29 and APT28.
  - This forecast remains relevant due to the simplicity and effectiveness of these techniques.
- Strengthened Intelligence Sharing and Multinational Cyber Defense Coordination
  - NATO's Cooperative Cyber Defence Centre of Excellence (CCDCOE), EU Cyber Rapid Response Teams (CRRT), and allied intelligence agencies will intensify information sharing and joint advisories to counter Void Blizzard's campaigns.
  - Scenario: Following the public disclosure of Void Blizzard's TTPs, NATO allies may conduct coordinated threat hunting exercises and share IOC feeds, similar to the collective response to APT28's campaigns in 2018-2019.
  - Supporting Evidence:
    - Joint public disclosures by Dutch intelligence and Microsoft reflect growing multinational collaboration.
    - Historical precedents show alliance-driven intelligence sharing improves detection and mitigation.
  - This forecast is important for strategic defense but less immediate operationally.
Long-Term Forecast (12-24 months)
- Evolution and Proliferation of AitM Phishing Techniques Among State-Sponsored Actors (Moderate Speculation)
  - Void Blizzard's success with AitM phishing will likely inspire other Russian APTs (APT28, APT29) and potentially non-Russian state actors to adopt and evolve these techniques, increasing the sophistication and prevalence of phishing attacks.
  - Rationale: Historical patterns show Russian APTs adopting effective TTPs from each other; the integration of AI-driven social engineering and multi-vector phishing is plausible given current trends.
  - Scenario: A future campaign could combine AI-generated personalized phishing content with AitM frameworks, sharply increasing success rates.
  - This forecast is ranked highest for long-term impact but is labeled as moderate speculation due to evolving technology and adversary innovation.
- Deepening Focus on Cloud Identity Systems and Infrastructure Exploitation
  - Over the next 1-2 years, Void Blizzard and similar groups will intensify targeting of cloud identity systems (e.g., Microsoft Entra ID) and cloud infrastructure, exploiting misconfigurations and weak access controls to maintain persistence and conduct espionage.
  - Scenario: A critical infrastructure provider's cloud environment could be compromised through privilege escalation enabled by AzureHound reconnaissance, leading to prolonged undetected access.
  - Supporting Evidence:
    - Emphasis on AzureHound use and cloud API abuse aligns with broader trends in Russian cyber espionage.
    - APT29's documented cloud targeting supports this forecast.
  - This forecast is critical for organizations to prioritize cloud security and identity governance.
- Emergence of Coordinated Multi-APT Campaigns Leveraging Shared Infrastructure and TTPs (Moderate Speculation)
  - Given operational overlaps with APT28, APT29, and Turla, coordinated or parallel campaigns leveraging shared infrastructure, tooling, and intelligence are likely to increase, maximizing impact against NATO and allied targets.
  - Rationale: Russian GRU-linked groups have historically coordinated operations; shared LOTL and cloud abuse techniques suggest modular, collaborative approaches.
  - Scenario: Simultaneous campaigns targeting multiple sectors with shared C2 infrastructure could overwhelm defenders, similar to the multi-vector campaigns seen in the 2022 Ukraine conflict cyber operations.
  - This forecast is important for strategic threat modeling but is moderate speculation due to limited direct evidence.
- Regulatory and Industry Pressure to Harden Cloud and Identity Security
  - Regulatory bodies in the U.S. (e.g., CISA's Binding Operational Directives) and EU (e.g., NIS2 Directive) will impose stricter security standards focused on phishing-resistant MFA, conditional access, and cloud API monitoring, especially for critical infrastructure and government sectors.
  - Scenario: Organizations failing to comply with enhanced MFA and cloud monitoring mandates could face penalties and increased breach risk.
  - Supporting Evidence:
    - Recent U.S. executive orders and EU cybersecurity legislation emphasize identity security and cloud governance.
    - Industry frameworks like NIST SP 800-63B and CIS Controls are evolving to address these threats.
  - This forecast is relevant for long-term organizational security planning.
- Development and Adoption of Advanced Detection and Response Solutions for Cloud API Abuse and AitM Phishing
  - Security vendors and open-source communities will develop sophisticated detection tools and playbooks targeting cloud API abuse and AitM phishing, integrating AI/ML for anomaly detection and automated response.
  - Scenario: Microsoft Defender for Cloud Apps and XDR solutions will incorporate granular API behavior analytics and phishing detection, enabling earlier detection of stealthy campaigns.
  - Supporting Evidence:
    - Security product evolution shows increasing focus on cloud-native threat detection.
    - Community-driven Sigma rules and YARA signatures are expanding to cover LOTL and phishing frameworks like Evilginx.
  - This forecast is important for defenders to anticipate and adopt emerging technologies.
MITRE ATT&CK IDs
T1110.003, T1539, T1078.004, T1566.001, T1114.002, T1530, T1087.004, T1059.001
Appendix
References
- (2025-05-27) – New Russia-affiliated actor Void Blizzard targets critical sectors for espionage – Microsoft Security Blog
- (2025-05-27) – New Russian APT group Void Blizzard targets NATO-based orgs after infiltrating Dutch police – CSO Online
- (2025-05-27) – Russia-linked APT Laundry Bear linked to 2024 Dutch Police attack – Security Affairs
- (2025-05-27) – New Russian cyber-spy crew Laundry Bear joins the pack – The Register
- (2025-05) – CISA Alerts and Advisories (Recommended for ongoing monitoring of related threat intelligence and mitigation updates)
AlphaHunt
(c) 2025 CSIRT Gadgets, LLC
License - CC BY-SA 4.0
MITRE ATT&CK
Techniques
- T1110.003 (Brute Force: Password Spraying)
  - Void Blizzard uses password spraying as a primary initial access method, targeting government, defense, and critical infrastructure sectors. This technique yields access to accounts with weak or reused passwords and no phishing-resistant MFA.
- T1539 (Steal Web Session Cookie)
  - In the September 2024 Dutch police breach, Void Blizzard executed a pass-the-cookie attack using a session cookie stolen by an infostealer. Replaying the cookie bypassed both the password and any MFA prompt and gave stealthy access to sensitive police accounts. The April 2025 Evilginx campaign captures the same kind of cookie at the moment the victim signs in through the proxy.
- T1078.004 (Valid Accounts: Cloud Accounts)
  - The group uses stolen credentials and hijacked sessions to operate as legitimate users in Microsoft 365, including Exchange Online, SharePoint, and Teams, for persistence and data access.
- T1566.001 (Phishing: Spearphishing Attachment)
  - Void Blizzard conducts spear-phishing campaigns that lead victims to adversary-in-the-middle (AitM) phishing pages on typosquatted domains (e.g., micsrosoftonline[.]com) running the Evilginx framework, which captures credentials and session tokens. (The AitM mechanism itself maps to T1539; T1557.001 is LLMNR/NBT-NS poisoning, a different technique.)
- T1114.002 (Email Collection: Remote Email Collection) and T1530 (Data from Cloud Storage)
  - Void Blizzard abuses Microsoft cloud APIs (Exchange Online, Microsoft Graph) to enumerate and collect mailboxes, shared mailboxes, and cloud-hosted files in bulk without deploying custom malware.
- T1087.004 (Account Discovery: Cloud Account)
  - The group uses AzureHound, the Azure collector for BloodHound (S0521), to enumerate Microsoft Entra ID users, groups, roles, and application permissions and identify valuable accounts for further exploitation.
- T1059.001 (Command and Scripting Interpreter: PowerShell)
  - Living-off-the-land techniques such as PowerShell scripting are used for execution and automation, enabling stealthy operations without custom malware. (T1086, the ID used in older references, was deprecated in favor of T1059.001.)
Tactics
- TA0001 (Initial Access)
  - Techniques like password spraying, spear-phishing with AitM, and session cookie theft are employed to gain initial access to targeted tenants.
- TA0006 (Credential Access)
  - Credential theft through session cookie theft, AitM phishing, and password spraying is central to their operations.
- TA0009 (Collection) and TA0010 (Exfiltration)
  - The group collects mailbox and file contents through cloud APIs and exfiltrates them over the same channel, enabling large-scale data theft without traditional malware.
Procedures
- Pass-the-Cookie Attack in Dutch Police Breach
  - In September 2024, Void Blizzard compromised a Dutch police employee's account by stealing web session cookies via an infostealer infection. This allowed them to bypass password authentication and access sensitive contact information without triggering typical credential-based alerts.
- AitM Spear-Phishing with Typosquatted Domains
  - In April 2025, the group shifted to targeted spear-phishing campaigns using adversary-in-the-middle phishing traps. They employed typosquatted domains such as micsrosoftonline[.]com and the Evilginx framework to intercept authentication tokens and session cookies, enabling access to high-value NGO accounts in Europe and the U.S.
- Cloud Environment Enumeration Using AzureHound (BloodHound Component)
  - Void Blizzard uses AzureHound to map Microsoft Entra ID configurations, identifying privileged accounts and permissions. This reconnaissance supports lateral movement and privilege escalation within cloud environments.
Software
- Evilginx (no MITRE ATT&CK software entry)
  - Evilginx is used as an adversary-in-the-middle phishing framework: it proxies the real login page from a lookalike domain and captures the credentials and session cookie the victim's own sign-in produces.
- S0521 (BloodHound)
  - BloodHound, with its AzureHound collector, is used for Active Directory and Microsoft Entra ID enumeration, aiding in account discovery and privilege escalation.
Mitigations
- M1032 (Multi-factor Authentication)
  - Enforce phishing-resistant MFA methods such as hardware security keys (FIDO2) or Microsoft Authenticator passkeys to prevent credential theft and session hijacking.
- M1017 (User Training)
  - Conduct targeted user training to recognize sophisticated spear-phishing and AitM phishing attacks, including awareness of typosquatted domains.
- M1047 (Audit)
  - Implement continuous monitoring and auditing of cloud API usage, mailbox access, and delegate permissions to detect anomalous activity indicative of abuse.
Groups
- Void Blizzard / Laundry Bear (not yet assigned a MITRE Group ID)
  - A newly identified Russian state-backed cyber espionage group active since April 2024. Microsoft tracks it as Russia-affiliated and AIVD/MIVD assess it as likely working for the Russian state; no sponsoring service has been named publicly. Distinct from but operationally overlapping with other Russian APTs.
- G0007 APT28 (Fancy Bear)
  - Russian GRU-linked group known for espionage and influence operations targeting Western governments and critical infrastructure. Shares some TTPs with Void Blizzard, such as credential theft and spear-phishing.
- G0016 APT29 (Cozy Bear)
  - Russian SVR-linked group focused on espionage against government and diplomatic targets. Uses similar cloud and credential theft techniques.
- G0010 Turla (Venomous Bear)
  - Russian FSB-linked espionage group with sophisticated malware and long-term campaigns. Provides context for the broader Russian cyber espionage ecosystem.