National Cyber Warfare Foundation (NCWF)

Void Blizzard


1 user ratings
2025-05-30 23:19:27
blscott

Void Blizzard: A New Russian State-Sponsored Cyber Espionage Threat

aka Laundry Bear (the name used by the Dutch AIVD and MIVD). Not to be confused with Star Blizzard (SEABORGIUM, COLDRIVER, Callisto Group), which is a separate Russian state-aligned actor.


Void Blizzard, also known as "Laundry Bear," is a recently identified Russia-affiliated advanced persistent threat (APT) group. Active since at least April 2024, the group has conducted cyber espionage operations primarily against organizations aligned with NATO and Ukraine. Its activity concentrates on sectors critical to national infrastructure, including government, defense, healthcare, transportation, media, and non-governmental organizations (NGOs).




Origins and Attribution


Microsoft Threat Intelligence, in collaboration with the Netherlands' General Intelligence and Security Service (AIVD) and Defence Intelligence and Security Service (MIVD), has been monitoring Void Blizzard's activities. The group is assessed with high confidence to be affiliated with Russian state interests, based on its targeting patterns and operational behavior.

Targeted Sectors and Geographical Focus


Void Blizzard's operations have a global reach but disproportionately affect NATO member states and Ukraine. The group's targeting includes:

  • Government agencies and services
  • Defense industrial base
  • Healthcare
  • Education
  • Information technology
  • Media
  • NGOs
  • Transportation

Notably, in September 2024, Void Blizzard successfully infiltrated the Netherlands' national police force, stealing work-related contact details of police staff.


Tactics, Techniques, and Procedures (TTPs)


Initial Access


Void Blizzard employs a combination of unsophisticated and evolving techniques to gain initial access:

  • Credential Theft: Using stolen sign-in details, often procured from online marketplaces and infostealer malware ecosystems.
  • Password Spraying: Trying a small set of common or leaked passwords against many accounts, which keeps the failure count per account below lockout thresholds while still compromising weakly protected accounts.
  • Spear Phishing: In April 2025, Void Blizzard began targeted spear-phishing campaigns. The emails carried malicious PDF attachments containing QR codes that led victims to credential phishing pages mimicking Microsoft Entra sign-in portals. The pages were built on the open-source Evilginx adversary-in-the-middle (AiTM) framework, which relays the real login flow and captures usernames, passwords, and session cookies, so the stolen session can be replayed without satisfying multi-factor authentication (MFA) again.
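Two of the initial-access techniques above leave distinctive shapes in the Microsoft Entra sign-in log: a spray shows up as one source IP failing once against many accounts, and a replayed Evilginx-captured session shows up as one session ID signing in successfully from two different IPs. The following is an added example (not code from the original post, from Microsoft, or from the Dutch services) that implements both heuristics over a constructed, simplified sign-in log; the field names are a reduced subset of the real schema, the sample records and IPs are made up, and the thresholds are illustrative assumptions.

```python
"""Added example: two detection heuristics for the initial-access techniques
described above, run over constructed Microsoft Entra sign-in records.
Field names are a simplified subset of the real sign-in log schema, the
sample data is made up, and the thresholds are illustrative assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

INVALID_PASSWORD = 50126   # Entra sign-in error: invalid username or password
SUCCESS = 0                # Entra sign-in error code 0 means the sign-in succeeded


def rec(time, user, ip, status, session, mfa):
    return {"time": time, "user": user, "ip": ip, "status": status,
            "session": session, "mfa": mfa}


# Constructed sample log (not real telemetry). 198.51.100.7 fails once against
# each of six accounts in under a minute: the password-spray shape. Later,
# session "s-aaa" is established with MFA from 203.0.113.5 and then reused
# from 192.0.2.44, which is what a replayed Evilginx-captured session cookie
# looks like in the sign-in log.
SIGNIN_LOGS = [
    rec("2025-04-10T08:00:01Z", "alice@contoso.example", "198.51.100.7", INVALID_PASSWORD, "s-001", False),
    rec("2025-04-10T08:00:03Z", "bob@contoso.example",   "198.51.100.7", INVALID_PASSWORD, "s-002", False),
    rec("2025-04-10T08:00:05Z", "carol@contoso.example", "198.51.100.7", INVALID_PASSWORD, "s-003", False),
    rec("2025-04-10T08:00:08Z", "dave@contoso.example",  "198.51.100.7", INVALID_PASSWORD, "s-004", False),
    rec("2025-04-10T08:00:10Z", "erin@contoso.example",  "198.51.100.7", INVALID_PASSWORD, "s-005", False),
    rec("2025-04-10T08:00:12Z", "frank@contoso.example", "198.51.100.7", INVALID_PASSWORD, "s-006", False),
    rec("2025-04-10T08:30:00Z", "alice@contoso.example", "203.0.113.5",  INVALID_PASSWORD, "s-007", False),  # single typo, benign
    rec("2025-04-10T09:00:00Z", "grace@contoso.example", "203.0.113.5",  SUCCESS, "s-aaa", True),            # legitimate MFA sign-in
    rec("2025-04-10T09:12:00Z", "grace@contoso.example", "192.0.2.44",   SUCCESS, "s-aaa", True),            # same session, new IP
    rec("2025-04-10T09:15:00Z", "heidi@contoso.example", "203.0.113.9",  SUCCESS, "s-bbb", True),
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(logs, min_accounts=5, window=timedelta(minutes=10)):
    """Return {source_ip: [accounts]} for IPs whose invalid-password failures
    hit at least `min_accounts` distinct accounts inside some `window`.
    Sprays are low-and-slow per account, so the signal is breadth across
    accounts from one source, not depth against one account."""
    failures = defaultdict(list)
    for r in logs:
        if r["status"] == INVALID_PASSWORD:
            failures[r["ip"]].append((parse_time(r["time"]), r["user"]))
    hits = {}
    for ip, events in failures.items():
        events.sort()
        best, start = set(), 0
        for end in range(len(events)):            # sliding time window
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_accounts:
            hits[ip] = sorted(best)
    return hits


def detect_session_replay(logs, max_gap=timedelta(hours=1)):
    """Return [(session_id, first_ip, second_ip)] where one session ID produced
    successful sign-ins from two different IPs within `max_gap`. MFA was already
    satisfied on the captured session, so the MFA flag alone does not help;
    the IP change on a fixed session ID is the observable."""
    by_session = defaultdict(list)
    for r in logs:
        if r["status"] == SUCCESS:
            by_session[r["session"]].append((parse_time(r["time"]), r["ip"]))
    findings = []
    for sess, events in by_session.items():
        events.sort()
        for (t1, ip1), (t2, ip2) in zip(events, events[1:]):
            if ip1 != ip2 and t2 - t1 <= max_gap:
                findings.append((sess, ip1, ip2))
    return findings


if __name__ == "__main__":
    print("password spray:", detect_password_spray(SIGNIN_LOGS))
    print("session replay:", detect_session_replay(SIGNIN_LOGS))
```

In production the same two queries would be written against the SigninLogs table rather than a Python list, and the session-replay check would normally also compare the autonomous system or country of the two IPs to cut down on noise from mobile clients changing networks.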




Post-Compromise Activities


Once inside a network, Void Blizzard engages in extensive data collection and reconnaissance:

  • Cloud Exploitation: Abusing legitimate cloud APIs, such as Exchange Online and Microsoft Graph, to enumerate user mailboxes and cloud-hosted files. The group often automates bulk collection of the emails and documents accessible to compromised accounts.
  • Microsoft Teams Access: In some cases, the group has accessed Microsoft Teams conversations and messages via the web client application.
  • Directory Enumeration: Using tools like AzureHound to map Microsoft Entra ID configurations, gathering information about users, roles, groups, applications, and devices within the tenant.
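The cloud-exploitation and directory-enumeration bullets above describe two request patterns that are visible in Microsoft Graph activity logging once a compromised account starts collecting: a rapid sweep across the directory collections (users, groups, service principals, devices, applications, role assignments) as an AzureHound-style collector walks the tenant, followed by paged message reads across several mailboxes. The following is an added example (not code from the original post or from Microsoft) that flags both over a constructed, simplified log; it covers the Graph API side only, not Exchange Online audit records, the field names are a reduced subset of the real schema, the sample requests and IPs are made up, and the thresholds are illustrative assumptions.

```python
"""Added example: heuristics for the post-compromise collection described
above, run over constructed records shaped like Microsoft Graph activity log
entries (principal, time, source IP, method, request URI). Field names are
simplified, the sample data is made up, and the thresholds are illustrative."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Directory collections that an AzureHound-style collector walks in quick succession.
DIRECTORY_ENDPOINTS = {
    "/users", "/groups", "/devices", "/applications", "/servicePrincipals",
    "/roleManagement/directory/roleAssignments",
}
# Mailbox reads: /users/{id}/messages, /users/{id}/mailFolders/..., or /me/...
MAILBOX_RE = re.compile(r"^/(?:me|users/([^/]+))/(?:messages|mailFolders)")


def rec(time, principal, ip, method, uri):
    return {"time": time, "principal": principal, "ip": ip, "method": method, "uri": uri}


# Constructed sample (not real telemetry). user-1 is the compromised account:
# it sweeps the directory collections in about 15 s, then pulls messages from
# three mailboxes it can reach, 1000 at a time. user-2 is ordinary mail-client traffic.
GRAPH_LOGS = [
    rec("2025-05-01T10:00:00Z", "user-1", "192.0.2.44", "GET", "/v1.0/users?$top=999"),
    rec("2025-05-01T10:00:03Z", "user-1", "192.0.2.44", "GET", "/v1.0/groups?$top=999"),
    rec("2025-05-01T10:00:06Z", "user-1", "192.0.2.44", "GET", "/v1.0/servicePrincipals?$top=999"),
    rec("2025-05-01T10:00:09Z", "user-1", "192.0.2.44", "GET", "/v1.0/applications?$top=999"),
    rec("2025-05-01T10:00:12Z", "user-1", "192.0.2.44", "GET", "/v1.0/devices?$top=999"),
    rec("2025-05-01T10:00:15Z", "user-1", "192.0.2.44", "GET", "/v1.0/roleManagement/directory/roleAssignments"),
    rec("2025-05-01T10:05:00Z", "user-1", "192.0.2.44", "GET", "/v1.0/users/alice@contoso.example/messages?$top=1000"),
    rec("2025-05-01T10:05:04Z", "user-1", "192.0.2.44", "GET", "/v1.0/users/alice@contoso.example/messages?$top=1000&$skip=1000"),
    rec("2025-05-01T10:05:09Z", "user-1", "192.0.2.44", "GET", "/v1.0/users/bob@contoso.example/messages?$top=1000"),
    rec("2025-05-01T10:05:13Z", "user-1", "192.0.2.44", "GET", "/v1.0/users/bob@contoso.example/messages?$top=1000&$skip=1000"),
    rec("2025-05-01T10:05:20Z", "user-1", "192.0.2.44", "GET", "/v1.0/users/finance@contoso.example/messages?$top=1000"),
    rec("2025-05-01T10:05:25Z", "user-1", "192.0.2.44", "GET", "/v1.0/users/finance@contoso.example/mailFolders/inbox/messages?$top=1000"),
    rec("2025-05-01T10:07:00Z", "user-2", "203.0.113.5", "GET", "/v1.0/me/messages?$top=25"),
    rec("2025-05-01T10:09:00Z", "user-2", "203.0.113.5", "GET", "/v1.0/me/mailFolders/inbox/messages?$top=25"),
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def endpoint(uri):
    """Strip the query string and the /v1.0 or /beta prefix from a request URI."""
    return re.sub(r"^/(?:v1\.0|beta)", "", uri.split("?", 1)[0])


def densest_window(events, window):
    """events: sorted [(time, item)]. Return the items inside the `window`-long
    span that holds the most events (a sliding window over the timeline)."""
    best, start = [], 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        if end - start + 1 > len(best):
            best = [item for _, item in events[start:end + 1]]
    return best


def detect_directory_enumeration(logs, min_endpoints=4, window=timedelta(minutes=5)):
    """{principal: [endpoints]} for principals that read at least `min_endpoints`
    distinct directory collections within one window: AzureHound-style mapping."""
    per_principal = defaultdict(list)
    for r in logs:
        path = endpoint(r["uri"])
        if r["method"] == "GET" and path in DIRECTORY_ENDPOINTS:
            per_principal[r["principal"]].append((parse_time(r["time"]), path))
    hits = {}
    for principal, events in per_principal.items():
        seen = set(densest_window(sorted(events), window))
        if len(seen) >= min_endpoints:
            hits[principal] = sorted(seen)
    return hits


def detect_bulk_mail_collection(logs, min_requests=5, window=timedelta(minutes=10)):
    """{principal: {"requests": n, "mailboxes": [...]}} for principals issuing at
    least `min_requests` mailbox reads within one window; paging through
    $top=1000 results across several mailboxes is the bulk-collection shape."""
    per_principal = defaultdict(list)
    for r in logs:
        m = MAILBOX_RE.match(endpoint(r["uri"]))
        if r["method"] == "GET" and m:
            mailbox = m.group(1) or r["principal"]   # /me/... is the caller's own mailbox
            per_principal[r["principal"]].append((parse_time(r["time"]), mailbox))
    hits = {}
    for principal, events in per_principal.items():
        reads = densest_window(sorted(events), window)
        if len(reads) >= min_requests:
            hits[principal] = {"requests": len(reads), "mailboxes": sorted(set(reads))}
    return hits


if __name__ == "__main__":
    print("directory enumeration:", detect_directory_enumeration(GRAPH_LOGS))
    print("bulk mail collection:", detect_bulk_mail_collection(GRAPH_LOGS))
```

Both checks key on the calling principal rather than the source IP, because a stolen session token is typically used from infrastructure the tenant has never seen; pairing a hit here with the same account's recent sign-in history (new IP, new session) is what turns a noisy rate alert into a credible compromise finding.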






Copyright 2012 through 2025 - National Cyber Warfare Foundation - All rights reserved worldwide.