Threat Insight
New Russian Cyber Espionage Group
The Netherlands security service and the Microsoft security team have together revealed a new Russian cyber espionage actor known as Void Blizzard or Laundry Bear. Void Blizzard has been active since at least April 2024.

While Void Blizzard has a global reach, its cyber espionage activity disproportionately targets NATO member states and Ukraine, indicating that the actor is likely collecting intelligence to help support Russian strategic objectives. In particular, the threat actor’s prolific activity against networks in critical sectors poses a heightened risk to NATO member states and to allies of Ukraine in general.
Void Blizzard regularly targets government organizations and law enforcement agencies, particularly in NATO member states and especially in countries that provide direct military or humanitarian support to Ukraine. Within Ukraine, Void Blizzard has successfully compromised organizations in multiple sectors, including education, transportation, and defense.
In October 2024, Void Blizzard compromised several user accounts at a Ukrainian aviation organization that had been previously targeted by Russian General Staff Main Intelligence Directorate (GRU) actor Seashell Blizzard in 2022.
Its operations predominantly leverage unsophisticated techniques for initial access, such as password spraying and the use of stolen authentication credentials. Microsoft assesses that Void Blizzard procures cookies and other credentials through criminal ecosystems. These credentials appear to be used primarily to steal email from victims, although Void Blizzard sometimes also collects data from SharePoint Online.
Assessment
Even though Void Blizzard has reportedly been successful, it appears to be a relatively immature cyber espionage group using mostly basic hacking techniques.
The overlap in targets between the GRU cyber espionage group Forest Blizzard and Void Blizzard suggests that this new group could also be part of the GRU. Other GRU threat actors have also been observed buying credentials from cybercriminal ecosystems.[3]
One possibility is therefore that Void Blizzard may represent a new GRU cyber espionage unit, possibly established outside Moscow, where most GRU cyber units are located, to widen recruitment.
Another possibility is that Void Blizzard represents an attempt by some actor close to President Putin’s inner circle to create a private cyber espionage unit. This could also explain the links to the cybercriminal ecosystem.
The relative success of Void Blizzard also highlights that improved cybersecurity still often involves relatively basic measures, such as enforcing MFA on all incoming connections.
References
[1] https://www.microsoft.com/en-us/security/blog/2025/05/27/new-russia-affiliated-actor-void-blizzard-targets-critical-sectors-for-espionage/
[2] https://www.defensie.nl/actueel/nieuws/2025/05/27/onbekende-russische-groep-achter-hacks-nederlandse-doelen
[3] https://thehackernews.com/2025/02/microsoft-uncovers-sandworm-subgroups.html