Microsoft, Dutch security agencies lift veil on Laundry Bear cyber espionage group

The Dutch intelligence and security services have identified a new Russia-affiliated threat group that has been breaching government organizations and commercial entities in Europe and North America, and they dubbed it Laundry Bear.

“Compared to some other Russian threat actors under investigation by the services, Laundry Bear has a high success rate,” the Netherlands’ General Intelligence and Security Service (AIVD) and the Defence Intelligence and Security Service (MIVD) shared today.

They attribute the group’s success to quick-paced cyber operations and efficient use of automation.

“Laundry Bear has successfully managed to fly below the radar by employing simple attack methods and attack vectors involving tools which are readily available on victims’ computers and are therefore difficult for organisations to detect and distinguish from other known Russian threat actors,” the two agencies added.

The targets

The agencies pinpointed the group’s existence after investigating the September 2024 breach of the Dutch National Police, during which the group used a stolen session cookie to gain access to the account of a Dutch police employee and, through it, grabbed work-related contact information of other police employees.

Laundry Bear also targeted other entities relevant to Russia’s war efforts in Ukraine: defense and foreign affairs ministries, ambassadors, branches of the armed forces, and defense contractors in many NATO and EU countries. It also went after social, cultural, and non-governmental organizations; digital service providers (to enterprise customers); aerospace firms and tech companies; and organizations in critical sectors.

“Technical investigation of the victims revealed that Laundry Bear highly probably intended to obtain sensitive information relating to the procurement and production of military goods by Western governments, and weapons deliveries to Ukraine from Western countries,” the agencies say.

“The Dutch services have noticed that the group appears to have some degree of knowledge about the production and delivery of military goods and the corresponding dependencies. Furthermore, Laundry Bear has mounted cyber attacks against businesses producing advanced technologies which are difficult for Russia to obtain due to Western sanctions.”

Laundry Bear’s tactics, techniques, and procedures (TTPs)

The main goal of Laundry Bear – or Void Blizzard, as Microsoft calls the group – is to extract sensitive emails and files.

They break into targets’ email and Microsoft accounts through password spray attacks or pass-the-cookie attacks. For the latter, they use web session cookies stolen by infostealers and sold on the dark web, but Microsoft says the group has also been using the open-source Evilginx adversary-in-the-middle framework and phishing pages to steal authentication credentials and cookies itself.

“After gaining initial access, Void Blizzard abuses legitimate cloud APIs, such as Exchange Online and Microsoft Graph, to enumerate users’ mailboxes, including any shared mailboxes, and cloud-hosted files. Once accounts are successfully compromised, the actor likely automates the bulk collection of cloud-hosted data (primarily email and files) and any mailboxes or file shares that the compromised user can access, which can include mailboxes and folders belonging to other users who have granted other users read permissions,” the company explained.
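As an added illustration of how a defender might look for the tradecraft described in the two paragraphs above (password spraying, reuse of stolen session cookies, and bulk mailbox collection through cloud APIs), the following Python sketch runs three simple checks over constructed sign-in and mailbox audit records. It is not code from Microsoft or the Dutch services; the log schema is an assumed normalized one, the records are made up for the example, and the thresholds are arbitrary starting points.

```python
"""Detection sketch for the tradecraft described in the article: password
spraying, pass-the-cookie session reuse and bulk mailbox collection through
cloud APIs. All records below are constructed; the field names are an assumed
normalized schema, not the real Entra ID or Exchange Online audit format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (assumed fields: ts, user, ip, result, session_id).
SIGNINS = [
    # one source IP, six different accounts, all failures within five minutes: spray
    {"ts": "2024-09-01T08:00:00", "user": "alice", "ip": "203.0.113.5", "result": "failure", "session_id": None},
    {"ts": "2024-09-01T08:01:00", "user": "bob", "ip": "203.0.113.5", "result": "failure", "session_id": None},
    {"ts": "2024-09-01T08:02:00", "user": "carol", "ip": "203.0.113.5", "result": "failure", "session_id": None},
    {"ts": "2024-09-01T08:03:00", "user": "dave", "ip": "203.0.113.5", "result": "failure", "session_id": None},
    {"ts": "2024-09-01T08:04:00", "user": "erin", "ip": "203.0.113.5", "result": "failure", "session_id": None},
    {"ts": "2024-09-01T08:05:00", "user": "frank", "ip": "203.0.113.5", "result": "failure", "session_id": None},
    # a single mistyped password from a normal user: not a spray
    {"ts": "2024-09-01T08:10:00", "user": "hank", "ip": "198.51.100.9", "result": "failure", "session_id": None},
    {"ts": "2024-09-01T08:11:00", "user": "hank", "ip": "198.51.100.9", "result": "success", "session_id": "S2"},
    # gina signs in legitimately, then her session cookie shows up from another IP
    {"ts": "2024-09-01T09:00:00", "user": "gina", "ip": "198.51.100.7", "result": "success", "session_id": "S1"},
    {"ts": "2024-09-01T09:30:00", "user": "gina", "ip": "192.0.2.44", "result": "success", "session_id": "S1"},
]

# Constructed mailbox audit records (assumed fields: actor, op, mailbox).
AUDIT = [
    {"actor": "gina", "op": "MailItemsAccessed", "mailbox": "gina"},
    {"actor": "gina", "op": "MailItemsAccessed", "mailbox": "shared-procurement"},
    {"actor": "gina", "op": "MailItemsAccessed", "mailbox": "bob"},
    {"actor": "gina", "op": "MailItemsAccessed", "mailbox": "carol"},
    {"actor": "gina", "op": "MailItemsAccessed", "mailbox": "dave"},
    {"actor": "hank", "op": "MailItemsAccessed", "mailbox": "hank"},
    {"actor": "hank", "op": "Create", "mailbox": "hank"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def detect_password_spray(events, min_accounts=5, window=timedelta(minutes=30)):
    """Return {ip: [users]} for source IPs that failed against at least
    `min_accounts` distinct accounts inside any `window`-long span."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[e["ip"]].append((_ts(e["ts"]), e["user"]))
    flagged = {}
    for ip, attempts in failures.items():
        attempts.sort()
        left = 0
        for right in range(len(attempts)):
            while attempts[right][0] - attempts[left][0] > window:
                left += 1
            if len({u for _, u in attempts[left:right + 1]}) >= min_accounts:
                # report every account this IP tried, so the analyst sees the full scope
                flagged[ip] = sorted({u for _, u in attempts})
                break
    return flagged


def detect_session_reuse(events):
    """Return {session_id: [ips]} for successful sessions seen from more than one
    source IP, the basic pass-the-cookie indicator."""
    ips = defaultdict(set)
    for e in events:
        if e["result"] == "success" and e["session_id"]:
            ips[e["session_id"]].add(e["ip"])
    return {sid: sorted(v) for sid, v in ips.items() if len(v) > 1}


def detect_bulk_mailbox_access(audit, max_mailboxes=3):
    """Return {actor: [mailboxes]} for principals reading more distinct mailboxes
    than `max_mailboxes`, the pattern of scripted collection through cloud APIs."""
    boxes = defaultdict(set)
    for a in audit:
        if a["op"] == "MailItemsAccessed":
            boxes[a["actor"]].add(a["mailbox"])
    return {actor: sorted(v) for actor, v in boxes.items() if len(v) > max_mailboxes}


def run(signins=SIGNINS, audit=AUDIT):
    """Run all three checks and return the findings keyed by check name."""
    return {
        "password_spray": detect_password_spray(signins),
        "session_reuse": detect_session_reuse(signins),
        "bulk_mailbox_access": detect_bulk_mailbox_access(audit),
    }


if __name__ == "__main__":
    for name, hits in run().items():
        print(name, hits)
```

In a real tenant the session-reuse check would key on ASN, device or token binding rather than raw IP, because mobile users change addresses constantly, and the mailbox threshold would be tuned per role (a shared-mailbox delegate legitimately reads several). Microsoft's published hunting queries, referenced later in the article, are the authoritative starting point; this sketch only shows the shape of the signals.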

In a few cases, they also accessed Microsoft Teams conversations and used the compromised organization’s Microsoft Entra ID configuration to extract information about the users, roles, groups, applications, and devices belonging to the targeted tenant.

“In some cases, the Dutch services have established that Laundry Bear has stolen data from compromised SharePoint environments, where the group exploits known vulnerabilities to collect login credentials for later operations,” the Dutch security services noted.

“Because Laundry Bear highly probably restricts its actions to existing access to Microsoft accounts without attempting to expand its access to underlying networks or systems, it appears to have flown under the radar of network and system administrators relatively easily and for an extended period.”

Both Microsoft and the Dutch agencies have provided recommendations on how to detect and fend off the group’s attacks, and Microsoft also shared threat hunting queries organizations can use. The Dutch police have sent emails to all police officers notifying them of the agencies’ findings.
