The Dutch intelligence and security services, the AIVD and MIVD, have publicly identified a Russia-affiliated threat group they call Laundry Bear. The group has been breaching government organizations and commercial entities across Europe and North America. For security teams, understanding Laundry Bear's tactics, targets and methods matters beyond this one actor: its techniques (password spraying, stolen session cookies and abuse of legitimate cloud APIs) are shared with many other groups, so defenses built against it carry over to similar threats.
What Is Laundry Bear? A Rising Russian Cyber Threat
Laundry Bear, tracked by Microsoft as Void Blizzard, is a Russian threat group with a high rate of success that stayed under the radar for some time. The Dutch agencies AIVD and MIVD attribute that success to fast, largely automated operations and to cheap, readily available tooling rather than bespoke malware. Because the group logs in with stolen or guessed credentials and then uses the same cloud interfaces as legitimate users, its activity blends into normal traffic and is easy to overlook.
Unlike many advanced persistent threats (APTs), Laundry Bear combines simple attack methods with automation, which lets it work through a broad set of organizations efficiently. Its goal is to collect sensitive information, especially on military procurement, weapons deliveries and exports of advanced technology, all of which matter to Russia in the context of the war in Ukraine and Western sanctions.
The Targets: Who Are Laundry Bear’s Victims?
The Dutch agencies have traced the group’s activities to multiple high-value targets. For instance, during the September 2024 breach of the Dutch National Police, Laundry Bear gained access to an officer’s account using a stolen session cookie. From there, they accessed work-related contact information of other police personnel. This breach exemplifies their capability to infiltrate law enforcement agencies and potentially compromise national security.
Beyond law enforcement, Laundry Bear’s targets include defense ministries, foreign affairs departments, NATO and EU military branches, and defense contractors. The group also attacks social, cultural, and non-governmental organizations, along with digital service providers catering to enterprise clients. Aerospace firms and tech companies involved in advanced technology production and delivery—especially those under Western sanctions—are also on their radar.
Of particular concern is their apparent focus on obtaining information related to the production and delivery of military hardware and weapons. By doing so, they aim to gather intelligence on procurement processes, dependencies, and technological capabilities that could benefit Russia or undermine Western interests.
How Does Laundry Bear Conduct Its Attacks?
Laundry Bear’s tactics, techniques, and procedures (TTPs) reveal a carefully orchestrated approach focused on stealth and automation. Their primary objective is to extract confidential emails and files from targeted organizations. They typically gain initial access through password spraying, trying a small number of common passwords against many accounts so that no single account trips a lockout, or through pass-the-cookie attacks, in which a stolen browser session cookie is replayed to impersonate a user who has already authenticated.
The group relies heavily on session cookies harvested by infostealer malware and sold on criminal marketplaces. According to Microsoft, it also uses the open-source Evilginx framework for adversary-in-the-middle (AitM) phishing: the victim signs in through a proxy that looks like the real Microsoft login page, and the proxy captures both the credentials and the resulting session cookie. Because a replayed cookie represents a session that has already passed multi-factor authentication, these methods sidestep MFA and leave few of the traces a malware infection would.
Once inside, Laundry Bear uses legitimate cloud APIs, in particular Exchange Online and Microsoft Graph, to enumerate user mailboxes, shared mailboxes and cloud-hosted files, and then automates the collection of email and documents across many accounts at once. Microsoft has also reported the group using the open-source AzureHound tool to enumerate the victim's Microsoft Entra ID tenant. Because every request is an ordinary, authenticated API call, this bulk collection looks like normal user activity unless access volumes and patterns are monitored.
In some instances, the group has read Microsoft Teams conversations via the Teams web client and has exploited weaknesses in SharePoint environments to obtain stored credentials and sensitive organizational information. Notably, once in, its activity centers on collecting from the access it already has rather than on expanding that access with new tooling or lateral movement, which keeps its footprint small and lets it go unnoticed for long periods.
How Can Organizations Detect and Defend Against Laundry Bear?
Both Microsoft and the Dutch agencies have published guidance for detecting and mitigating Laundry Bear's attacks. Its core is monitoring cloud environments for unusual access patterns and for bulk retrieval of data from email and file-sharing services, rather than looking for malware on endpoints, since this actor's tradecraft is built on valid accounts rather than implants.
Microsoft has published threat-hunting queries for the group's known tactics. Signals worth hunting for include unusual sign-in behavior (failures spread across many accounts from one source, or one session appearing from two locations), abnormal mailbox access, and large-scale data downloads.
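As an added example (not Microsoft's or the AIVD/MIVD's hunting queries, which are written for their own platforms), the Python below implements three of those hunts over a handful of constructed log records: a password spray in Entra ID sign-in logs, a replayed session cookie, and one account reading many mailboxes in the Exchange Online audit log. The record layouts and values are assumptions modelled on those logs' export formats, and the thresholds are illustrative rather than vendor guidance.

```python
"""Hunting for Laundry Bear-style activity in constructed Microsoft 365 log records.

Added example, not Microsoft's or the AIVD/MIVD's hunting queries. Record layouts
and values are assumptions modelled on Entra ID sign-in and Exchange Online
unified-audit-log exports; the thresholds are illustrative, not vendor guidance.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _t(s):
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


# Constructed Entra ID sign-in records (every value invented).
# errorCode 50126 is Entra's "invalid username or password"; 0 means success.
SIGNINS = [
    # legitimate interactive sign-in from the Netherlands, session s-1
    {"ts": "2024-09-10T08:00:00Z", "upn": "a.jansen@example.org", "ip": "203.0.113.7", "country": "NL", "sessionId": "s-1", "errorCode": 0},
    # one source IP, one guess each against many accounts: a password spray
    {"ts": "2024-09-10T08:01:00Z", "upn": "b.bakker@example.org", "ip": "198.51.100.9", "country": "DE", "sessionId": "", "errorCode": 50126},
    {"ts": "2024-09-10T08:01:05Z", "upn": "c.devries@example.org", "ip": "198.51.100.9", "country": "DE", "sessionId": "", "errorCode": 50126},
    {"ts": "2024-09-10T08:01:10Z", "upn": "d.visser@example.org", "ip": "198.51.100.9", "country": "DE", "sessionId": "", "errorCode": 50126},
    {"ts": "2024-09-10T08:01:15Z", "upn": "e.smit@example.org", "ip": "198.51.100.9", "country": "DE", "sessionId": "", "errorCode": 50126},
    {"ts": "2024-09-10T08:01:20Z", "upn": "f.meijer@example.org", "ip": "198.51.100.9", "country": "DE", "sessionId": "", "errorCode": 50126},
    # one user mistyping their own password twice: noise, not a spray
    {"ts": "2024-09-10T08:02:00Z", "upn": "a.jansen@example.org", "ip": "203.0.113.7", "country": "NL", "sessionId": "", "errorCode": 50126},
    {"ts": "2024-09-10T08:02:30Z", "upn": "a.jansen@example.org", "ip": "203.0.113.7", "country": "NL", "sessionId": "", "errorCode": 50126},
    # session s-1 reappearing from another country with no new login: pass-the-cookie
    {"ts": "2024-09-10T08:40:00Z", "upn": "a.jansen@example.org", "ip": "192.0.2.44", "country": "RU", "sessionId": "s-1", "errorCode": 0},
]

# Constructed Exchange Online unified-audit-log records. MailItemsAccessed is the
# operation Exchange records when mail is read, whether via Outlook, Graph or EWS.
AUDIT = [
    {"ts": "2024-09-10T08:41:00Z", "Operation": "MailItemsAccessed", "UserId": "a.jansen@example.org", "MailboxOwnerUPN": "a.jansen@example.org"},
    {"ts": "2024-09-10T08:41:10Z", "Operation": "MailItemsAccessed", "UserId": "a.jansen@example.org", "MailboxOwnerUPN": "procurement@example.org"},
    {"ts": "2024-09-10T08:41:20Z", "Operation": "MailItemsAccessed", "UserId": "a.jansen@example.org", "MailboxOwnerUPN": "legal@example.org"},
    {"ts": "2024-09-10T08:41:30Z", "Operation": "MailItemsAccessed", "UserId": "a.jansen@example.org", "MailboxOwnerUPN": "export-control@example.org"},
    {"ts": "2024-09-10T09:30:00Z", "Operation": "MailItemsAccessed", "UserId": "b.bakker@example.org", "MailboxOwnerUPN": "b.bakker@example.org"},
]


def _max_distinct_in_window(events, window):
    """Largest number of distinct values in any span of length `window` over (ts, value) pairs."""
    events = sorted(events)
    best = 0
    for i, (start, _) in enumerate(events):
        best = max(best, len({v for ts, v in events[i:] if ts - start <= window}))
    return best


def detect_password_spray(signins, window=timedelta(minutes=60), min_accounts=5):
    """Source IPs whose 50126 failures hit at least `min_accounts` distinct accounts in `window`.

    Counting distinct accounts per source, not failures per account, is what separates
    a spray from a user fumbling their own password.
    """
    failures = defaultdict(list)
    for r in signins:
        if r["errorCode"] == 50126:
            failures[r["ip"]].append((_t(r["ts"]), r["upn"]))
    return {ip: n for ip, ev in failures.items()
            if (n := _max_distinct_in_window(ev, window)) >= min_accounts}


def detect_cookie_replay(signins):
    """(upn, sessionId) pairs whose successful sign-ins come from more than one country.

    A replayed browser cookie keeps the victim's sessionId, so the same session shows up
    from the thief's infrastructure without any new interactive authentication.
    """
    countries = defaultdict(set)
    for r in signins:
        if r["errorCode"] == 0 and r.get("sessionId"):
            countries[(r["upn"], r["sessionId"])].add(r["country"])
    return {k: sorted(c) for k, c in countries.items() if len(c) > 1}


def detect_mass_mailbox_access(audit, window=timedelta(minutes=15), min_mailboxes=3):
    """Actors reading at least `min_mailboxes` distinct mailboxes (own, shared or delegated) in `window`."""
    reads = defaultdict(list)
    for r in audit:
        if r["Operation"] == "MailItemsAccessed":
            reads[r["UserId"]].append((_t(r["ts"]), r["MailboxOwnerUPN"]))
    return {actor: n for actor, ev in reads.items()
            if (n := _max_distinct_in_window(ev, window)) >= min_mailboxes}


if __name__ == "__main__":
    print("password spray sources:", detect_password_spray(SIGNINS))
    print("replayed sessions     :", detect_cookie_replay(SIGNINS))
    print("mass mailbox readers  :", detect_mass_mailbox_access(AUDIT))
```

In a real tenant the same logic would run as KQL over the sign-in and Office activity tables, or over a Unified Audit Log export, and the thresholds would be tuned to the organization's baseline. The country check on replayed sessions is the weakest of the three as written: travellers and corporate VPN egress produce the same pattern, so in practice it should be combined with ASN, device and sign-in-frequency context before anyone is paged.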
Furthermore, organizations should enforce phishing-resistant multi-factor authentication (MFA) across all cloud services, keep SharePoint and other cloud platforms patched, and monitor for the published indicators of compromise (IOCs). One caveat practitioners should keep in mind: a stolen session cookie already post-dates the MFA prompt, so MFA on its own does not stop pass-the-cookie or AitM phishing. Pair it with controls that tie sessions to managed devices, shorter session lifetimes and sign-in-frequency policies, and prompt revocation of all sessions when an account is suspected compromised. Employees should still be trained to recognize phishing and social-engineering attempts, which remain the entry point for both cookie theft and credential capture.
Why Is Laundry Bear Particularly Dangerous?
What sets Laundry Bear apart from other threat groups is its ability to operate stealthily, often flying under the radar of network administrators. By leveraging legitimate API access and focusing on existing compromises, they avoid triggering alarms. Their automation and use of common tools make their activities difficult to distinguish from normal user behavior.
Additionally, their focus on sensitive military and technological data highlights the geopolitical implications of their operations. The group’s capacity to target defense sectors and export-controlled technologies underscores the importance of international cybersecurity cooperation.
Looking Ahead: The Future of Russian Cyber Threats
As the conflict in Ukraine persists, so does the likelihood that groups like Laundry Bear will continue evolving their tactics. With their proven success in stealth and automation, they may expand their operations or adapt new techniques to evade detection. Therefore, organizations must remain vigilant, adopting proactive threat hunting and continuous security improvements.
Moreover, governments and private sector entities should collaborate more closely, sharing intelligence and best practices to thwart such sophisticated actors. Building resilience against these threats requires a comprehensive approach, combining technical defenses, employee awareness, and strategic policies.