Russia-linked APT Laundry Bear linked to 2024 Dutch Police attack
A new Russia-linked Advanced Persistent Threat (APT) group, tracked as Laundry Bear, has been linked to a high-profile security breach at the Dutch police in September 2024. The Netherlands General Intelligence and Security Service (AIVD) and the Netherlands Defence Intelligence and Security Service (MIVD) have confirmed that this APT group is responsible for the breach, which exposed sensitive contact information of multiple police officers.
The incident occurred on September 26, 2024, when threat actors broke into a police system, gaining access to work-related contact details of officers. The attackers stole names, emails, phone numbers, and some private information belonging to police officers. The Dutch police reported the security breach to the Data Protection Authority, stating that "Last week it became known that a police account was hacked. Work-related contact details of police officers were stolen."
At the time of the breach, the authorities said they had identified the attackers but did not publicly attribute the attack to a specific actor. They did state, however, that it was very likely carried out by a "state actor", meaning another country or perpetrators acting on behalf of another country.
A new joint advisory published by Dutch intelligence agencies warns organizations of Laundry Bear attacks
The AIVD and MIVD have jointly issued an update, warning Dutch organizations about the presence of Laundry Bear. The government experts state that Laundry Bear has evaded detection by using simple attack methods and built-in tools on victims' systems, making it hard to trace and distinguish from other Russian hackers.
Laundry Bear's targeting strategy
"The AIVD and MIVD (‘the Dutch services’) have identified a publicly unknown, highly probably Russian state-supported threat actor and have named the group LAUNDRY BEAR," reads the joint advisory. "This investigation into the threat actor was initiated because of an opportunistic cyber attack on the Dutch police in September 2024. During this attack the work-related contact information of police employees was obtained by the threat actor."
Since 2024, Laundry Bear has targeted Western governments, armed forces, defense contractors, cultural groups, and digital service providers in cyber operations. The group mainly focuses on EU and NATO countries, targeting entities linked to Russia's war in Ukraine, such as defense ministries, armed forces, diplomats, and defense contractors.
Notable attacks by Laundry Bear
In 2024, Laundry Bear targeted aerospace firms and high-tech manufacturers, likely to steal sensitive data about weapons production and deliveries to Ukraine. The group has also attacked NGOs, media outlets, political parties, and educational institutions. Compared to other Russian threat actors, Laundry Bear has had notable success in its operations.
How Laundry Bear operates
In September 2024, Laundry Bear used a pass-the-cookie attack to access a Dutch police account, likely with a stolen browser session cookie bought via a criminal marketplace. Because the service accepted the stolen cookie as proof of an existing login, the attackers could pull police contact details from the account's address list without ever entering credentials.
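The defensive counterpart to the pass-the-cookie technique described above is to watch for a single session cookie being presented from more than one client fingerprint. The following script is an added example written for this article, not code from the Dutch advisory or from Microsoft's report: it parses a constructed access-log format (field names `sid`, `ip`, `ua`, `path` are assumptions, and the session ids and addresses are made up) and flags any session id that is reused from a new IP/user-agent pair within a short window of its previous use, rating a user-agent change as the stronger signal because NAT and mobile roaming routinely change IPs without changing the browser.

```python
"""Flag session-cookie reuse (pass-the-cookie) in web access logs.

Added example; the log format below is constructed for illustration and
is not the format of any real police or Microsoft 365 log source.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: one line per request, key=value fields after the timestamp.
# Session S-1001 is first used from an internal Windows/Firefox client, then the same
# cookie appears four minutes later from an external Linux/Chrome client reading the
# address list. Session S-2002 is a normal single-client session.
SAMPLE_LOG = """\
2024-09-26T08:01:10Z sid=S-1001 ip=10.20.0.15 ua=Firefox/128-Windows path=/mail/inbox
2024-09-26T08:05:42Z sid=S-1001 ip=10.20.0.15 ua=Firefox/128-Windows path=/mail/read
2024-09-26T08:07:03Z sid=S-2002 ip=10.20.0.44 ua=Chrome/126-Windows path=/mail/inbox
2024-09-26T08:09:55Z sid=S-1001 ip=198.51.100.77 ua=Chrome/125-Linux path=/people/addresslist
2024-09-26T08:10:12Z sid=S-1001 ip=198.51.100.77 ua=Chrome/125-Linux path=/people/addresslist?page=2
2024-09-26T09:30:00Z sid=S-2002 ip=10.20.0.44 ua=Chrome/126-Windows path=/mail/read
"""


@dataclass
class Event:
    ts: datetime
    sid: str   # session identifier (in a real pipeline, hash the cookie value first)
    ip: str
    ua: str
    path: str


def parse_line(line: str) -> Event:
    """Parse one 'TIMESTAMP key=value ...' line into an Event."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return Event(
        ts=datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        sid=fields["sid"],
        ip=fields["ip"],
        ua=fields["ua"],
        path=fields["path"],
    )


def parse_log(text: str) -> list[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_cookie_reuse(events: list[Event], window: timedelta = timedelta(hours=1)) -> list[dict]:
    """Return one finding per session the first time it is presented from a
    new (ip, user-agent) fingerprint within `window` of its previous use.

    A fingerprint change alone can be benign (VPN reconnect, roaming); a change
    of user agent on a still-live session is much harder to explain and is
    reported as `ua_changed=True` so it can be prioritised.
    """
    fingerprints: dict[str, set[tuple[str, str]]] = {}
    last_seen: dict[str, Event] = {}
    findings: list[dict] = []

    for ev in sorted(events, key=lambda e: e.ts):
        fp = (ev.ip, ev.ua)
        seen = fingerprints.setdefault(ev.sid, set())
        prev = last_seen.get(ev.sid)
        if seen and fp not in seen and prev is not None and ev.ts - prev.ts <= window:
            findings.append({
                "sid": ev.sid,
                "when": ev.ts.isoformat(),
                "previous_ip": prev.ip,
                "new_ip": ev.ip,
                "ua_changed": ev.ua != prev.ua,
                "minutes_since_previous_use": round((ev.ts - prev.ts).total_seconds() / 60, 1),
                "first_path_from_new_client": ev.path,
            })
        seen.add(fp)
        last_seen[ev.sid] = ev

    return findings


if __name__ == "__main__":
    for finding in find_cookie_reuse(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the sample above the script reports exactly one finding, for S-1001: the cookie was reused from 198.51.100.77 with a different browser roughly four minutes after the legitimate client last used it, and the first request from the new client was to the address list. In production the natural response to such a finding is to revoke the session server-side and force re-authentication, which is also why short cookie lifetimes and token binding to the client reduce the value of a cookie bought on a marketplace.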
Authorities suspect other Dutch organizations were also targeted, though further data theft hasn't been confirmed. Microsoft tracks the group as Void Blizzard and has published a report on the APT that details the tools, tactics, and procedures used by the threat actor.
Stay informed about Laundry Bear
Follow me on Twitter (@securityaffairs), Facebook and Mastodon for the latest updates on this developing story.