New Russian State Hacking Group Hits Europe and North America

A newly discovered Russian state hacking group, tracked by Microsoft as Void Blizzard, has been targeting government and critical-sector organizations across Europe and North America. The group's activity has been concentrated on organizations in NATO member states and Ukraine since at least April 2024, and it has repeatedly succeeded in compromising user accounts and reaching the sensitive information behind them.

The breach of a Ukrainian aviation organization in October 2024 is one example of Void Blizzard's reach. The same organization had previously been targeted in 2022 by Seashell Blizzard, an actor attributed to the Russian General Staff Main Intelligence Directorate (GRU). Void Blizzard's other successful compromises include access to cloud-hosted data and to Microsoft Teams conversations.

The Threat Actor's Tactics and Targets

Void Blizzard typically collects a high volume of emails and files from compromised organizations. Microsoft assesses with high confidence that the actor is Russia-affiliated and is most likely collecting intelligence in support of the Kremlin's strategic objectives. The industries it targets most often are telecoms, the defense industrial base, healthcare, government agencies, non-governmental organizations (NGOs), media, law enforcement and transportation.

Microsoft noted that Void Blizzard's tactics, techniques and procedures (TTPs) are not particularly unique compared with those of other Advanced Persistent Threat (APT) groups. Its initial access methods have evolved recently, however: the group has moved from unsophisticated techniques such as password spraying toward more targeted campaigns such as adversary-in-the-middle (AitM) spear phishing.

The Adversary-In-The-Middle Spear Phishing Campaign

In April 2025, Void Blizzard was observed running an AitM spear phishing campaign against more than 20 NGO-sector organizations in Europe and the US. The actor posed as an organizer from the European Defense and Security Summit and lured targets into opening a PDF attachment purporting to be an invitation to the Summit.

The attachment contained a malicious QR code that redirected to Void Blizzard's infrastructure, where a credential phishing page on a typosquatted domain spoofed the Microsoft Entra authentication portal. Microsoft believes the campaign is designed to steal authentication data: the username and password the victim enters, and any session cookies returned by the server. Because the victim completes the genuine sign-in, including any MFA prompt, through the attacker's proxy, a captured session cookie can be replayed without a second factor being challenged again; only phishing-resistant methods bound to the real origin, such as FIDO2/passkeys or certificate-based authentication, are not captured this way.
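One practical check that follows from the campaign described above is to look for hosts that impersonate the Entra sign-in portal in URL-click or proxy telemetry. The following Python is an added example for this article, not code from Microsoft's report or from any indicator list: the allow-listed hosts, the homoglyph table, the log format and every host name and user in the sample data are constructed assumptions for illustration.

```python
"""Flag clicked URLs whose host impersonates the Microsoft Entra sign-in portal.

Added example: lookalike-domain detection over constructed click telemetry.
LEGIT_HOSTS, the homoglyph table and the sample lines are assumptions.
"""
from urllib.parse import urlsplit

# Assumption: the hosts an organization expects to see for Entra sign-in.
LEGIT_HOSTS = ("login.microsoftonline.com", "login.microsoft.com")

# Character substitutions commonly used in lookalike domains (assumed list).
_HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize(host: str) -> str:
    """Lower-case a host and undo common homoglyph substitutions."""
    host = host.lower().rstrip(".")
    for bad, good in _HOMOGLYPHS:
        host = host.replace(bad, good)
    return host


def registrable(host: str) -> str:
    """Last two labels of a host. Simplification: no public-suffix list."""
    return ".".join(host.split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str, max_distance: int = 2) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for a URL host."""
    host = host.lower().rstrip(".")
    refs = {registrable(h) for h in LEGIT_HOSTS}
    if registrable(host) in refs:
        return "legit"  # genuine Microsoft registrable domain, any subdomain
    norm_host = normalize(host)
    norm_dom = registrable(norm_host)
    for ref in refs:
        if norm_dom == ref:
            return "lookalike"  # differs from the real domain only by homoglyphs
        if levenshtein(norm_dom, ref) <= max_distance:
            return "lookalike"  # typo-distance variant (added or swapped letter)
        if ref.split(".")[0] in norm_host:
            return "lookalike"  # brand name buried in an unrelated domain or subdomain
    return "unrelated"


def scan_click_log(lines):
    """Return (user, host) for every clicked URL whose host is a lookalike."""
    findings = []
    for line in lines:
        _ts, user, url = line.split(maxsplit=2)
        host = urlsplit(url).hostname or ""
        if classify_host(host) == "lookalike":
            findings.append((user, host))
    return findings


# Constructed sample telemetry: "<timestamp> <user> <clicked url>".
SAMPLE_CLICKS = [
    "2025-04-14T09:12:03Z alice@example.org https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    "2025-04-14T09:15:41Z bob@example.org https://login.micsrosoftonline.com/common/oauth2/v2.0/authorize",
    "2025-04-14T09:16:02Z carol@example.org https://login.microsoft0nline.com/",
    "2025-04-14T09:20:17Z dave@example.org https://login.microsoftonline.com.summit-invite.example/",
    "2025-04-14T09:21:55Z erin@example.org https://intranet.example.org/",
]

if __name__ == "__main__":
    for user, host in scan_click_log(SAMPLE_CLICKS):
        print(f"lookalike sign-in host clicked by {user}: {host}")
```

The exact-match check on the registrable domain runs before any normalization, so genuine Microsoft subdomains are never mis-flagged by the homoglyph table; the distance threshold and the brand-substring rule are deliberately loose and are meant to feed an analyst queue, not to block traffic on their own.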

Risks for Organizations in Critical Sectors

"This new tactic suggests that Void Blizzard is augmenting their opportunistic but focused access operations with a more targeted approach, increasing the risk for organizations in critical sectors," Microsoft warned. Once inside an account, the actor uses legitimate cloud APIs such as Exchange Online and Microsoft Graph to enumerate users' mailboxes and cloud-hosted files. Because these are the same interfaces that ordinary clients use, the collection blends into normal tenant traffic and is hard to distinguish without looking at volume and access patterns.
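The enumeration described above leaves a trace in the tenant's Graph API telemetry. The Python below is an added example for this article, not Microsoft's hunting query: it applies a simple volume heuristic to records shaped like Entra's MicrosoftGraphActivityLogs. The field names used (TimeGenerated, UserId, RequestMethod, RequestUri, ResponseStatusCode, UserAgent) exist in that log, but the records themselves, the use of UPN-style strings as UserId (real logs carry object IDs that would need resolving), the thresholds and the set of paths treated as enumeration are all constructed assumptions.

```python
"""Detect bulk mailbox and drive enumeration through the Microsoft Graph API.

Added example: a sliding-window heuristic over constructed records shaped like
MicrosoftGraphActivityLogs. Thresholds, path list and data are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Graph paths that read another principal's mailbox or drive. Assumption: in
# this tenant, users normally touch only /me, so cross-user reads stand out.
TARGET_RE = re.compile(r"^/v1\.0/users/(?P<target>[^/]+)/(messages|mailFolders|drive|drives)\b")


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def mailbox_target(request_uri: str):
    """Return the user whose mailbox/drive a request touches, or None."""
    path = request_uri.split("graph.microsoft.com", 1)[-1]
    m = TARGET_RE.match(path)
    return m.group("target") if m else None


def find_enumerators(records, window=timedelta(minutes=30), min_targets=5):
    """Callers that read >= min_targets distinct other users' mailboxes or
    drives within `window`. Returns {caller: sorted list of all targets}."""
    by_caller = defaultdict(list)
    for r in records:
        if r["ResponseStatusCode"] != 200:
            continue  # a denied request returned no data
        target = mailbox_target(r["RequestUri"])
        if target is None or target == r["UserId"]:
            continue  # not a mailbox read, or the caller's own mailbox
        by_caller[r["UserId"]].append((parse_ts(r["TimeGenerated"]), target))

    hits = {}
    for caller, events in by_caller.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):  # sliding window over this caller's reads
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            if len({t for _, t in events[lo:hi + 1]}) >= min_targets:
                hits[caller] = sorted({t for _, t in events})
                break
    return hits


def _rec(ts, user, uri, status=200, ua="Mozilla/5.0"):
    """Build one constructed log record in MicrosoftGraphActivityLogs shape."""
    return {"TimeGenerated": ts, "UserId": user, "RequestMethod": "GET",
            "RequestUri": uri, "ResponseStatusCode": status, "UserAgent": ua}


BASE = "https://graph.microsoft.com/v1.0"

# Constructed sample: alice reads her own mail plus one shared mailbox (normal);
# a compromised account sweeps seven colleagues' mailboxes in six minutes.
SAMPLE_RECORDS = [
    _rec("2025-04-15T10:00:05Z", "alice@example.org", f"{BASE}/me/messages"),
    _rec("2025-04-15T10:02:10Z", "alice@example.org",
         f"{BASE}/users/shared-finance@example.org/mailFolders/inbox/messages"),
    *[_rec(f"2025-04-15T11:0{i}:00Z", "compromised@example.org",
           f"{BASE}/users/user{i}@example.org/messages") for i in range(7)],
    _rec("2025-04-15T11:08:00Z", "compromised@example.org",
         f"{BASE}/users/ceo@example.org/drive/root/children", status=403),
]

if __name__ == "__main__":
    for caller, targets in find_enumerators(SAMPLE_RECORDS).items():
        print(f"{caller} read {len(targets)} other users' mailboxes/drives: {targets}")
```

The heuristic ignores failed (non-200) requests and self-reads so that a user browsing their own mailbox never trips it; a shared-mailbox delegate with one or two targets stays under the threshold, while an account sweeping many colleagues' mailboxes in a short window is reported with the full set of users it touched.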

Global Reach and Impact

Void Blizzard's targeting extends beyond Europe to North America, and the same actor is tracked by the Dutch intelligence and security services (the AIVD and MIVD) as Laundry Bear. They noted that the actor has a particular interest in espionage against Western companies that produce high-end technologies.

According to the Dutch services, Laundry Bear seeks information on the purchase and production of military equipment by Western governments and on Western supplies of weapons to Ukraine. The director of the Dutch Military Intelligence and Security Service, Vice Admiral Peter Reesink, stated: "We have seen that this hacker group successfully gains access to sensitive information from a large number of (government) organizations and companies worldwide."

Taken together, the Microsoft and Dutch disclosures show an actor that has added targeted AitM phishing to opportunistic credential attacks and then lives off legitimate cloud APIs once inside. Organizations in the sectors named above should treat phishing-resistant authentication and monitoring of mailbox and file access through Exchange Online and Microsoft Graph as priorities, and adjust their defenses as Void Blizzard's tactics continue to evolve.