New Russian State Hacking Group Hits Europe and North America


A newly discovered Russian state hacking group is targeting government and critical sectors across Europe and North America, Microsoft has warned.

The group, which Microsoft tracks as Void Blizzard, has been primarily targeting organizations in NATO member states and Ukraine since mid-2024.

The group has achieved many successful compromises, according to the tech giant.

This includes compromising several user accounts at a Ukrainian aviation organization in October 2024. This organization had been previously targeted by Russian General Staff Main Intelligence Directorate (GRU) actor Seashell Blizzard in 2022.

Void Blizzard typically collects a high volume of emails and files from compromised organizations.

It is assessed with high confidence to be Russia-affiliated, with the threat actor likely collecting intelligence to help support the Kremlin’s strategic objectives.

The primary industries targeted include telecoms, defense industrial base, healthcare, government agencies, non-governmental organizations (NGOs), media, law enforcement and transportation.

Evolving Initial Access Techniques

Microsoft noted that Void Blizzard’s tactics, techniques and procedures (TTPs) are not particularly unique compared to other APT groups. However, its initial access approaches have evolved recently.

Initially, the group predominantly focused on unsophisticated techniques aiming to compromise credentials. These include password spray attacks and procuring credentials through criminal ecosystems.

In April 2025, Void Blizzard was observed launching an adversary-in-the-middle (AitM) spear phishing campaign that targeted over 20 NGO sector organizations in Europe and the US.

This campaign involved spoofing the Microsoft Entra authentication portal using a typosquatting domain.

The threat actor posed as an organizer from the European Defense and Security Summit, aiming to lure targets to open a PDF attachment purporting to be an invitation to the Summit.

The attachment contained a malicious QR code that redirected to Void Blizzard infrastructure at micsrosoftonline[.]com, which hosts a credential phishing page spoofing the Microsoft Entra authentication page.

It is believed that the group is using the campaign to steal authentication data, including the input username and password and any cookies generated by the server.
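As an added defender-side example (not code from Microsoft's report or this article), the following Python flags proxy-log requests to hosts that are close typosquats of the legitimate Microsoft sign-in domain, such as the micsrosoftonline[.]com host described above; the watchlist, log format and sample lines are constructed assumptions.

```python
import re

# Constructed watchlist of legitimate Microsoft sign-in hosts (assumption).
LEGIT_AUTH_HOSTS = {"login.microsoftonline.com", "login.microsoft.com"}
LEGIT_REGISTRABLE = {".".join(h.split(".")[-2:]) for h in LEGIT_AUTH_HOSTS}

def levenshtein(a: str, b: str) -> int:
    """Edit distance: insertions, deletions and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(host: str) -> str:
    """Undo '[.]' defanging (as in micsrosoftonline[.]com), drop port and case."""
    return host.replace("[.]", ".").split(":")[0].strip(".").lower()

def lookalike_of(host: str, max_distance: int = 2):
    """Return the legitimate registrable domain this host imitates, else None."""
    h = normalize(host)
    reg = ".".join(h.split(".")[-2:])  # assumption: two-label registrable domain
    if h in LEGIT_AUTH_HOSTS or reg in LEGIT_REGISTRABLE:
        return None  # the genuine host is never a lookalike
    for legit in LEGIT_REGISTRABLE:
        if levenshtein(reg, legit) <= max_distance:
            return legit
    return None

# Constructed proxy log lines: timestamp, client IP, method, URL, status.
SAMPLE_PROXY_LOG = """\
2025-04-15T09:12:03Z 10.0.4.21 GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize 200
2025-04-15T09:14:47Z 10.0.4.21 GET https://micsrosoftonline.com/common/login 200
2025-04-15T09:15:02Z 10.0.4.21 POST https://micsrosoftonline.com/common/login 302
2025-04-15T09:20:11Z 10.0.7.9 GET https://www.example.org/ 200
"""

def scan_proxy_log(text: str) -> list:
    """Flag requests whose host imitates a Microsoft sign-in domain."""
    hits = []
    for line in text.splitlines():
        m = re.match(r"(\S+) (\S+) (\S+) https?://([^/\s]+)", line)
        if m and (legit := lookalike_of(m.group(4))):
            hits.append({"time": m.group(1), "src": m.group(2), "method": m.group(3),
                         "host": normalize(m.group(4)), "imitates": legit})
    return hits
```

A POST to a flagged host (the second hit above) is the stronger signal, since it suggests credentials were actually submitted rather than merely the page being loaded.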

“This new tactic suggests that Void Blizzard is augmenting their opportunistic but focused access operations with a more targeted approach, increasing the risk for organizations in critical sectors,” Microsoft warned.

Post-compromise, the threat actor abuses legitimate cloud APIs, such as Exchange Online and Microsoft Graph, to enumerate users’ mailboxes, including any shared mailboxes, and cloud-hosted files.

It likely automates the bulk collection of cloud-hosted data and any mailboxes or file shares that the compromised user can access.

In a small number of cases, Void Blizzard has accessed Microsoft Teams conversations and messages via the Microsoft Teams web client application.

Void Blizzard Breaches Dutch Police Data

Concurrently with Microsoft’s investigation, the Netherlands’ intelligence and security services revealed that Void Blizzard has been behind hacks on several Dutch organizations. This includes stealing “work-related contact details” from the police.

Affected Dutch organizations have been informed and have taken measures to mitigate the attacks.

The Dutch intelligence and security services track the group as Laundry Bear.

They noted that the threat actor has a particular interest in carrying out espionage attacks against Western companies that produce high-end technologies.

Dutch Military Intelligence and Security Service director, Vice Admiral Peter Reesink, commented: “We have seen that this hacker group successfully gains access to sensitive information from a large number of (government) organizations and companies worldwide. They have a specific interest in countries of the European Union and NATO. Laundry Bear is looking for information about the purchase and production of military equipment by Western governments and Western supplies of weapons to Ukraine.”
