Russia’s Void Blizzard Targets the West’s Digital Backbone

Microsoft Threat Intelligence has surfaced a new Russia-affiliated cyber actor: Void Blizzard, also tracked as LAUNDRY BEAR. Active since at least April 2024, this group is focused on long-term espionage targeting sectors critical to Western governments, infrastructure, and policy-making.

Void Blizzard is not just another APT clone or cluster moniker. It represents an evolution in operational flexibility and tradecraft, shifting from relying on stolen credentials bought off the dark web to more aggressive adversary-in-the-middle (AitM) phishing campaigns. These newer efforts leverage typosquatted domains mimicking Microsoft Entra portals to harvest authentication tokens and compromise enterprise identities.

Target Profile

Void Blizzard’s campaign focus aligns closely with Russian state priorities. It has gone after targets in:

  • Defense and government agencies
  • Transportation and healthcare infrastructure
  • NGOs, education institutions, and intergovernmental organizations
  • Media and IT service providers

While some activity overlaps with known Russian actors like APT29, Void Blizzard appears to operate as a distinct cell, coordinating within a larger ecosystem of state-sponsored espionage.

Notable Tactics

  • Credential-based access remains a preferred entry point, but the shift to AitM phishing is a signal of increasing confidence and offensive posture.
  • Microsoft Entra impersonation suggests a deliberate focus on trusted identity systems, highlighting how fragile authentication flows can be under targeted pressure.
  • Operational consistency across NATO states and Ukraine further indicates strategic alignment with geopolitical goals, not just opportunistic targeting.

Analyst Comments

If you’re in defense, energy, public health, or civil society work, Void Blizzard’s tradecraft should raise alarm bells. Organizations should be:

  • Auditing Entra ID and authentication logs for anomalies tied to session replay or suspicious SSO activity
  • Deploying phishing-resistant MFA such as FIDO2 keys
  • Training users to identify lookalike URLs and domain spoofing, particularly in password reset or login prompts
  • Tracking overlaps with other Russian campaigns, especially Star Blizzard and Midnight Blizzard, to catch infrastructure reuse or strategic convergence
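
One way to put the first and third bullets above into practice, as an added example that is not part of the original post or Microsoft's report: a lookalike check for Microsoft login hostnames and a session-reuse detector run over constructed sign-in records. The record fields (time, user, ip, sessionId) and the distance threshold are assumptions, not the exact Entra ID export schema.

```python
# Added example, not from the original post or Microsoft's report. The sign-in
# record fields (time, user, ip, sessionId) are an assumed, simplified schema.
from datetime import datetime, timedelta
from itertools import combinations

LEGIT_LOGIN_HOSTS = ("login.microsoftonline.com", "login.microsoft.com")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; hostnames are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike_host(host: str, max_distance: int = 2) -> bool:
    """Flag a near-miss of a real Microsoft login host (login.micros0ftonline.com)
    or a host that embeds the real name as leading labels (login.microsoftonline.com.x)."""
    host = host.lower().rstrip(".")
    if host in LEGIT_LOGIN_HOSTS:
        return False
    return any(host.startswith(legit + ".") or edit_distance(host, legit) <= max_distance
               for legit in LEGIT_LOGIN_HOSTS)

def find_session_reuse(events, window=timedelta(minutes=30)):
    """Return (sessionId, user, first_ip, second_ip) for every session presented
    from two different IPs within `window`: the replay pattern that follows a
    session token being harvested through an AitM phishing page."""
    by_session = {}
    for e in events:
        by_session.setdefault(e["sessionId"], []).append(e)
    hits = set()
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["time"])
        for a, b in combinations(evs, 2):
            if a["ip"] != b["ip"] and b["time"] - a["time"] <= window:
                hits.add((sid, a["user"], a["ip"], b["ip"]))
    return sorted(hits)

T0 = datetime(2025, 6, 1, 9, 0)
SAMPLE_EVENTS = [  # constructed sample data, not real telemetry
    {"time": T0, "user": "a.user@corp.example", "ip": "203.0.113.10", "sessionId": "s-100"},
    {"time": T0 + timedelta(minutes=4), "user": "a.user@corp.example", "ip": "198.51.100.7", "sessionId": "s-100"},
    {"time": T0 + timedelta(minutes=1), "user": "b.user@corp.example", "ip": "203.0.113.11", "sessionId": "s-200"},
    {"time": T0 + timedelta(hours=9), "user": "b.user@corp.example", "ip": "203.0.113.99", "sessionId": "s-200"},
]
```

In the sample, session s-100 is seen from two addresses four minutes apart and is flagged, while s-200 changes address only after nine hours and is not; real deployments would also correlate ASN, device and user-agent before alerting.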

Final Thoughts

Void Blizzard is not flashy, but it is serious. It demonstrates how Russia continues to evolve its cyber espionage toolkit beneath the noise of more destructive attacks. In an era of hybrid conflict, groups like Void Blizzard are the quiet operatives laying groundwork for geopolitical advantage. They definitely won’t be the last.

See Microsoft’s full report: https://www.microsoft.com/en-us/security/blog/2025/05/27/new-russia-affiliated-actor-void-blizzard-targets-critical-sectors-for-espionage/
