‘Laundry Bear’ Has Been Active Since 2024

Dutch intelligence agencies and Microsoft say a novel Russian state intelligence hacking group is likely buying stolen credentials from criminal marketplaces to gain entry to North American and European networks.
In coordinated disclosure Tuesday, the Dutch government and the computing giant said this cluster of government-linked hackers has been active since 2024 and has “a specific interest in European Union and NATO member states.” Dutch agencies said the group – which they dub “Laundry Bear” – shares tactics with Unit 26165 of the Russian Main Intelligence Directorate, commonly tracked as APT28. “Nevertheless, Laundry Bear and APT28 are two distinct threat actors.”
Microsoft tracks the group as “Void Blizzard” and says it shows overlap in targeting with other Russian intelligence hacking operations. “This intersection suggests shared espionage and intelligence collection interests assigned to the parent organizations of these threat actors.”
Authorities became aware of the new cyberespionage unit after a successful September 2024 pass-the-cookie attack against a police agency, with Dutch intelligence assessing that Russian hackers likely bought the login cookie from an infostealer’s offering on a criminal marketplace. Hackers copied the agency’s global address list containing police department employee contact information.
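Session-cookie replay of the kind described above leaves a trace in sign-in telemetry: the same session identifier shows up from a second network or browser that never performed its own interactive authentication. The following is an added example (not code from the report, the Dutch agencies or Microsoft) that runs that check over a few constructed sign-in records; the record fields, the session-id format and the sample values are assumptions.

```python
from collections import defaultdict

# Constructed sample sign-in records (not real telemetry). Each record is one
# sign-in event: session id, user, source IP, user agent, and whether the
# event was an interactive authentication (password and/or MFA) or a silent
# sign-in that merely presented an existing session cookie.
SIGNIN_EVENTS = [
    {"ts": "2024-09-10T08:01:00Z", "session": "S-1001", "user": "alice",
     "ip": "203.0.113.10", "ua": "Edge/127", "interactive": True},
    {"ts": "2024-09-10T08:40:00Z", "session": "S-1001", "user": "alice",
     "ip": "203.0.113.10", "ua": "Edge/127", "interactive": False},
    # Same session cookie presented from another network and browser without
    # an interactive logon of its own: the pass-the-cookie pattern.
    {"ts": "2024-09-10T09:15:00Z", "session": "S-1001", "user": "alice",
     "ip": "198.51.100.77", "ua": "Chrome/126", "interactive": False},
    {"ts": "2024-09-10T10:00:00Z", "session": "S-2002", "user": "bob",
     "ip": "203.0.113.22", "ua": "Firefox/128", "interactive": True},
    # Bob re-authenticates interactively from home: new IP, but the session
    # was re-established with credentials, so this is not flagged.
    {"ts": "2024-09-10T18:30:00Z", "session": "S-2002", "user": "bob",
     "ip": "192.0.2.5", "ua": "Firefox/128", "interactive": True},
]


def find_cookie_replay(events):
    """Return (session, user, ip, ua) for every non-interactive sign-in that
    reuses a session id from a different IP or user agent than the one that
    interactively established it, or for which no interactive origin was seen
    in the window at all (a cookie that appeared out of nowhere)."""
    origin = {}  # session id -> (ip, ua) of its last interactive authentication
    findings = []
    for e in sorted(events, key=lambda r: r["ts"]):
        if e["interactive"]:
            origin[e["session"]] = (e["ip"], e["ua"])
            continue
        known = origin.get(e["session"])
        if known is None or (e["ip"], e["ua"]) != known:
            findings.append((e["session"], e["user"], e["ip"], e["ua"]))
    return findings


if __name__ == "__main__":
    for session, user, ip, ua in find_cookie_replay(SIGNIN_EVENTS):
        print(f"possible cookie replay: session={session} user={user} ip={ip} ua={ua}")
```

In production the comparison would usually key on network (ASN or country) rather than exact IP, since browser updates and mobile roaming change user agents and addresses legitimately.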
Infostealers traditionally have been the tool of online fraudsters and cryptothieves, but that line is often blurred in Russia, which uses its robust criminal underground as a source of personnel and data – and even as an operational auxiliary (see: Warning: Cybercrime Services Underpin National Security Risk).
An international law enforcement operation earlier this month took down infrastructure used by operators of the Lumma infostealer, which first appeared for sale on Russian-language cybercriminal forums in 2022. Another operation disrupted DanaBot, malware sold in two variants: one for cybercrime and one for espionage, with data stolen by the espionage variant kept on servers inside Russia (see: US Takes Down DanaBot Malware, Indicts Developers).
Laundry Bear looks for information “relating to the procurement and production of military goods by Western governments, and weapons deliveries to Ukraine from Western countries,” the Dutch agencies said. Only days earlier, on Wednesday, a slew of Western cybersecurity agencies warned that Russian intelligence is targeting logistics and technology companies in a bid to track military aid delivered to Ukraine.
Stolen authentication credentials and password spraying make up the bulk of Laundry Bear’s operations, but Microsoft said it’s seen the group branch into adversary-in-the-middle attacks. Cyber defenders spotted in April a phishing campaign directed against 20 non-governmental organizations directing victims to a typosquatted domain that spoofed Microsoft Entra authentication.
The phishing bait was an invitation to a fake “European Defense & Security Summit.” Victims who scanned a QR code in the invitation were passed on to micsrosoftonline.com, a credential phishing page mimicking an Entra authentication site.
Post-exploit activity includes using cloud APIs to enumerate user mailboxes and cloud-hosted files. In a few instances, Laundry Bear actors also accessed Microsoft Teams or deployed the AzureHound hacking tool to gain information about users, roles, groups, applications, and devices belonging to the compromised account.