EU & NATO Under Cyber Fire

Dutch intelligence agencies and Microsoft report that a newly identified Russian state intelligence hacking group is likely purchasing stolen credentials from criminal marketplaces to gain entry to North American and European networks. In a recent coordinated disclosure, the Dutch government and Microsoft stated that this group of government-linked hackers has been active since 2024 and has "a specific interest in European Union and NATO member states." The Dutch agencies said the group, which they named "Laundry Bear," shares tactics with Unit 26165 of the Russian Main Intelligence Directorate (GRU), commonly tracked as APT28. "Nevertheless, Laundry Bear and APT28 are two distinct threat actors."

Microsoft tracks the group as "Void Blizzard" and notes that it exhibits overlap in targeting with other Russian intelligence hacking operations.  "This intersection suggests shared espionage and intelligence collection interests assigned to the parent organizations of these threat actors."

Authorities became aware of the new cyberespionage unit after a successful September 2024 pass-the-cookie attack against a police agency: the attackers replayed a valid session cookie for an already-authenticated user, which let them bypass the password and any MFA challenge. Dutch intelligence assesses that the Russian hackers likely bought the cookie from an infostealer's offering on a criminal marketplace. The hackers copied the agency's global address list, which contained contact information for police department employees.

Online fraudsters and cryptocurrency thieves have traditionally used infostealers. Still, this line is often blurred in Russia, which utilizes its robust criminal underground as a source of personnel and data, and even as an operational auxiliary.

An international law enforcement operation conducted earlier this month dismantled the infrastructure used by operators of the Lumma infostealer, which first appeared for sale on Russian-language cybercriminal forums in 2022. Another operation disrupted DanaBot, malware sold in two variants: one for cybercrime and one for espionage. The espionage variant exfiltrated stolen data to servers located inside Russia.

See:  https://redskyalliance.org/xindustry/lumma-stealer

Laundry Bear seeks information "relating to the procurement and production of military goods by Western governments, and weapons deliveries to Ukraine from Western countries," the Dutch agencies stated.  Only days earlier, Western cybersecurity agencies warned that Russian intelligence is targeting logistics and technology companies in a bid to track military aid delivered to Ukraine.

Stolen authentication credentials and password spraying make up the bulk of Laundry Bear's operations, but Microsoft has reported that the group has also branched into Adversary-in-the-Middle (AitM) attacks, in which a proxy page relays the victim's real login to the identity provider and captures the resulting session token along with the password, defeating MFA in the process. In April, defenders identified a phishing campaign targeting 20 non-governmental organizations that directed victims to a typo-squatted domain spoofing Microsoft Entra authentication.

The phishing bait was an invitation to a fake "European Defense & Security Summit." Victims who scanned a QR code in the invitation were redirected to a typo-squatted look-alike of the legitimate microsoftonline.com domain, a credential phishing page that mimics an Entra authentication site. Post-exploitation activity includes using cloud APIs to enumerate user mailboxes and cloud-hosted files. In a few instances, Laundry Bear actors also accessed Microsoft Teams or deployed AzureHound, the Azure data collector for BloodHound, to gather information about the users, roles, groups, applications, and devices associated with the compromised account.
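The two initial-access techniques described above, password spraying and replay of a stolen session cookie, leave different traces in sign-in telemetry. The following is an added example, not code from the original article, Red Sky Alliance, Microsoft, or the Dutch agencies; it runs two detections over constructed sample records whose field names (ts, user, ip, country, user_agent, session_id, error) are a simplified stand-in for Entra ID sign-in logs rather than the real schema. The only real identifier used is error code 50126, Entra's "invalid username or password" result.

```python
"""Detections for password spraying and session-cookie replay over
constructed sign-in records (added example; simplified schema, not real logs)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Real Entra ID sign-in error code: invalid username or password.
ERR_INVALID_CREDENTIALS = 50126


def _rec(ts, user, ip, country, ua, sid, err):
    """Build one simplified sign-in record (assumed field names)."""
    return {"ts": ts, "user": user, "ip": ip, "country": country,
            "user_agent": ua, "session_id": sid, "error": err}


# Constructed sample data. 203.0.113.7 / 198.51.100.20 are documentation
# addresses; "XX" is a synthetic country code; all accounts are fictional.
SPRAY_IP, SPRAY_UA = "203.0.113.7", "python-requests/2.31"
HOME_UA = "Mozilla/5.0 (Windows NT 10.0) Edge/124"
SAMPLE_SIGNINS = [
    # 1) A legitimate user mistypes a password twice, then succeeds: one account,
    #    so this must not look like a spray.
    _rec("2024-09-03T07:58:00", "p.bakker@example.org", "198.51.100.20", "NL", HOME_UA, None, 50126),
    _rec("2024-09-03T07:58:40", "p.bakker@example.org", "198.51.100.20", "NL", HOME_UA, None, 50126),
    _rec("2024-09-03T07:59:10", "p.bakker@example.org", "198.51.100.20", "NL", HOME_UA, "sess-02b", 0),
    # 2) Stolen-cookie replay: the session is issued in NL, then reused hours later
    #    from a different network, country and client. No password failure occurs.
    _rec("2024-09-03T08:01:00", "j.devries@example.org", "198.51.100.20", "NL", HOME_UA, "sess-17a", 0),
    _rec("2024-09-03T13:22:00", "j.devries@example.org", SPRAY_IP, "XX", SPRAY_UA, "sess-17a", 0),
    # 3) Low-and-slow spray: one guess each against six accounts within ten minutes.
] + [
    _rec(f"2024-09-03T02:{m:02d}:00", f"{u}@example.org", SPRAY_IP, "XX", SPRAY_UA, None, 50126)
    for m, u in zip(range(0, 12, 2),
                    ["a.jansen", "b.smit", "c.meijer", "d.visser", "e.mulder", "f.bos"])
]


def detect_password_spray(events, window=timedelta(minutes=30), min_users=5):
    """Return {ip: [users]} for source IPs that fail with invalid credentials
    against at least `min_users` distinct accounts inside any `window`.
    A spray is wide (many users) and shallow (one or two guesses each), so the
    number of distinct targeted users, not the raw failure count, is the signal;
    per-account lockout thresholds never trip."""
    failures = defaultdict(list)
    for e in events:
        if e["error"] == ERR_INVALID_CREDENTIALS:
            failures[e["ip"]].append((datetime.fromisoformat(e["ts"]), e["user"]))
    hits = {}
    for ip, rows in failures.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):          # sliding window from each failure
            users = {u for t, u in rows[i:] if t - start <= window}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits


def detect_session_replay(events):
    """Return a list of successful sign-ins where a session_id is reused from a
    different IP, country or user agent than the one it was first seen with.
    A stolen cookie carries the user's identity but not their device or network,
    so the mismatch is the tell; because no password is entered, failed-logon
    alerting stays silent and this check is what catches it."""
    first_seen, hits = {}, []
    for e in sorted(events, key=lambda r: r["ts"]):
        sid = e["session_id"]
        if sid is None or e["error"] != 0:
            continue
        if sid not in first_seen:
            first_seen[sid] = e
            continue
        origin = first_seen[sid]
        changed = [f for f in ("ip", "country", "user_agent") if e[f] != origin[f]]
        if changed:
            hits.append({"session_id": sid, "user": e["user"],
                         "ip": e["ip"], "changed": changed})
    return hits


if __name__ == "__main__":
    print("password spray sources:", detect_password_spray(SAMPLE_SIGNINS))
    print("session replays:", detect_session_replay(SAMPLE_SIGNINS))
```

On the sample data the spray check flags 203.0.113.7 (six distinct accounts, one failure each, no account ever locked) while ignoring the user who mistyped twice, and the replay check flags sess-17a on its reuse from a new IP, country and client. In production the same logic belongs in a KQL query over the SigninLogs table or a SIEM rule; the thresholds here are assumptions to tune against your own baseline of travelling users and NAT'd egress addresses.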


This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122
