
A previously unknown Russian cyber threat actor hacked the Dutch police and several other Western government organizations while remaining under the radar.
The Netherlands General Intelligence and Security Service (AIVD) and the Netherlands Defence Intelligence and Security Service (MIVD) have warned the Parliament and the public about a previously unknown Russian hacking group, dubbed Laundry Bear. Microsoft tracks the threat actor as Void Blizzard.
Since 2024, Laundry Bear has conducted various cyber operations against Western government organizations. It’s highly probable that it is a Russian state-supported threat actor.
The hackers are specifically interested in the armed forces, government organisations, defence contractors, social and cultural organisations, and digital service providers.
To date, Laundry Bear has conducted non-destructive cyberattacks, which hints at an espionage motive.
“Technical investigation by the Dutch services reveals that LAUNDRY BEAR has successfully gained access to sensitive information from a large number of government organisations, commercial entities and other organisations around the world, with a specific interest in EU and NATO member states,” the report reads.
These hackers breached the Dutch police on 23rd September 2024, which exposed work-related contact information of all police employees.
“Laundry Bear is after information about the purchase and production of military equipment by Western governments and Western deliveries of weapons to Ukraine,” says Vice Adm. Peter Reesink, director of MIVD.
Erik Akerboom, Director General of the AIVD, hopes that published technical advice on Laundry Bear’s methods will help protect against this form of espionage.
Microsoft has discovered worldwide cloud abuse activity by new Russia-affiliated threat actor Void Blizzard (LAUNDRY BEAR), whose cyberespionage activity targets gov't, defense, transportation, media, NGO, and healthcare in Europe and North America. https://t.co/yVbdaFuqMf
Microsoft Threat Intelligence (@MsftSecIntel) May 27, 2025
How does Laundry Bear operate?
According to Dutch intelligence, Laundry Bear “has successfully managed to fly below the radar by employing simple attack methods and attack vectors involving tools which are readily available on victims’ computers.”
This makes it difficult to detect intrusions and distinguish them from other known Russian threat actors.
The hackers penetrate cloud-based email environments, particularly Exchange servers. Once they gain access to a user account, Laundry Bear quickly steals email messages and contacts at scale, including a Global Address List (GAL).
In some cases, Laundry Bear has also managed to obtain data stored on cloud servers and other files.
“Laundry Bear primarily targets entities that are relevant to Russia's war efforts in Ukraine: NATO member defence ministries, their ambassadors to other organisations, branches of the armed forces, and defence contractors,” the joint advisory reads.
“Laundry Bear also attacks foreign affairs ministries and EU institutions.”
However, some attacks have also been identified in East and Central Asia.
The targets include defence contractors, aerospace firms, and other high-tech military production businesses. Laundry Bear aimed to obtain sensitive information relating to the procurement and production of military goods and weapons deliveries to Ukraine.
To hack the Dutch police, the hackers gained access to an account belonging to an employee and then succeeded in stealing the work-related contact information of police employees through the GAL. Hackers abused an access token, which was likely stolen with infostealer malware and sold on a criminal marketplace by a third party.
“Using the stolen cookie, the threat actor could then gain access to certain information without having to enter a username and password,” the agencies explain.
Microsoft has also detected that the threat actor has recently begun using typosquatted domains to spoof authentication portals in phishing campaigns. The hackers posed as organizers from the European Defense and Security Summit, sending fake emails with a PDF attachment containing a malicious QR code that redirected targets to a credential phishing page at micsrosoftonline[.]com.
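As an added example (not code from Microsoft or the Dutch advisory), the following check flags hostnames that sit within a small edit distance of an organisation's real sign-in domains, which is how a typosquat like the one above can be caught in mail or proxy logs. The allow-list, the distance threshold and the sample hostnames are assumptions for illustration.

```python
# Assumed allow-list of real sign-in domains (illustrative, not from the article).
LEGIT_AUTH_DOMAINS = ["microsoftonline.com", "microsoft.com", "office.com"]

def refang(domain):
    """Turn a defanged indicator such as example[.]com back into a hostname."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")

def registered_domain(host):
    """Naive last-two-labels cut; production code should use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])

def edit_distance(a, b):
    """Optimal string alignment: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # transposed neighbours
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def lookalikes(hosts, max_distance=2):
    """Return {host: (legit domain, distance)} for near-misses of the allow-list."""
    hits = {}
    for raw in hosts:
        host = refang(raw)
        reg = registered_domain(host)
        if reg in LEGIT_AUTH_DOMAINS:
            continue  # genuine sign-in domain or one of its subdomains
        for legit in LEGIT_AUTH_DOMAINS:
            d = edit_distance(reg, legit)
            if 0 < d <= max_distance:
                hits[host] = (legit, d)
                break
    return hits

# Constructed input, e.g. hosts pulled from decoded QR codes or mail URLs.
# The first entry is the defanged phishing domain named in the article.
SAMPLE_HOSTS = ["micsrosoftonline[.]com", "login.microsoftonline.com", "example.org"]

if __name__ == "__main__":
    print(lookalikes(SAMPLE_HOSTS))
```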

Laundry Bear performed many attacks in a short time span, which suggests that the hackers use “some level of automation.” Despite relatively simple techniques, Laundry Bear achieves a high success rate.
The Russian threat actor hasn’t developed its own custom malware and instead relies on the “living-off-the-land” (LOTL) technique, a tactic of using existing systems and tools on victims’ computers or networks.
Laundry Bear primarily gains access through stolen authentication tokens or cookies, password spraying, and phishing.
To evade detection, the hackers limit the number of login attempts for a certain account and spread them over time. They abuse compromised passwords published online.
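The low-and-slow pattern described above stays under per-account lockout rules, so detection has to pivot on the source instead. The following added example (not taken from the advisory) runs both rules over constructed sign-in events; the thresholds, field layout and addresses are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample_events():
    """Constructed sign-in events: (time, source IP, account, success)."""
    start = datetime(2025, 1, 6, 8, 0)
    events = []
    for i in range(12):  # one source, 12 accounts, one failure each, 45 min apart
        events.append((start + timedelta(minutes=45 * i), "203.0.113.7", f"user{i:02d}", False))
    for i in range(3):   # a real user mistypes a password three times...
        events.append((start + timedelta(minutes=i), "198.51.100.20", "user03", False))
    events.append((start + timedelta(minutes=4), "198.51.100.20", "user03", True))  # ...then logs in
    return sorted(events)

def per_account_lockout(events, max_failures=5, window=timedelta(minutes=30)):
    """Classic rule: flag an account with >= max_failures failures inside window."""
    fails, flagged = defaultdict(list), set()
    for ts, _ip, user, ok in events:
        if ok:
            continue
        fails[user] = [t for t in fails[user] if ts - t <= window] + [ts]
        if len(fails[user]) >= max_failures:
            flagged.add(user)
    return flagged

def spray_sources(events, min_accounts=8, window=timedelta(hours=24), max_per_account=2):
    """Flag sources failing against many distinct accounts with few tries each."""
    recent = defaultdict(list)  # source IP -> [(time, account)] of failed attempts
    flagged = {}
    for ts, ip, user, ok in events:
        if ok:
            continue
        recent[ip] = [(t, u) for t, u in recent[ip] if ts - t <= window] + [(ts, user)]
        per_user = defaultdict(int)
        for _t, u in recent[ip]:
            per_user[u] += 1
        # Many accounts touched, none hammered: the spray signature (assumed thresholds).
        if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
            flagged[ip] = sorted(per_user)
    return flagged

if __name__ == "__main__":
    ev = build_sample_events()
    print("per-account rule:", per_account_lockout(ev))
    print("per-source rule: ", spray_sources(ev))
```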

“Laundry Bear is capable of stealing email messages from compromised systems at scale. In some cases, the Dutch services have established that Laundry Bear has stolen data from compromised SharePoint environments, where the group exploits known vulnerabilities to collect login credentials for later operations.”
The investigators found similarities in techniques used by APT28, another Russian state-sponsored threat actor associated with the Russian military intelligence service, GRU. However, these are two distinct hacking groups.
Dutch intelligence agencies warn that Laundry Bear will add more complex vectors and tools to their arsenal going forward.
“The information stolen from the GAL may also be used in later attacks, including spearphishing,” the advisory reads.
The document recommends enforcing multifactor authentication, limiting user privileges, auditing accounts, managing devices centrally, and monitoring for unusual network and login activity, among other mitigating measures.