Dutch intelligence agencies expose new Russian hacking group “Laundry Bear” linked to anti-NATO espionage

28.05.2025 2 minutes Author: Newsman

Dutch intelligence services have exposed a previously unknown Russian cyber group called “Laundry Bear” that is behind a series of attacks on public and private organizations in the country, including the police. The hackers operated with high speed and efficiency, using automated espionage methods without malware.

  • On Tuesday, the Dutch Ministry of Defense announced a technical attribution by the AIVD and MIVD, according to which “Laundry Bear” carried out a series of non-destructive cyberattacks, mainly for the purpose of gathering information. The group infiltrated cloud-based email services, including Microsoft Exchange, to steal emails and contact information quickly and in bulk.

Microsoft has been tracking the group under the name “Void Blizzard” and says it has been active since at least 2024, primarily targeting NATO countries and Ukraine. The hackers used simple, hard-to-detect techniques, working with legitimate software already on victims’ devices — a tactic known as “living off the land.”

The investigation began after an incident with the Dutch police in September 2024, when attackers gained access to an employee’s account via a session cookie, likely stolen by malware and resold on a hacking forum.

Amid a large-scale campaign to expose Russian cyberattacks involving Western countries, Laundry Bear was identified as a separate entity from APT28 (Fancy Bear). The group’s attacks target defense ministries, arms suppliers, space and high-tech companies, as well as education and media organizations.

Laundry Bear has shown interest in companies that supply military equipment components, especially those that are difficult for Russia to access due to sanctions. It has also been active against Ukrainian organizations, particularly in the aviation sector. Although the Dutch intelligence service has published the results of its investigation, it admits that it has a limited understanding of the full scope of Laundry Bear’s activities. The purpose of the publication is to inform other potential victims and to help take measures to counter cyber threats from Russia. The threat remains, especially for strategically important NATO infrastructure.
