A new Russian threat actor, Void Blizzard, also known as Laundry Bear, is gathering intelligence from Western states on an industrial scale unseen since the end of the Cold War. According to Microsoft Threat Intelligence, Void Blizzard primarily targets Ukraine and NATO member states, particularly those supporting Ukraine.
“While Void Blizzard has a global reach, their cyberespionage activity disproportionately targets NATO member states and Ukraine, indicating that the actor is likely collecting intelligence to help support Russian strategic objectives,” reports Microsoft.
Many of the compromised organizations overlap with the targets of cyber-espionage carried out by other well-known Russian state actors, including Forest Blizzard, Midnight Blizzard, and Secret Blizzard. This appears to suggest that the intelligence gathering is being orchestrated by the Russian state as a key part of its renewed animosity toward the West, following a historically unusual period of openness and co-operation.
This is borne out by the fact that organizations being targeted by Void Blizzard generally operate in sectors vital to security, such as the US defense industrial base, government agencies, and education. But other targeted industries point to a more sinister long-term agenda. These include transportation, the media, and healthcare – all key targets in the event of a full-scale cyber-war or even a physical conflict.
Void Blizzard’s modus operandi is not particularly innovative, as it largely employs tried and tested methods of data theft in order to conduct its operations on a widespread scale. This mainly involves the use of stolen credentials, frequently purchased in bulk from the Darknet. But Microsoft, which has been cataloguing Void Blizzard’s espionage activities since at least 2025, has also recently observed Void Blizzard accessing Microsoft Teams conversations when key individuals in target organizations are conducting what they assume to be private closed video meetings and messaging via the Microsoft Teams web client application.
Highly targeted cyber-espionage operations
According to Microsoft Threat Intelligence: “Void Blizzard’s cyberespionage operations tend to be highly targeted at specific organizations of interest to the Russian government, including in government, defense, transportation, media, non-governmental organizations (NGOs), and healthcare sectors primarily in Europe and North America.”
To defend themselves against data theft and to safeguard their country’s security, Microsoft recommends that organizations, particularly those in the targeted sectors, ensure that standard security measures such as multi-factor authentication (MFA) and mailbox auditing are firmly in place. Organizations should also remove any malware still residing on any accounts that have been compromised.
“Given the widespread use of infostealers in attacks, organizations should immediately respond to infostealer activity and mitigate the risk of credential theft to prevent follow-on malicious activity,” warns Microsoft.