Microsoft security researchers have identified a significant shift in the tactics of the Russian hacking group Void Blizzard, also known as Laundry Bear. The group, previously known for purchasing login credentials on the dark web, has begun stealing credentials directly by creating fake Microsoft Entra login pages. These counterfeit pages are distributed through spear phishing emails, targeting small and medium-sized businesses (SMBs) in the West, with a particular focus on organizations in Ukraine and NATO member states.
The Changing Tactics of Void Blizzard
Void Blizzard’s new approach involves creating typosquatted domains to host fake Entra login pages, which are then used in phishing campaigns to trick victims into revealing their login credentials. This marks a significant change from their previous method of buying credentials on the dark web. Once inside their targets’ IT infrastructure, the hackers exfiltrate sensitive data, including emails, files, and business information, and attempt to move laterally within the organization.
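As a defender-side illustration of the typosquatting described above (added here, not code from Microsoft's report), the following Python check flags hosts that imitate the legitimate Entra sign-in host login.microsoftonline.com in a few constructed proxy log lines. Every non-Microsoft domain is made up on the reserved .test TLD, and the last-two-label domain split and the small homoglyph table are simplifying assumptions.

```python
"""Flag lookalikes of the Entra sign-in host login.microsoftonline.com (added example, not
Microsoft's code; every non-Microsoft domain below is constructed on the reserved .test TLD)."""
from urllib.parse import urlparse

BRAND, BRAND_TLD = "microsoftonline", "com"
HOMOGLYPHS = str.maketrans("0135", "oles")  # digit look-alikes used in lookalike registrations

def normalize(label: str) -> str:
    """Fold homoglyphs and hyphens so 'rnicr0s0ft-0nline' becomes 'microsoftonline'."""
    label = label.lower().replace("rn", "m").replace("vv", "w").replace("-", "")
    return label.translate(HOMOGLYPHS)

def levenshtein(a: str, b: str) -> int:
    """Edit distance; 1 or 2 means a one- or two-keystroke typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url: str) -> str:
    """Verdict for one URL; the last two labels are taken as the registrable domain (assumption)."""
    labels = (urlparse(url).hostname or "").split(".")
    sld, tld = (labels[-2], labels[-1]) if len(labels) > 1 else ("", labels[-1])
    if (sld, tld) == (BRAND, BRAND_TLD):
        return "legitimate"
    if normalize(sld) == BRAND:
        return "lookalike: homoglyph or foreign TLD"
    if levenshtein(normalize(sld), BRAND) <= 2:
        return "lookalike: typosquat"
    if BRAND in normalize(".".join(labels)):
        return "lookalike: brand embedded in another label"
    return "unrelated"

# Constructed proxy log (timestamp, user, URL clicked from a mail client); not real traffic.
SAMPLE_LOG = """\
2025-01-01T09:12:01Z alice https://login.microsoftonline.com/common/oauth2/v2.0/authorize
2025-01-01T09:14:44Z bob   https://login.micros0ftonline.test/common/oauth2/authorize
2025-01-01T09:15:02Z carol https://login.microsoftonlline.test/
2025-01-01T09:16:30Z dave  https://login-microsoftonline.test/signin
2025-01-01T09:17:11Z erin  https://rnicrosoftonline.test/
2025-01-01T09:18:55Z frank https://mail.example.test/owa/"""

def scan_log(log: str = SAMPLE_LOG) -> list[tuple[str, str]]:
    """Return (user, verdict) for every log line whose URL points at a lookalike host."""
    verdicts = [(line.split()[1], classify(line.split()[2])) for line in log.splitlines()]
    return [(user, v) for user, v in verdicts if v.startswith("lookalike")]
```

In practice the verdicts would feed an alert on the proxy or mail gateway, with the brand list extended to whatever identity providers the organization actually uses.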
Targets and Motivations
The campaign primarily targets organizations in critical sectors such as government, defense, transportation, media, NGOs, and healthcare. Education, telecommunications, and law enforcement agencies have also been targeted in some instances. Microsoft’s analysis suggests that the campaign is part of Russia’s broader war effort against Ukraine, aiming to gather intelligence from critical infrastructure.
Intersection with Other Russian State Actors
Microsoft’s findings indicate that Void Blizzard’s targets often overlap with those of other known Russian state actors, including Forest Blizzard, Midnight Blizzard, and Secret Blizzard. This overlap suggests shared espionage and intelligence collection interests among these groups, pointing to a coordinated Russian strategy to gather intelligence from strategic targets in Ukraine and NATO member states.
Implications for Cybersecurity
The shift in Void Blizzard’s tactics highlights the evolving nature of cyber threats associated with state-sponsored hacking groups. Organizations, particularly those in critical sectors, need to remain vigilant against sophisticated phishing campaigns and ensure robust security measures are in place to protect against credential theft and data exfiltration.