A newly-discovered Russia-sponsored cyber-espionage unit known as Void Blizzard has been observed operationally targeting key sectors in NATO countries and Ukraine, according to a new report on April 2024.
This threat actor was identified by Microsoft Threat Intelligence, and we have high confidence in the assessment that they are closely linked to the Russian government’s objectives.
The main targets of Void Blizzard are organizations critical to these goals; they include government, defense, transportation, media, NGOs and healthcare, with particular emphasis on institutions in Europe and North America.
The group’s activities suggest a very specific interest in intelligence of use to Russia and in support of Russia’s geopolitical interests, in particular in the case of the situation in Ukraine.
In the early days, the tactics used by Void Blizard to initiate an initial breach were fairly simplistic, including using stolen sign-in credentials possibly purchased from online crime shops, password spray attacks and others.
After compromising networks, the adversaries have also been seen exfiltrating massive volumes of emails and files. They have accessed Microsoft Teams conversations via the web client only in a very small number of cases.
Yet recent reports have suggested a shift in strategy for Void Blizzard. In April 2025, Microsoft identified an AitM spear-phishing operation against 20+ NGOs in Europe and the United States.
This campaign delivered a typosquatted domain impersonating the Microsoft Entra authentication portal. The attackers sent emails that were disguised as communication from the organizers of the European Defense and Security Summit, and included fake summit invitations as PDF attachments.
These attachments contained malicious QR codes that sent the victims to infrastructure controlled by the Void Blizzard, where the attackers hosted a credential phishing page. This pivot to more targeted fishing implies a heightened threat to organizations in key industries.
Incidentally several of the organizations hit by Void Blizzard – for example the Science Museum Group, the Met and Kew Gardens – have also been targeted by other Russia state-sponsored actors including Forest Blizzard, Midnight Blizzard and Secret Blizzard, illustrating the depth and breadth of Russian intelligence interest in these organizations.
In October 2024, Void Blizzard had managed to hack into user accounts at a Ukrainian aviation company already targeted by Seashell Blizzard, which has been attributed to the GRU, in that one year, 2022, confirming that Russia’s aviation intelligence targeting is long-term strategic.
The Dutch intelligence and security services simultaneously stated that Void Blizzard were responsible for the hacks of a number of Dutch organisations the theft of a list of work-related contact information from the police. This intelligence sharing has been critical in understanding how Void Blizzard operates.
NATO countries, Ukraine and organizations are warned to remain wary of potential phishing campaigns and increase cybersecurity measures. Strong multi-factor authentication, keeping systems up-to-date, and educating staff on how to spot suspicious email, are so important in reducing the exposure to this ever-industrious threat actor.
The ongoing operations of Void Blizzard highlight the enduring cyber espionage threat from Russia, which is targeted at damaging the security and stability of its adversaries and gathering significant intelligence to support its strategic priorities.
