The mysterious cyber espionage group, code-named “Laundry Bear” by Dutch intelligence and “Void Blizzard” by Microsoft, had been systematically infiltrating western technology companies and organisations supporting Ukraine since April 2024.
This was disclosed in a joint advisory authored by the Dutch intelligence services (AIVD and MIVD), along with a report from Microsoft Threat Intelligence issued yesterday.
The main purpose of Laundry Bear seems to be espionage, the acquisition of sensitive information, such as that regarding military assistance for Ukraine and high technology, which Russia desires.
The group is “very likely Russian state supported” and is particularly interested in information on the purchase and production of military equipment by Western countries and the specifics of weapon deliveries to Ukraine, the Dutch intelligence agencies said.
In a major hack last September, Laundry Bear managed to infiltrate an account associated with the Dutch police and accessed the work contact information of every Dutch police officer. This second incident demonstrates the group’s competence and the possible extent of their activities.
Microsoft’s telemetry shows that Void Blizzard has repeatedly targeted government bodies and police forces, notably in NATO nations that are known to offer military or humanitarian aid to Ukraine. The group has also gone after a variety of sectors, including telecommunications, defense industrial base, healthcare, education, IT, transportation, media, and nongovernmental organizations in Europe and North America.
In particular, the group accessed multiple users’ accounts at a Ukrainian aviation organization in October 2024, which is a different organization but within the same sector that had been previously targeted by another Russian-linked group, indicating continued interest in this area.
Its methodology involves a number of tactics,including the use of pilfered credentials obtained from “commodity infostealer ecosystems.” When the group gains access to a targeted system, it has a history of raiding massive numbers of emails and files. More recently, in April 2025, Microsoft has seen Void Blizzard scale its techniques to focused spear-phishing that would lead to credential theft.
One such campaign saw attackers impersonate the organizers of the European Defense and Security Summit by sending malicious PDF attachments with QR codes which directed the recipient to a fake Microsoft login page where they were tricked into giving their credentials to the attackers.
Dutch intelligence agencies have detected similarities between Laundry Bear’s methods and those used by another G.R.U.-linked group, APT28, also known as Fancy Bear. Since 2022 Fancy Bear has also actively targeted Western logistics providers, technology firms, and government institutions funding Ukraine.
Just last week, an advisory from 21 government agencies in the US, UK, Canada, and Europe warned of an active Fancy Bear campaign against Ukrainian email servers and internet-connected cameras at border crossings used to track aid shipments.
This recent and expanding exposure underscores ongoing efforts as well as shifting tactics of Kremlin-linked actors to undermine support for Ukraine and gather strategic intelligence to use against NATO counties and major technology firms.
Security organizations are encouraging companies with business interests in these sectors to further defend their infrastructure, increase vigilance of suspicious activity and carry out necessary security protocols to minimize the risk of such advanced cyber espionage campaigns.
