A newly identified Russian cyber threat group has quietly infiltrated multiple Western institutions, including the Dutch police, stealing sensitive data linked to NATO and Ukraine defense logistics.
Dutch Intelligence Identifies Russian Hacking Group ‘Laundry Bear’
The Netherlands’ intelligence services, AIVD and MIVD, have confirmed that a previously unknown Russian threat actor, codenamed Laundry Bear (also tracked as Void Blizzard by Microsoft), has breached government and commercial organizations across EU and NATO member states.
Since early 2024, the group has conducted cyber espionage operations targeting:
- Armed forces and defense contractors
- Government ministries
- Digital service providers
- Cultural and diplomatic institutions
“Technical investigation by the Dutch services reveals that LAUNDRY BEAR has successfully gained access to sensitive information from a large number of government organisations,” Dutch intelligence agencies said in a public advisory.
Dutch Police Data Breached via Stolen Credentials
On September 23, 2024, Laundry Bear successfully breached the Dutch police network, obtaining the Global Address List (GAL) containing contact information for all personnel.
According to investigators, the breach stemmed from a stolen authentication token—likely harvested using infostealer malware and traded on dark web marketplaces.
“Using the stolen cookie, the threat actor could then gain access to certain information without having to enter a username and password,” the agencies confirmed.
Email and Cloud Platforms Targeted in Espionage Campaign
Laundry Bear primarily exploits cloud-based email environments like Microsoft Exchange. Once inside a user account, the attackers exfiltrate:
- Emails and contacts
- GAL data
- Documents from cloud storage platforms such as SharePoint
These campaigns have been aimed at extracting intelligence on military procurement, equipment production, and weapons transfers to Ukraine.
Phishing Tactics and Typosquatting Used to Harvest Credentials
The group recently expanded its toolset to include phishing campaigns with typosquatted domains, mimicking secure portals to harvest credentials. One campaign impersonated the European Defense and Security Summit using a PDF attachment with a QR code linking to a fake Microsoft login page: micsrosoftonline[.]com.
Simple Methods, High Impact
Despite using basic techniques like password spraying, token theft, and phishing, Laundry Bear has evaded detection by blending in with legitimate traffic and using “living-off-the-land” (LOTL) methods—leveraging native tools on the victim’s systems rather than deploying custom malware.
“Laundry Bear is capable of stealing email messages from compromised systems at scale,” investigators noted.
These methods are similar to those used by APT28, a known GRU-backed hacking group, but Dutch agencies stress that Laundry Bear is distinct.
Targets Expand Beyond Europe
While primarily focused on NATO countries and EU institutions, Laundry Bear has also carried out attacks in Central and East Asia. Its interests include aerospace firms, defense manufacturers, and high-tech suppliers connected to Russia’s war efforts.
Strategic Implications and Mitigation
Dutch officials emphasize the importance of hardening defenses against Laundry Bear’s techniques. Recommended countermeasures include:
- Enforcing multifactor authentication
- Limiting user privileges
- Auditing login activity
- Monitoring cloud environments
- Managing endpoints centrally
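Laundry Bear's reuse of a stolen session cookie to read data "without having to enter a username and password" is exactly what the recommended login auditing is meant to surface. The Python below is an added example, not code from the advisory or the Dutch services: it runs over constructed cloud sign-in audit records and flags any session whose cookie is presented from a client fingerprint (IP and user agent) other than the one that completed the interactive sign-in, or that is used without any interactive sign-in in the audited window. The field layout, the `password+mfa`/`token` labels and every value in the sample log are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample sign-in audit records (not real data), one event per line.
# Fields: timestamp, user, session_id, client_ip, user_agent, auth_method.
# "token" = request authorised by an existing session cookie;
# "password+mfa" = the interactive sign-in that minted that cookie.
SAMPLE_LOG = """\
2024-09-23T08:02:11Z,j.doe,sess-7f3a,10.20.30.40,Edge/127 Windows,password+mfa
2024-09-23T08:15:42Z,j.doe,sess-7f3a,10.20.30.40,Edge/127 Windows,token
2024-09-23T13:47:05Z,j.doe,sess-7f3a,203.0.113.77,Firefox/129 Linux,token
2024-09-23T09:00:00Z,a.smith,sess-91c2,10.20.30.41,Chrome/128 Windows,password+mfa
2024-09-23T09:30:00Z,a.smith,sess-91c2,10.20.30.41,Chrome/128 Windows,token
2024-09-23T10:05:00Z,m.lee,sess-e0b9,198.51.100.9,Chrome/128 macOS,token
"""

FIELDS = ["ts", "user", "session", "ip", "ua", "auth"]

def parse_events(log_text):
    """Parse CSV-style audit lines into dicts, ordered by ISO-8601 timestamp."""
    rows = [dict(zip(FIELDS, r)) for r in csv.reader(io.StringIO(log_text)) if r]
    return sorted(rows, key=lambda e: e["ts"])

def find_replayed_sessions(events):
    """Return one finding per suspicious session.

    A session cookie should only ever be presented by the client that performed
    the interactive (password+mfa) sign-in. Flag the session when the cookie
    later arrives with a different IP/user-agent fingerprint, or when it is
    used although no interactive sign-in for it appears in the audited window."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    findings = []
    for sid, evs in by_session.items():
        origin = next((e for e in evs if e["auth"] == "password+mfa"), None)
        if origin is None:
            findings.append({"session": sid, "user": evs[0]["user"],
                             "reason": "cookie used with no interactive sign-in in window"})
            continue
        origin_fp = (origin["ip"], origin["ua"])
        for e in evs:
            if e["auth"] == "token" and (e["ip"], e["ua"]) != origin_fp:
                findings.append({"session": sid, "user": e["user"],
                                 "reason": f"cookie replayed from {e['ip']} / {e['ua']} "
                                           f"(issued to {origin['ip']} / {origin['ua']})"})
                break  # one finding per session is enough for triage
    return findings

if __name__ == "__main__":
    for f in find_replayed_sessions(parse_events(SAMPLE_LOG)):
        print(f"{f['user']} {f['session']}: {f['reason']}")
```

A bare IP change is a weak signal on its own (mobile and VPN users roam), so in production the fingerprint comparison would typically be widened to ASN or geolocation and correlated with impossible-travel and mailbox-export events before alerting.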
“The information stolen from the GAL may also be used in later attacks, including spearphishing,” the joint advisory warned.
Vice Adm. Peter Reesink of MIVD stated that the group’s main objective is to “obtain information about the purchase and production of military equipment and Western deliveries of weapons to Ukraine.”
Erik Akerboom, head of AIVD, added that the published technical indicators will help enterprise and government networks defend against further infiltration.