Hoplon InfoSec
28 May, 2025
Are you aware of the Russian hackers? A sweeping investigation released in May 2025 by Microsoft and the Dutch intelligence agencies (AIVD and MIVD) has revealed a surge in Russian state-backed cyber-espionage activity across Europe, North America, and NATO-aligned states. This multifaceted offensive weaves together decades-old tradecraft with modern cloud abuse, stolen credentials, and increasingly professionalized tactics.
At the heart of these revelations are two interconnected storylines: the quiet, persistent data theft campaigns of Void Blizzard (also tracked as Laundry Bear) and the raucous, propaganda-fueled return of Killnet, now rebranded as a hybrid hacktivist-mercenary collective.
Void Blizzard/Laundry Bear represents a new chapter in Russian cyber warfare—an actor that fuses low-sophistication entry points with advanced cloud-native exploitation.
Dutch intelligence assessments conclude that Laundry Bear’s operations are laser-focused on:
Void Blizzard does not rely on custom-developed implants or zero-day exploits. Instead, it leverages the massive underground market of infostealer logs. These logs, often sold for as little as $10, are sourced from low-level malware families (such as RedLine, Raccoon Stealer, Vidar, and Lumma) and contain:
This approach illustrates a blurring of boundaries between state-backed espionage and financially driven cybercrime ecosystems. Russian APTs increasingly depend on this commoditized cybercrime infrastructure to launch state-directed campaigns.
Once initial access is secured, often through password spraying or credential stuffing, Void Blizzard uses legitimate tools and APIs to conduct deep reconnaissance and data theft:
This living-off-the-land approach minimizes the need for malicious binaries or implants, a key to stealthy, long-term espionage.
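Because the initial foothold comes from password spraying or credential stuffing with purchased credentials, the sign-in log is often the only place the intrusion is visible. The following is an added example, not code from the article or from Microsoft or the Dutch agencies: a small detector that flags a source IP whose failed sign-ins touch many distinct accounts within a short window, and notes whether that IP later signed in successfully. The sample events, account names, and IP addresses are constructed for illustration; the field layout is an assumption, not any product's log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry).
# Fields: timestamp (ISO 8601), account, source IP, outcome.
SAMPLE_EVENTS = [
    # One IP tries one password against six different accounts in 40 seconds
    # and lands on the sixth: the password-spray pattern.
    ("2025-05-01T08:00:01", "alice@example.org", "203.0.113.7", "failure"),
    ("2025-05-01T08:00:09", "bob@example.org", "203.0.113.7", "failure"),
    ("2025-05-01T08:00:17", "carol@example.org", "203.0.113.7", "failure"),
    ("2025-05-01T08:00:25", "dave@example.org", "203.0.113.7", "failure"),
    ("2025-05-01T08:00:33", "erin@example.org", "203.0.113.7", "failure"),
    ("2025-05-01T08:00:41", "frank@example.org", "203.0.113.7", "success"),
    # A single user mistyping their own password is not a spray.
    ("2025-05-01T08:05:00", "grace@example.org", "198.51.100.4", "failure"),
    ("2025-05-01T08:05:10", "grace@example.org", "198.51.100.4", "failure"),
    ("2025-05-01T08:05:20", "grace@example.org", "198.51.100.4", "success"),
    # Failures hours apart from one IP never share a window.
    ("2025-05-01T09:00:00", "heidi@example.org", "192.0.2.9", "failure"),
    ("2025-05-01T11:00:00", "ivan@example.org", "192.0.2.9", "failure"),
    ("2025-05-01T13:00:00", "judy@example.org", "192.0.2.9", "failure"),
]


def parse_events(rows):
    """Turn the constructed tuples into (datetime, account, ip, outcome)."""
    return [(datetime.fromisoformat(ts), user, ip, outcome)
            for ts, user, ip, outcome in rows]


def detect_password_spray(rows, window=timedelta(minutes=10), min_accounts=5):
    """Return {ip: finding} for every source IP whose failed sign-ins inside
    some window of length `window` hit at least `min_accounts` distinct
    accounts. `followed_by_success` records whether the same IP later
    authenticated successfully, which is the case worth escalating.
    Thresholds are assumptions to tune per tenant, not published figures."""
    by_ip = defaultdict(list)
    for ts, user, ip, outcome in sorted(parse_events(rows)):
        by_ip[ip].append((ts, user, outcome))

    findings = {}
    for ip, events in by_ip.items():
        failures = [(ts, user) for ts, user, outcome in events if outcome == "failure"]
        # Sliding window: for each failure as a window start, count the distinct
        # accounts that fail within `window` of it; keep the largest count.
        best = 0
        for i, (start, _) in enumerate(failures):
            accounts = {user for ts, user in failures[i:] if ts - start <= window}
            best = max(best, len(accounts))
        if best >= min_accounts:
            first_failure = failures[0][0]
            success_after = any(outcome == "success" and ts > first_failure
                                for ts, _, outcome in events)
            findings[ip] = {"distinct_accounts": best,
                            "followed_by_success": success_after}
    return findings


if __name__ == "__main__":
    for ip, finding in detect_password_spray(SAMPLE_EVENTS).items():
        print(ip, finding)
```

Counting distinct accounts per source rather than failures per account is what separates a spray from an ordinary lockout alert: a spray deliberately stays under the per-account lockout threshold, so per-account rules never fire. In practice the same logic should also be keyed on ASN or client fingerprint, since sprays are routinely spread across rotating proxy addresses.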
Void Blizzard has evolved beyond simple credential phishing to deploy AitM phishing using the Evilginx framework (publicly available since 2017). Evilginx acts as a transparent proxy between the victim and legitimate login portals, enabling:
Recent campaigns included highly targeted spear-phishing lures themed as invitations to European defense summits sent with malicious QR codes that redirected to typo-squatted domains.
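An AitM proxy such as Evilginx only works if the victim reaches the attacker's look-alike domain, so the typo-squatted host behind a QR code is the detectable artifact. The following is an added example and not the article's or any vendor's code: a classifier that takes a decoded lure URL and decides whether its host is a trusted portal, a look-alike of one (homoglyph substitution, a one- or two-character edit, or a trusted name embedded in a foreign domain), or unrelated. The protected domains and sample URLs are constructed placeholders; the confusable-character table and the distance threshold are assumptions to tune.

```python
import unicodedata
from urllib.parse import urlparse

# Constructed list of portals the organisation treats as legitimate
# (hypothetical names, not domains from the report).
PROTECTED_DOMAINS = ["example-summit.org", "login.example.org"]

# Constructed URLs of the kind a scanned QR code might resolve to.
SAMPLE_URLS = [
    "https://example-summit.org/register",          # the real portal
    "https://exampIe-summit.org/register",          # capital I in place of l
    "https://examp1e-summit.org/invite",            # digit 1 in place of l
    "https://login-example.org/auth",               # dot swapped for hyphen
    "https://login.example.org.evil-invite.net/",   # trusted name as a subdomain
    "https://defense-news.example.net/",            # unrelated site
]

# Character pairs that look alike in common fonts; both sides of a comparison
# are folded through this table so "examp1e" and "exampIe" collapse to "example".
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("i", "l"),
               ("0", "o"), ("5", "s"), ("3", "e")]


def normalize(host):
    """Fold accents, lower-case, then collapse confusable characters."""
    decomposed = unicodedata.normalize("NFKD", host)
    folded = "".join(c for c in decomposed if not unicodedata.combining(c)).lower()
    for src, dst in CONFUSABLES:
        folded = folded.replace(src, dst)
    return folded


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url, protected=PROTECTED_DOMAINS, max_distance=2):
    """Return (verdict, matched_domain) where verdict is 'legitimate',
    'lookalike' or 'unrelated'."""
    host = (urlparse(url).hostname or "").lower()
    norm_host = normalize(host)
    for p in protected:
        # Exact match or a genuine subdomain of a protected name.
        if host == p or host.endswith("." + p):
            return ("legitimate", p)
        # Protected name embedded in someone else's domain.
        if p in host:
            return ("lookalike", p)
        # Homoglyph swap or a small edit of the protected name.
        norm_p = normalize(p)
        if norm_host == norm_p or levenshtein(norm_host, norm_p) <= max_distance:
            return ("lookalike", p)
    return ("unrelated", None)


def triage(urls):
    """Classify every URL; returns {url: (verdict, matched_domain)}."""
    return {url: classify_url(url) for url in urls}


if __name__ == "__main__":
    for url, result in triage(SAMPLE_URLS).items():
        print(f"{result[0]:<10} {result[1] or '-':<20} {url}")
```

The check runs after the QR payload has been decoded, which means it belongs in the mail gateway or the URL-rewriting proxy rather than in the user's camera app. Note that an AitM proxy serves the real login page through the look-alike host, so page content alone looks benign; the host name comparison above is the signal that survives.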
The Dutch Police breach (September 2024) offers a telling example of Void Blizzard’s precision:
Similarly, Laundry Bear’s campaigns against Ukrainian aviation and transport agencies mirror Russia’s historical focus on airpower intelligence, dating back to Cold War-era targeting of NATO’s air and missile defense networks.
Void Blizzard’s activities overlap significantly with targets of APT28 (Fancy Bear) and APT29 (Cozy Bear), suggesting a coordinated intelligence mandate:
The coincidence of targets—including defense ministries, arms suppliers, and military-industrial infrastructure—reflects Russia’s broader doctrine of integrated hybrid warfare: using cyber operations as force multipliers for traditional military and diplomatic objectives.
In contrast to the stealthy approach of Void Blizzard, Killnet has historically operated as a noisy, pro-Kremlin hacktivist collective focusing on defacement, DDoS, and propaganda.
Under new leadership, Killnet has:
Analysts like Rik Ferguson of Forescout argue that Killnet’s behavior mirrors broader trends in both state-linked and independent cyber groups:
“Rebranding, splintering, and reactivating older identities whenever needed—it’s a hallmark of the Russian underground, allowing them to maintain plausible deniability and adapt to new demands.”
The juxtaposition of Void Blizzard’s surgical data exfiltration and Killnet’s propaganda-laden operations illustrates Russia’s layered approach to cyber warfare:
The combined impact of these campaigns underscores the need for:
The revelations around Void Blizzard and Killnet underscore that Russian cyber operations are not monolithic but rather a complex web of state-backed intelligence units, cloud-centric espionage campaigns, and mercenary-like operators exploiting commercial crime tools.
For Western governments and corporations, these findings highlight an urgent truth: the front lines of modern geopolitical conflict increasingly run through cloud platforms, stolen cookies, and stolen credentials, and defending them requires not only technical hardening but also global collaboration, shared intelligence, and vigilance against the ever-evolving Russian cyber offensive.