Microsoft collaborated with the Netherlands General Intelligence and Security Service (AIVD) and the Netherlands Defence Intelligence and Security Service (MIVD), which issued a separate advisory on the group. The Dutch services investigated Void Blizzard after it successfully compromised the Dutch police in September 2024.
The group’s targets overlap with other known Russian state-run cyberespionage groups, including APT28 aka Fancy Bear, APT29 aka Cozy Bear, and Turla aka Venomous Bear, which Microsoft calls Forest Blizzard, Midnight Blizzard, and Secret Blizzard, respectively. Compared to these groups, however, Void Blizzard appears to be using less sophisticated techniques to gain initial access.
Password spraying and infostealer data dumps
Up until last month, Void Blizzard relied mostly on password spraying, a technique that involves brute-force password guessing attacks using lists of common or leaked passwords from other data breaches. The group has also been buying passwords, as well as session cookies, from underground cybercriminal markets, particularly so-called logs obtained from infostealer malware — a growing threat of late.
