Microsoft collaborated with the Netherlands Normal Intelligence and Safety Service (AIVD) and the Netherlands Defence Intelligence and Safety Service (MIVD), which issued a separate advisory on the group. The Dutch providers investigated Void Blizzard after it efficiently compromised the Dutch police in September 2024.
The group’s targets overlap with different identified Russian state-run cyberespionage teams, together with APT28 aka Fancy Bear, APT29 aka Cozy Bear, and Turla aka Venomous Bear, which Microsoft calls Forest Blizzard, Midnight Blizzard, and Secret Blizzard, respectively. In comparison with these teams, nevertheless, Void Blizzard seems to be utilizing much less refined methods to realize preliminary entry.
Password spraying and infostealer information dumps
Up till final month, Void Blizzard relied totally on password spraying, a way that entails brute-force password guessing assaults utilizing lists of frequent or leaked passwords from different information breaches. The group has additionally been shopping for passwords, in addition to session cookies, from underground cybercriminal markets, notably so-called logs obtained from infostealer malware — a rising risk of late.
