A previously unidentified Russian government-backed hacking group, tracked as Void Blizzard (Microsoft) and Laundry Bear (Dutch intelligence), breached a Ukrainian aviation organization in October. The attack was part of a broader cyberespionage campaign against NATO member states, Ukraine, and critical infrastructure sectors (defense, transportation, healthcare, and government). The attackers used stolen credentials and legitimate cloud APIs to exfiltrate sensitive data, including emails and potentially classified information on military logistics, supply chains, and weapons procurement for Ukraine. The group relied on living-off-the-land techniques, blending into normal system activity to avoid detection while accessing mailboxes, Teams messages, and shared folders. Because aviation is vital to military and humanitarian operations, the breach risks compromising operational security, flight logistics, or intelligence shared with Western allies. While the exact data stolen remains undisclosed, the attack aligns with Russia's strategic goal of disrupting Ukraine's defense capabilities and supply networks. The use of spear-phishing and credential theft points to a prolonged, targeted intrusion with long-term reconnaissance implications for Ukraine's aviation and broader defense infrastructure.
TPRM report: https://www.rankiteo.com/company/ukrainain-state-air-traffic-services-enterprise
{
  "id": "ukr5320853112725",
  "linkid": "ukrainain-state-air-traffic-services-enterprise",
  "type": "Cyber Attack",
  "date": "5/2025",
  "severity": "100",
  "impact": "6",
  "explanation": "Attack threatening the economy of geographical region"
}
{
  "affected_entities": [
    {
      "industry": "law enforcement",
      "location": "Netherlands",
      "name": "Dutch National Police",
      "type": "government agency"
    },
    {
      "industry": "aviation",
      "location": "Ukraine",
      "name": "Unnamed Ukrainian Aviation Organization",
      "type": "government/private entity"
    },
    {
      "industry": ["defense", "aerospace", "military equipment manufacturing"],
      "location": ["Europe", "North America"],
      "name": "Unnamed Defense Contractors & Aerospace Companies",
      "type": "private sector"
    },
    {
      "industry": ["government", "healthcare", "education", "media", "nonprofit", "transportation"],
      "location": ["Europe", "North America"],
      "name": "Organizations in Government, Healthcare, Education, Media, Nonprofit, Transportation Sectors",
      "type": ["government", "private sector", "nonprofit"]
    }
  ],
  "attack_vector": [
    "stolen credentials",
    "spear-phishing (unique crafted messages)",
    "abuse of legitimate cloud APIs",
    "living-off-the-land techniques",
    "automated bulk-email collection"
  ],
  "data_breach": {
    "data_exfiltration": true,
    "file_types_exposed": ["emails", "contact lists", "chat logs", "meeting records", "procurement documents"],
    "personally_identifiable_information": ["employee names/contact details (Dutch national police)"],
    "sensitivity_of_data": [
      "high (government/military intelligence)",
      "moderate (employee contact details)"
    ],
    "type_of_data_compromised": [
      "employee contact information",
      "email correspondence (including shared mailboxes)",
      "Teams chat messages and meetings (limited cases)",
      "military procurement/production intelligence",
      "supply chain data for weapons manufacturing"
    ]
  },
  "date_publicly_disclosed": "2023-10-24",
  "description": "A previously unknown Russian government-backed hacker group, identified as Void Blizzard (Microsoft) or Laundry Bear (Dutch intelligence), has been conducting highly targeted cyberespionage operations against critical infrastructure organizations in Europe and North America. The group focuses on collecting intelligence for Moscow, particularly targeting NATO member states and Ukraine. Tactics include stolen credentials, automated bulk-email collection from cloud services, and living-off-the-land techniques. Key sectors affected include government, defense, transportation, media, NGOs, healthcare, aerospace, and education. The group has breached Dutch government agencies (including the national police), defense contractors, and a Ukrainian aviation organization, exfiltrating sensitive data such as employee contact information, military procurement details, and supply chain dependencies for weapons production.",
  "impact": {
    "brand_reputation_impact": [
      "erosion of trust in affected government agencies (e.g., Dutch national police)",
      "reputational damage to breached defense contractors/aerospace firms"
    ],
    "data_compromised": [
      "employee contact information (Dutch national police)",
      "military procurement and production details",
      "supply chain dependencies for weapons manufacturing",
      "Teams chat messages and meetings (limited cases)",
      "email data from compromised mailboxes (including shared folders)"
    ],
    "identity_theft_risk": ["potential misuse of stolen employee contact information"],
    "operational_impact": [
      "potential disruption to Ukrainian military supply chains",
      "compromised intelligence on NATO and Western government activities",
      "risk of further exploitation of stolen credentials/data"
    ],
    "systems_affected": [
      "cloud email services (e.g., Microsoft 365)",
      "Teams collaboration platform",
      "government agency networks (Dutch national police)",
      "defense contractor and aerospace company systems"
    ]
  },
  "initial_access_broker": {
    "entry_point": ["stolen credentials", "spear-phishing emails"],
    "high_value_targets": [
      "NATO member states' government/defense agencies",
      "Ukrainian military supply chain entities",
      "companies producing sanctioned technologies"
    ]
  },
  "investigation_status": "ongoing (active threat as of disclosure)",
  "lessons_learned": [
    "Russian cyberespionage actors rely on simple but effective tactics (e.g., stolen credentials, living-off-the-land).",
    "Criminal ecosystem accesses are leveraged by state-backed groups for intelligence gathering.",
    "Cloud services (e.g., email, Teams) are prime targets for data exfiltration via legitimate APIs.",
    "Supply chain intelligence is a critical focus for disrupting military logistics (e.g., weapons to Ukraine).",
    "Basic cybersecurity hygiene (MFA, least privilege, logging) can mitigate such threats."
  ],
  "motivation": [
    "intelligence gathering for the Russian government",
    "disrupting Ukrainian military supply logistics",
    "obtaining sensitive information on NATO member states",
    "circumventing international sanctions by targeting restricted technologies",
    "supporting Russia's war efforts in Ukraine"
  ],
  "post_incident_analysis": {
    "corrective_actions": [
      "Mandate MFA across all systems, especially cloud services.",
      "Audit and restrict mailbox/folder sharing permissions.",
      "Deploy behavioral analytics to detect API abuse.",
      "Enhance threat intelligence sharing with allies (e.g., NATO).",
      "Conduct regular red team exercises to test defenses against credential theft."
    ],
    "root_causes": [
      "Inadequate authentication mechanisms (lack of MFA).",
      "Over-permissive email/mailbox access controls.",
      "Failure to detect living-off-the-land techniques (legitimate tool abuse).",
      "Gaps in monitoring cloud API usage for anomalous activity."
    ]
  },
  "ransomware": {"data_exfiltration": true},
  "recommendations": [
    "Enforce multifactor authentication (MFA) for all accounts.",
    "Implement risk-based sign-in policies and consolidated identity management.",
    "Apply least-privilege access principles, especially for email/mailbox permissions.",
    "Enable regular logging of email and cloud service activities.",
    "Monitor for unusual API calls or bulk data exfiltration attempts.",
    "Segment networks to limit lateral movement by attackers.",
    "Educate employees on spear-phishing and credential theft risks.",
    "Collaborate with threat intelligence providers (e.g., Microsoft, government agencies) for early warnings."
  ],
  "references": [
    {
      "date_accessed": "2023-10-24",
      "source": "Microsoft Threat Intelligence Blog",
      "url": "https://www.microsoft.com/en-us/security/blog/"
    },
    {
      "date_accessed": "2023-10-24",
      "source": "Dutch Intelligence Services (AIVD/MIVD) Statement"
    },
    {
      "date_accessed": "2023-10-24",
      "source": "Cybersecurity Dive (John Hultquist interview)",
      "url": "https://www.cybersecuritydive.com/"
    }
  ],
  "regulatory_compliance": {
    "regulatory_notifications": ["Dutch government disclosures (AIVD/MIVD)"]
  },
  "response": {
    "communication_strategy": ["public disclosures by Microsoft and Dutch government"],
    "enhanced_monitoring": ["recommended by Microsoft for detecting similar threats"],
    "law_enforcement_notified": ["Dutch government agencies"],
    "remediation_measures": [
      "implementation of multifactor authentication (MFA)",
      "risk-based sign-in policies",
      "consolidated identity management systems",
      "least-privilege account access principles",
      "regular email activity logging"
    ],
    "third_party_assistance": [
      "Microsoft (threat intelligence)",
      "Dutch intelligence services (AIVD/MIVD)"
    ]
  },
  "stakeholder_advisories": [
    "Microsoft security advisory for targeted sectors.",
    "Dutch government warnings to defense contractors and critical infrastructure."
  ],
  "threat_actor": [
    "Void Blizzard (Microsoft)",
    "Laundry Bear (Dutch intelligence: AIVD/MIVD)"
  ],
  "title": "Russian Government-Backed Hackers (Void Blizzard/Laundry Bear) Target Critical Infrastructure for Cyberespionage",
  "type": ["cyberespionage", "data exfiltration", "supply chain intelligence gathering"],
  "vulnerability_exploited": [
    "lack of multifactor authentication (MFA)",
    "excessive email/mailbox permissions (shared read access)",
    "weak identity management systems",
    "inadequate least-privilege access controls"
  ]
}