Russia-based Void Blizzard attacked NATO and Ukraine, using credentials they took in earlier cyberattacks to steal data from the cloud.

Microsoft revealed that Void Blizzard, a Russian group, is leading worldwide cloud-based espionage and is considered a major cybersecurity threat. Since starting operations in April 2024, the group has gone after NATO members, Ukraine and important sectors for Russia, including those linked to defense, healthcare and transportation.

Its attackers use illegal usernames and passwords purchased on cybercrime sites to access companies and get sensitive information. Microsoft’s team explained that the group uses password spraying and phishing, forging Microsoft Entra sites by means of typosquatted domains.

Void Blizzard sends invitations containing malicious QR codes to try and gain login info by using AitM attacks. Importantly, members of the group have gained access to Exchange, SharePoint and Teams accounts and use automation to collect extensive data.

The Netherlands Defense Intelligence and Security Service found that in September 2024, a “pass-the-cookie” attack facilitated a cyberattack against the Dutch police by Void Blizzard. Russia’s continued efforts highlight rising cybersecurity dangers globally, especially because other Russian-supported actors are acting in tandem.

Microsoft believes these attacks form part of government-sponsored cyberattacks that mainly target gathering intelligence about Western actions to support Ukraine.