A new Russian APT is tearing through defence and government entities in NATO member states using stripped-back and heavily automated techniques that nonetheless went widely undetected until they were spotted by the Dutch police, the Netherlands’ security services revealed.

The Dutch General Intelligence and Security Service (AIVD) and Defence Intelligence and Security Service (MIVD) call the group “LAUNDRY BEAR” and warned starkly on May 27 that it has “successfully gained access to sensitive information from a large number of government organisations.”

It has a “specific interest in armed forces, governments, defense suppliers… and IT and digital service providers,” the agencies said.

The group has been seen:

  • Abusing web application or service session cookies
  • Conducting password spraying attacks
  • Phishing users with malicious QR codes
  • Pulling the contents from emails with Microsoft Graph API

Malware or 0days? Who needs ‘em?

Notably, it is not using any sophisticated or exotic malware, or even zero days, to hit its targets. Instead, it appears to be successfully using credentials stolen in earlier infostealer activity (potentially from BYOD users), conducting phishing campaigns and password spraying attacks, and then relying on living-off-the-land (LOTL) techniques.
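The techniques listed above are all visible in sign-in telemetry rather than on endpoints. As an added example (not code from the AIVD/MIVD or Microsoft reports), here is a password-spray detector run over constructed sign-in records: a spray tries one or two passwords against many accounts so that no single account trips a lockout, which is why counting distinct accounts per source catches it when a per-account failure threshold does not. The record layout and field names are this example's own assumption, not a real Entra ID sign-in log schema.

```python
"""Added example (not from the AIVD/MIVD or Microsoft reports): a password-spray
detector over sign-in records. A spray is one source trying one or two passwords
against many accounts, staying under each account's lockout threshold, so a
per-account failure count never fires; counting distinct accounts per source does.

Record shape is an assumption, not a real Entra ID sign-in log schema:
  (timestamp ISO-8601, source IP, user principal name, "success" | "failure")
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-ins.
SAMPLE_SIGNINS = []
# Spray: one IP, six different accounts, one failed attempt each, within six minutes.
SAMPLE_SIGNINS += [(f"2025-05-20T08:0{i}:00", "203.0.113.7", f"user{i}@example.org", "failure")
                   for i in range(6)]
# Brute force against a single account: many failures, but only one account,
# so it is not a spray (a per-account lockout rule would catch this one).
SAMPLE_SIGNINS += [("2025-05-20T08:%02d:00" % i, "198.51.100.9", "bob@example.org", "failure")
                   for i in range(10)]
# Ordinary user who mistyped once and then signed in.
SAMPLE_SIGNINS += [("2025-05-20T09:00:00", "192.0.2.3", "carol@example.org", "failure"),
                   ("2025-05-20T09:00:30", "192.0.2.3", "carol@example.org", "success")]


def detect_password_spray(records, window=timedelta(hours=1),
                          min_accounts=5, max_per_account=2):
    """Return {source_ip: sorted list of targeted accounts} for every source that,
    within any `window`, failed sign-ins for at least `min_accounts` distinct
    accounts while making at most `max_per_account` attempts per account."""
    failures = defaultdict(list)
    for ts, ip, user, result in records:
        if result == "failure":
            failures[ip].append((datetime.fromisoformat(ts), user))

    findings = {}
    for ip, events in failures.items():
        events.sort()
        best = []
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            per_account = Counter(user for _, user in events[start:end + 1])
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_per_account
                    and len(per_account) > len(best)):
                best = sorted(per_account)
        if best:
            findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, accounts in detect_password_spray(SAMPLE_SIGNINS).items():
        print(f"possible password spray from {ip}: {len(accounts)} accounts targeted")
```

The thresholds are deliberately low so the constructed data trips them; in production they are tuned against the tenant's normal failure rate, and the source key is often an ASN or a device fingerprint rather than a bare IP, since sprays are routinely rotated through proxy pools.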

Microsoft, which is now tracking the group as “Void Blizzard”, said that in April it also spotted the threat actor conducting spearphishing using a typosquatted domain to spoof the Microsoft Entra authentication portal.

(The lure was a PDF purporting to be an invitation to an event, complete with a malicious QR code that sent users to a fake Entra page. Who needs exploits when you have… such low institutional awareness of cyber-risk?)

Microsoft Graph abuse, again… 

Once it has a foothold in a target organisation the group “abuses legitimate cloud APIs, such as Exchange Online and Microsoft Graph, to enumerate users’ mailboxes, including any shared mailboxes, and cloud-hosted files,” Microsoft admitted in its own May 27 report.

This is the second time within 10 weeks that Microsoft has said an APT is abusing Microsoft Graph to “enumerate” or plunder mailboxes, after a Chinese threat group tracked as Silk Typhoon used the same technique. (Graph is a toolkit with permissive defaults that is actively designed to pull data en masse from Microsoft 365 applications, like enterprise emails.)

In March 2025 Microsoft said that Silk Typhoon had been seen:

“... abusing service principals and OAuth applications with administrative permissions to perform email, OneDrive, and SharePoint data exfiltration via MSGraph... Silk Typhoon has been observed gaining access to an application that was already consented within the tenant to harvest email data and adding their own passwords to the application. Using this access, the actors can steal email information via the MSGraph API” 

Microsoft urged organisations this week to “conduct an audit search in the Microsoft Graph API for anomalous activity.” (Whilst Microsoft appears to have tightened up some MS Graph permission defaults, as of early 2024 the defaults were liberal, sometimes confusing and offered real opportunities for attackers, as BloodHound founder Andy Robbins noted at the time: the “AppRoleAssignment.ReadWrite.All MS Graph application role *BYPASSES* [the] consent process” on the Microsoft 365 user’s side.)
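What an “audit search for anomalous activity” can look like in practice, as an added example that is not code from Microsoft or the Dutch services: the two signals the passages above describe are an application reading an unusual number of distinct mailboxes through Graph in a short time, and (per the Silk Typhoon description) a credential recently added to an already-consented application. The record shapes below are simplified assumptions rather than a real Unified Audit Log or Entra audit schema, and the app identifiers and mailboxes are constructed.

```python
"""Added example, not code from Microsoft or the AIVD/MIVD: spot an application
that enumerates many mailboxes through Graph in a short time, and check whether
someone recently added a credential to that application.

Record shapes are simplified assumptions, not a real audit-log schema:
  MAIL_ACCESS: (timestamp, app_id, mailbox accessed)
  CRED_EVENTS: (timestamp, app_id) for "credential added to application" entries
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data.
# A suspicious app reads 12 different mailboxes, one after another, within 12 minutes.
MAIL_ACCESS = [("2025-05-20T10:%02d:00" % i, "app-suspicious-0001", f"user{i}@example.org")
               for i in range(12)]
# A legitimate sync tool polls the same shared mailbox every minute for half an hour:
# many events, but only one distinct mailbox, so it must not be flagged.
MAIL_ACCESS += [("2025-05-20T10:%02d:30" % i, "app-mailsync-0002", "shared-helpdesk@example.org")
                for i in range(30)]
# Twenty minutes before the enumeration, a client secret was added to the suspicious app.
CRED_EVENTS = [("2025-05-20T09:40:00", "app-suspicious-0001")]


def find_mailbox_enumeration(access_events, cred_events, min_mailboxes=10,
                             cred_lookback=timedelta(days=7)):
    """Return one finding per (app, hour) bucket in which an app touched at least
    `min_mailboxes` distinct mailboxes. Each finding records whether a credential
    was added to that app within `cred_lookback` before the bucket, the pattern
    described for Silk Typhoon (take over a consented app, add a password to it)."""
    per_hour = defaultdict(set)
    for ts, app, mailbox in access_events:
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        per_hour[(app, hour)].add(mailbox)

    cred_added = defaultdict(list)
    for ts, app in cred_events:
        cred_added[app].append(datetime.fromisoformat(ts))

    findings = []
    for (app, hour), mailboxes in sorted(per_hour.items(), key=lambda kv: kv[0]):
        if len(mailboxes) < min_mailboxes:
            continue
        recent_cred = any(hour - cred_lookback <= t <= hour + timedelta(hours=1)
                          for t in cred_added.get(app, []))
        findings.append({"app": app, "hour": hour.isoformat(),
                         "mailboxes": len(mailboxes), "new_credential": recent_cred})
    return findings


if __name__ == "__main__":
    for finding in find_mailbox_enumeration(MAIL_ACCESS, CRED_EVENTS):
        print(finding)
```

Bucketing by hour keeps the query cheap enough to run over a whole tenant's mailbox-access events; the credential join is what turns “a busy app” into “an app somebody may have hijacked”, which is the triage question the Silk Typhoon write-up raises.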

“Because LAUNDRY BEAR conducts its cyber operations at a rapid pace, the Dutch services consider it highly probable that the threat actor conducts these operations with some level of automation… automation appears to be efficiently organised, with the chosen attack methods resulting in a high number of successful compromises,” the AIVD and MIVD wrote.

Security veteran Florian Roth commented that on reading Microsoft’s report, “everything is about credential theft, phishing, and tokens.”

“Initial access comes from buying or stealing creds – often through low-effort phishing. All the real action happens in the cloud, not on endpoints… it’s just: ‘steal creds, log in to cloud, exfiltrate data, repeat.’ Detection? Only possible if you have access to expensive cloud logs. No logs, no chance.”

He added: “The perimeter has shifted from endpoints to identity. The detection surface shrank from your whole network down to some logs you might get from your cloud provider if you pay extra. Honestly, not sure if that’s ‘progress’ or just shifting the visibility problem somewhere else.”

Both Microsoft and the Dutch have mitigations in their reports.

Some key cookie abuse mitigations

Device management: Do not allow users to bring their own device (BYOD), such as a personal laptop or smartphone, or restrict their use to a bare minimum. Enforce centralised device management for all devices that have access to the organisation's IT systems. This reduces the chance of malware-infected devices being allowed onto the network. It also allows the organisation to better monitor device behaviour. The risk from session cookie theft is greater in an organisation that does not enforce centralised device management.

System management: Only use managed systems to access sensitive environments such as SharePoint and Exchange Online. Permit access to critical accounts only from trusted IP addresses.

Cookie expiration: Set cookies to expire as quickly as practically possible to reduce the window of opportunity within which a threat actor can gain access. This immediately serves to reduce the usability of a stolen cookie with an access token. Choosing the right expiration time for session cookies is a trade-off between user convenience and security.

Browser cookies: Enforce routine deletion of browser cookies and monitor at set intervals as a matter of security policy.

Session rebinding: Disable session rebinding so that a session cookie may only be used by a single IP address. This makes it extremely difficult to use stolen session cookies.

Conditional access: Consider implementing conditional access to restrict user logins to specific IP address locations, IP address ranges or specific devices.

Multifactor authentication: Implement phishing-resistant MFA based on FIDO2 hardware tokens.

ID protection: Consider using Microsoft Entra ID Protection or comparable solutions from Amazon Web Services (AWS) or Google. These can help detect pass-the-cookie type attacks.
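The “cookie expiration” and “session rebinding” items above are things an organisation running its own web applications can implement directly. As an added example that is not code from the Dutch services or Microsoft, the session store below binds each issued cookie to the client IP it was issued to and gives it an absolute lifetime, then walks through a pass-the-cookie replay with constructed addresses and times. The class and function names are this example's own.

```python
"""Added example, not code from the Dutch services or Microsoft: a server-side
session store that applies two of the cookie mitigations above. Each session is
bound to the client IP it was issued to and carries an absolute expiry, so a
cookie lifted from a victim's browser is rejected when replayed from elsewhere,
and it stops working after `lifetime` even if replayed from the same address.
Names (SessionStore, issue, validate, walkthrough) are this example's own."""
import secrets
from datetime import datetime, timedelta


class SessionStore:
    def __init__(self, lifetime=timedelta(minutes=30)):
        self.lifetime = lifetime          # absolute lifetime of a session cookie
        self._sessions = {}               # token -> {"user", "ip", "expires"}

    def issue(self, user, client_ip, now):
        """Create a session for `user` bound to `client_ip`; returns the cookie value."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self._sessions[token] = {"user": user, "ip": client_ip,
                                 "expires": now + self.lifetime}
        return token

    def validate(self, token, client_ip, now):
        """Return (user, "ok") if the cookie is valid for this request, else (None, reason).
        A cookie presented from a different IP is treated as stolen and revoked outright,
        so the legitimate user is forced to sign in again rather than sharing the session."""
        session = self._sessions.get(token)
        if session is None:
            return None, "unknown session"
        if now >= session["expires"]:
            del self._sessions[token]
            return None, "expired"
        if client_ip != session["ip"]:
            del self._sessions[token]
            return None, "ip mismatch"
        return session["user"], "ok"


def walkthrough():
    """Replay the pass-the-cookie scenario with constructed addresses and times."""
    store = SessionStore(lifetime=timedelta(minutes=30))
    t0 = datetime(2025, 5, 20, 8, 0, 0)
    cookie = store.issue("alice@example.org", "192.0.2.10", t0)
    results = [
        store.validate(cookie, "192.0.2.10", t0 + timedelta(minutes=5)),   # victim, fine
        store.validate(cookie, "203.0.113.7", t0 + timedelta(minutes=6)),  # replay elsewhere
        store.validate(cookie, "192.0.2.10", t0 + timedelta(minutes=7)),   # victim, now revoked
    ]
    fresh = store.issue("alice@example.org", "192.0.2.10", t0 + timedelta(minutes=8))
    results.append(store.validate(fresh, "192.0.2.10", t0 + timedelta(minutes=39)))  # past expiry
    return results


if __name__ == "__main__":
    for outcome in walkthrough():
        print(outcome)
```

Binding to an exact IP is the strictest form of the advisory's “single IP address” rule and is the one that most often breaks legitimate users on mobile networks or behind carrier-grade NAT; that is the convenience-versus-security trade-off the cookie-expiration item mentions. Where it bites, the same check can key on a managed-device certificate or a coarser network identity instead, and the revoke-on-mismatch behaviour is what makes the replay show up in the application's own logs without waiting for the cloud provider's.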
