Dutch intelligence report says Russian hacker group stole data on 63,000 police officers, targeted NATO government systems

A previously unknown Russian hacker group that has been given the moniker “Laundry Bear” has spent roughly a year targeting government and commercial entities in the Netherlands and other NATO and EU countries, according to a joint report from the Dutch General Intelligence and Security Service (AIVD) and the Military Intelligence and Security Service (MIVD).

The group, believed to be operating on behalf of the Kremlin, was first detected in September 2024 after stealing sensitive data on approximately 63,000 Dutch police officers. According to Politico, nearly the entire Dutch police force was affected by the breach.

The investigation into the incident revealed that Laundry Bear has been conducting cyber-espionage against a wide range of government bodies and companies in the EU since at least 2024. Their targets include NATO structures, EU government ministries, defense departments, political parties, media outlets, and high-tech firms.

A technical investigation into the victims indicated that Laundry Bear likely sought sensitive information on the procurement and production of military equipment by Western governments, as well as details on weapons deliveries to Ukraine. Dutch intelligence services observed that the group appears to possess a certain level of insight into the defense production and supply chains involved. Laundry Bear has also targeted companies developing advanced technologies that are difficult for Russia to acquire due to Western sanctions.

“Given the current information, it is not possible to say with certainty what the exact goals of these espionage attacks might be,” read the report.

Microsoft is conducting its own investigation into the group, which exploited the company’s Exchange servers. Microsoft has named the threat actor “Void Blizzard.”

The report notes that Void Blizzard has been active since at least April 2024, and its targets overlap with those of other Kremlin-linked groups, including Seashell Blizzard, Forest Blizzard, Midnight Blizzard, and Secret Blizzard.

One example cited in the report is a PDF attachment sent by Laundry Bear, disguised as an invitation to a European Defense and Security Summit, that contained a QR code leading to a phishing website.

Laundry Bear employed a variety of hacking techniques, including cookie theft and replacement, password brute-forcing, and phishing (using fake emails or messages to steal login credentials). While these methods are relatively simple, identifying the group behind the attacks is challenging. However, AIVD notes that APT28 (also known as Fancy Bear) — a group linked to Russia’s GRU military intelligence agency — uses similar methods and typically targets the same types of institutions.