Void Blizzard Espionage Campaign Uncovered
Federal prosecutors have charged a Russian national, Denis Nikolayevich Obrezko, with conspiracy to commit unauthorized computer access in connection with the Void Blizzard cyber-espionage campaign. According to an FBI affidavit, Obrezko is accused of breaking into systems owned by companies in the United States and elsewhere.
Void Blizzard, also tracked as Laundry Bear, is a state-sponsored Russian threat group that has been conducting large-scale espionage operations against government agencies, defense suppliers, and critical infrastructure providers across NATO member states, Ukraine, and beyond. The group's methods, while not technically advanced, have proven broadly effective, with Microsoft researchers noting that their success illustrates the sustained risk posed by even basic intrusion techniques when applied at scale.
Method of Operation
The FBI affidavit describes a methodical but largely unsophisticated operation. Investigators say Void Blizzard primarily relied on stolen session tokens to authenticate to victim accounts without triggering re-authentication requirements, then used a U.S.-based commercial proxy service to mask the connection’s location. The group typically routed traffic through a VPN before selecting proxy IP addresses in the same region as a target, allowing it to bypass geographic firewall restrictions.
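One way a defender might detect the pattern described above, as an added example that is not taken from the affidavit or from any vendor tooling: it flags non-interactive use of a session from a different network than the one where the session was established, and records whether a country-only rule would also have fired. The field names, session identifiers and sample events are constructed for illustration and are not a real sign-in log schema.

```python
# Added example: field names and sample events are constructed, not a real log schema.
from dataclasses import dataclass

@dataclass(frozen=True)
class SignIn:
    time: str          # ISO 8601 timestamp (UTC)
    user: str
    session_id: str    # hypothetical identifier tying token use to one sign-in session
    ip: str
    asn: int           # autonomous system of the source IP
    country: str
    interactive: bool  # True when the user actually presented credentials/MFA

# Constructed sample data (documentation IP ranges, private-use ASNs).
EVENTS = [
    SignIn("2024-06-03T08:01:00Z", "alice", "s-100", "192.0.2.10", 64500, "US", True),
    SignIn("2024-06-03T09:15:00Z", "alice", "s-100", "192.0.2.10", 64500, "US", False),
    SignIn("2024-06-03T09:40:00Z", "alice", "s-100", "198.51.100.7", 64511, "US", False),
    SignIn("2024-06-03T10:00:00Z", "bob", "s-200", "203.0.113.5", 64501, "US", True),
    SignIn("2024-06-03T11:00:00Z", "bob", "s-200", "203.0.113.99", 64501, "US", False),
    SignIn("2024-06-03T12:00:00Z", "carol", "s-300", "192.0.2.77", 64502, "US", True),
    SignIn("2024-06-03T12:30:00Z", "carol", "s-300", "198.51.100.200", 64511, "NL", False),
]

def find_session_network_changes(events):
    """Flag token use from an ASN other than the one where the session was established."""
    origin = {}    # session_id -> SignIn that established the session
    findings = []  # (event, reason, would a country-only rule have fired?)
    for ev in sorted(events, key=lambda e: e.time):
        if ev.interactive:
            origin[ev.session_id] = ev   # fresh authentication re-anchors the session
            continue
        first = origin.get(ev.session_id)
        if first is None:
            findings.append((ev, "no interactive sign-in on record", False))
        elif ev.asn != first.asn:
            # A country-only rule fires only when the country changed.
            geo_rule_fires = ev.country != first.country
            findings.append((ev, f"ASN {first.asn} -> {ev.asn}", geo_rule_fires))
    return findings

if __name__ == "__main__":
    for ev, reason, geo in find_session_network_changes(EVENTS):
        print(ev.time, ev.user, ev.ip, reason,
              "geo rule fires" if geo else "geo rule silent")
```

Legitimate network changes, such as a laptop moving from office Wi-Fi to a mobile hotspot, will also match, so findings like these are better treated as a trigger for re-authentication than as proof of compromise.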
Targets and Intrusions
Between June and July 2024, the FBI received tips from a foreign partner and a U.S.-based private-sector firm identifying several American companies being targeted by the emerging group. Investigators subsequently verified intrusions at 11 U.S. companies, a figure the affidavit describes as likely a fraction of the total victim count nationwide.
Void Blizzard’s methods have allowed the group to harvest bulk email and files from compromised cloud environments, access Microsoft Teams conversations, and catalog Microsoft Entra ID configurations to map organizational structures. In April 2025, Microsoft identified a separate spear-phishing campaign attributed to Void Blizzard that targeted more than 20 non-governmental organizations in Europe and the United States, using typosquatted domains to spoof Microsoft authentication pages.
Arrest and Charges
Obrezko appeared in court and agreed to be taken into custody while awaiting trial. The charges come roughly a year after Microsoft publicly identified Void Blizzard as a state-sponsored Russian threat group. Dutch intelligence and security services separately confirmed in May 2025 that the group had infiltrated the Netherlands’ national police force in September 2024, stealing work-related contact information on police staff.
- Void Blizzard has been observed targeting companies and organizations in the US and elsewhere.
- The group's methods include using stolen session tokens and proxy services to authenticate to victim accounts.
- Void Blizzard has been linked to the Russian government and has been conducting large-scale espionage operations.
The arrest and charges against Obrezko mark a significant development in the ongoing efforts to combat cyber-espionage campaigns. As the threat landscape continues to evolve, it is essential for organizations to remain vigilant and take proactive measures to protect themselves against these types of threats.
Microsoft researchers noted in 2025 that the group’s success illustrates the sustained risk posed by even basic intrusion techniques when applied at scale.
The Void Blizzard espionage campaign serves as a reminder of the importance of cybersecurity and the need for organizations to prioritize the protection of their systems and data.
Source: CyberScoop