A notorious Russian hacking crew has evolved its tactics to make an already dangerous espionage campaign even more effective.

Dubbed "Void Blizzard," the group has an extensive history of running espionage and infiltration attacks against foreign governments and non-governmental organizations (NGOs) at the direction of Russian intelligence. Some of the group's favorite targets include military, defense, critical infrastructure and transportation networks, as well as healthcare and media organizations.

"While Void Blizzard has a global reach, their cyberespionage activity disproportionately targets NATO member states and Ukraine, indicating that the actor is likely collecting intelligence to help support Russian strategic objectives," the Microsoft Threat Intelligence group said in a report on the campaign. "In particular, the threat actor's prolific activity against networks in critical sectors poses a heightened risk to NATO member states and allies to Ukraine in general."

Microsoft explained that Void Blizzard has relied on a relatively low-tech means of obtaining the credentials for the initial phase of its attacks. The group purchases stolen credentials from other threat actors and then floods targets with them in hopes of compromising an entity.

The group is now stepping up its efforts by taking things in-house. Microsoft said the Void Blizzard team has progressed to running its own phishing operations, specifically targeting accounts within and around the organization.

"In April 2025, Microsoft Threat Intelligence Center observed Void Blizzard evolving their initial access techniques to include targeted spear phishing for credential theft," the Microsoft researchers explained. "While Void Blizzard's tactics, techniques, and procedures (TTPs) are not unique among advanced persistent threat actors or even Russian nation state-sponsored groups, the widespread success of their operations underscores the enduring threat from even unsophisticated TTPs when leveraged by determined actors seeking to collect sensitive information."

Experts said that even if attacks such as purchasing stolen credentials and phishing seem low-tech, they remain effective for attackers.

Yoni Shohet, CEO of SaaS security specialist Valence Security, said the attackers in many cases will go upstream to target an organization, finding a weak point in a contractor or partner organization and then working their way up.

"It is very similar to supply chains; they are trying to get to an end goal, but you don't have to be the target to be the victim," Shohet told SC Media. "They are just shooting in the dark to see what will catch, and they eventually try to reach their end goal."

Shohet noted that identity management will play a key role in helping organizations protect themselves from such attacks. He cautioned, however, that simply doing the minimum may not be enough to protect against attacks, as threat actors will prey on other weak points such as token theft.

"Organizations feel if they up multi-factor authentication, then they are golden, which is not wrong, but it is not a binary configuration. There are a lot of controls that you need to have around it.

"It is not the silver bullet that a lot of people have been looking for."
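The credential-flooding behaviour described above leaves a recognisable trace in sign-in telemetry: one source address trying many distinct accounts in a short window, sometimes followed by a success. The detector below is an added illustration for defenders, not code from Microsoft, SC Media or the report; the sign-in events are constructed, and the window and account thresholds are assumptions to be tuned against real baselines (for example, a corporate NAT gateway can legitimately show many users behind one address).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events for the demo (not real telemetry).
# Fields: timestamp (UTC, ISO 8601), account, source IP, outcome.
SAMPLE_EVENTS = [
    ("2025-04-10T09:00:01", "alice@example.org", "203.0.113.7", "failure"),
    ("2025-04-10T09:00:05", "bob@example.org", "203.0.113.7", "failure"),
    ("2025-04-10T09:00:09", "carol@example.org", "203.0.113.7", "failure"),
    ("2025-04-10T09:00:14", "dave@example.org", "203.0.113.7", "failure"),
    ("2025-04-10T09:00:20", "erin@example.org", "203.0.113.7", "failure"),
    ("2025-04-10T09:00:27", "frank@example.org", "203.0.113.7", "success"),
    ("2025-04-10T09:05:00", "grace@example.org", "198.51.100.4", "failure"),
    ("2025-04-10T09:05:30", "grace@example.org", "198.51.100.4", "failure"),
    ("2025-04-10T09:06:00", "grace@example.org", "198.51.100.4", "success"),
]


def detect_credential_spray(events, window_minutes=10, min_accounts=5):
    """Flag source IPs with failed sign-ins against `min_accounts` or more
    distinct accounts inside any `window_minutes` sliding window.

    Returns {ip: {"accounts": [...], "successes": [...]}} where "successes"
    lists accounts that signed in successfully from that IP within a window
    that also met the threshold (the case worth triaging first).
    Thresholds are demo assumptions, not values from the report.
    """
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for ts, account, ip, outcome in sorted(events):  # ISO timestamps sort lexically
        by_ip[ip].append((datetime.fromisoformat(ts), account, outcome))

    alerts = {}
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):
            # Advance `start` so rows[start:end+1] spans at most one window.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            failed = {a for _, a, o in span if o == "failure"}
            if len(failed) >= min_accounts:
                succeeded = {a for _, a, o in span if o == "success"}
                hit = alerts.setdefault(ip, {"accounts": set(), "successes": set()})
                hit["accounts"] |= failed
                hit["successes"] |= succeeded
    return {ip: {k: sorted(v) for k, v in hit.items()} for ip, hit in alerts.items()}


if __name__ == "__main__":
    for ip, hit in detect_credential_spray(SAMPLE_EVENTS).items():
        print(ip, hit)
```

The single-user address 198.51.100.4 never reaches the threshold, while 203.0.113.7 is reported together with the account that succeeded after the burst of failures.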
