Russia-linked APT Laundry Bear linked to 2024 Dutch Police attack

Article thumbnail image

This post was originally published on Security Affairs. It can be found here.

A new Russia-linked APT group, tracked as Laundry Bear, has been linked to a Dutch police security breach in September 2024.

Netherlands General Intelligence and Security Service (AIVD) and the Netherlands Defence Intelligence and Security Service (MIVD) have linked a previously undetected Russia-linked group, tracked Laundry Bear (aka Void Blizzard), to a 2024 police breach. In October 2024, the Dutch police blamed a state actor for the recent data breach that exposed officers’ contact details, the justice minister told lawmakers.

The incident took place on September 26, 2024, and the police reported the security breach to the Data Protection Authority. Threat actors broke into a police system and gained access to work-related contact details of multiple officers. The attackers had access to names, emails, phone numbers, and some private information belonging to police officers.

“Last week it became known that a police account was hacked. Work-related contact details of police officers were stolen.” reads the data breach notice published by Dutch police. “Apart from the names of colleagues, it does not concern private data or research data. Specialists within the police are investigating the impact of the incident.”

The Dutch police announced that they had identified the attackers, however, they haven’t publicly attributed it to a specific actor.

“The police have been informed by the intelligence services that it is very likely a ‘state actor’, in other words: another country or perpetrators on behalf of another country.” reads the update on the data breach published by Dutch Polite. “Based on the information from the intelligence services, the police immediately implemented strong security measures against this attack. In order not to make the perpetrators any wiser and not to harm further investigation, no more can be said at this time.” 

A new joint advisory published by the Dutch intelligence agencies warns Dutch organizations of Laundry Bear attacks. The government experts state that Laundry Bear has evaded detection by using simple attack methods and built-in tools on victims’ systems, making it hard to trace and distinguish from other Russian hackers.

“The AIVD and MIVD (‘the Dutch services’) have identified a publicly unknown, highly probably Russian state-supported threat actor and have named the group LAUNDRY BEAR.” reads the joint advisory. “This investigation into the threat actor was initiated because of an opportunistic cyber attack on the Dutch police in September 2024. During this attack the work-related contact information of police employees was obtained by the threat actor. The Dutch services and the police have not been able to ascertain that other information was obtained. It is highly probable that other Dutch organisations were also a victim of this threat actor.”

Since 2024, Laundry Bear has targeted Western governments, armed forces, defense contractors, cultural groups, and digital service providers in cyber operations.

Laundry Bear mainly targets EU and NATO countries, focusing on entities linked to Russia’s war in Ukraine, such as defense ministries, armed forces, diplomats, and defense contractors. In 2024, it also hit aerospace firms and high-tech manufacturers, likely to steal sensitive data about weapons production and deliveries to Ukraine.

The group has shown deep awareness of military supply chains and has also targeted tech companies producing goods Russia struggles to obtain under sanctions. Beyond military targets, Laundry Bear has gone after civilian, commercial, and IT service providers, especially those connected to government systems. It has also attacked NGOs, media, political parties, and education institutions. Compared to other Russian threat actors, Laundry Bear has had notable success in its operations.

In September 2024, Laundry Bear used a pass-the-cookie attack to access a Dutch police account, likely with a stolen browser cookie bought via a criminal marketplace. This allowed them to steal police contact info from the address list without needing login credentials. Authorities suspect other Dutch organizations were also targeted, though further data theft hasn’t been confirmed.

Microsoft tracked the group as Void Blizzard published a report on the APT that provides details about tools, tactics, and procedures used by the threat actor.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, APT)

This post was originally published on this site

Forum Search

Partners & Sponsors
  • University of Baltimore
  • Towson University
  • Bureau of Justice Assistance
  • National Science Foundation
LATEST FORUM POSTS
Test post2

Test Post2

By Demo User12, 1 year ago

Finding internships

Hello, Has anyone here secured any forensic related internships for 2024? I'm collecting some data and wanted to know what...

By AP Malla, 1 year ago

Beginner network forensic investigation

How should I approach network forensic? Would you recommend learning tools like WireShark?

By AP Malla, 1 year ago

Cyber Forensic Employment: High level guidelines

Understand the Basics: Know the Field: Cyber forensics involves investigating digital crimes, analyzing electronic data, and recovering hidden, deleted, or...

By AP Malla, 1 year ago

LATEST POSTS
Article thumbnail image
The Czech government condemned China after linking cyber espionage group APT31
PumaBot targets Linux IoT devices, using SSH brute-force attacks to steal crede
Apple blocked over $9B in fraud in 5 years, including $2B in 2024, stopping sca
Researchers found a fake Bitdefender site spreading the Venom RAT by tricking u