Pierluigi Paganini
May 27, 2025
Netherlands General Intelligence and Security Service (AIVD) and the Netherlands Defence Intelligence and Security Service (MIVD) have linked a previously undetected Russia-linked group, tracked Laundry Bear (aka Void Blizzard), to a 2024 police breach. In October 2024, the Dutch police blamed a state actor for the recent data breach that exposed officers’ contact details, the justice minister told lawmakers.
The incident took place on September 26, 2024, and the police reported the security breach to the Data Protection Authority. Threat actors broke into a police system and gained access to work-related contact details of multiple officers. The attackers had access to names, emails, phone numbers, and some private information belonging to police officers.
“Last week it became known that a police account was hacked. Work-related contact details of police officers were stolen.” reads the data breach notice published by Dutch police. “Apart from the names of colleagues, it does not concern private data or research data. Specialists within the police are investigating the impact of the incident.”
The Dutch police announced that they had identified the attackers, however, they haven’t publicly attributed it to a specific actor.
“The police have been informed by the intelligence services that it is very likely a ‘state actor’, in other words: another country or perpetrators on behalf of another country.” reads the update on the data breach published by Dutch Polite. “Based on the information from the intelligence services, the police immediately implemented strong security measures against this attack. In order not to make the perpetrators any wiser and not to harm further investigation, no more can be said at this time.”
A new joint advisory published by the Dutch intelligence agencies warns Dutch organizations of Laundry Bear attacks. The government experts state that Laundry Bear has evaded detection by using simple attack methods and built-in tools on victims’ systems, making it hard to trace and distinguish from other Russian hackers.
“The AIVD and MIVD (‘the Dutch services’) have identified a publicly unknown, highly probably Russian state-supported threat actor and have named the group LAUNDRY BEAR.” reads the joint advisory.
Since 2024, Laundry Bear has targeted Western governments, armed forces, defense contractors, cultural groups, and digital service providers in cyber operations.
Laundry Bear mainly targets EU and NATO countries, focusing on entities linked to Russia’s war in Ukraine, such as defense ministries, armed forces, diplomats, and defense contractors. In 2024, it also hit aerospace firms and high-tech manufacturers, likely to steal sensitive data about weapons production and deliveries to Ukraine.
The group has shown deep awareness of military supply chains and has also targeted tech companies producing goods Russia struggles to obtain under sanctions. Beyond military targets, Laundry Bear has gone after civilian, commercial, and IT service providers, especially those connected to government systems. It has also attacked NGOs, media, political parties, and education institutions. Compared to other Russian threat actors, Laundry Bear has had notable success in its operations.
In September 2024, Laundry Bear used a pass-the-cookie attack to access a Dutch police account, likely with a stolen browser cookie bought via a criminal marketplace. This allowed them to steal police contact info from the address list without needing login credentials. Authorities suspect other Dutch organizations were also targeted, though further data theft hasn’t been confirmed.
Microsoft tracked the group as Void Blizzard published a report on the APT that provides details about tools, tactics, and procedures used by the threat actor.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, APT)
