Dutch Intelligence Exposes Russian “Laundry Bear” Cyber Group Behind Police Hack
Dutch intelligence services have identified a previously unknown Russian hacking group responsible for cyberattacks on multiple Dutch organizations, including a significant breach of the national police system in September 2024 that compromised work-related contact information of officers.
The Netherlands General Intelligence and Security Service (AIVD) and Military Intelligence and Security Service (MIVD) announced Tuesday that they have designated the threat actor as “Laundry Bear,” which Microsoft separately tracks as “Void Blizzard”.
The investigation revealed that the group has been conducting cyber operations against Western governments and institutions since at least 2024, with particular focus on NATO member states and European Union countries.
During the September attack on Dutch police, the hackers gained access to a single employee account and used it to pull work-related contact information from the Global Address List (the organization-wide directory exposed by Microsoft Exchange and Microsoft 365), including names, email addresses, phone numbers, and in some cases private details of multiple officers.
Laundry Bear Exposed
The attackers likely used a “pass-the-cookie” technique: replaying stolen session cookies (authentication tokens) that had been harvested by infostealer malware and bought on criminal marketplaces. Because the cookie represents an already-authenticated browser session, the attacker can reuse it without supplying the victim’s password or completing multi-factor authentication.
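The following Python script is an added example, not code from the original article or from the AIVD/MIVD advisory, showing the kind of check a defender can run over ordinary web-access logs to spot pass-the-cookie replay. The log format, field names, session identifiers and sample lines are constructed for illustration. It flags a session cookie that is used from a source IP or user agent different from the sign-in that minted it, and a cookie that performs authenticated actions although no sign-in for it appears in the log window at all.

```python
"""Flag likely pass-the-cookie session replay in web access logs.

Added example, not from the AIVD/MIVD advisory. The log format, field
names and sample lines below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log (not real data):
# ISO timestamp | user | session cookie id | source IP | user agent | action
SAMPLE_LOG = """\
2024-09-20T08:01:10Z|alice|sid-1a2b|198.51.100.17|Mozilla/5.0 (Windows NT 10.0) Edg/128|login
2024-09-20T08:05:42Z|alice|sid-1a2b|198.51.100.17|Mozilla/5.0 (Windows NT 10.0) Edg/128|mail.read
2024-09-20T13:22:03Z|alice|sid-1a2b|203.0.113.88|Mozilla/5.0 (X11; Linux x86_64) Chrome/124|gal.export
2024-09-20T09:00:00Z|bob|sid-9f8e|198.51.100.23|Mozilla/5.0 (Windows NT 10.0) Edg/128|login
2024-09-20T09:03:11Z|bob|sid-9f8e|198.51.100.23|Mozilla/5.0 (Windows NT 10.0) Edg/128|mail.read
2024-09-20T02:14:55Z|carol|sid-77c0|203.0.113.41|python-requests/2.31|gal.export
"""


@dataclass
class Event:
    ts: str
    user: str
    session: str
    ip: str
    ua: str
    action: str


@dataclass
class Finding:
    session: str
    user: str
    reason: str   # "client-mismatch" or "no-login"
    detail: str


def parse_log(text: str) -> list[Event]:
    """Parse the pipe-separated constructed log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != 6:
            raise ValueError(f"malformed line: {line!r}")
        events.append(Event(*parts))
    return events


def detect_cookie_replay(events: list[Event]) -> list[Finding]:
    """Return one Finding per suspicious use of a session cookie.

    Indicator 1 (client-mismatch): the same session id is used from a
    different IP or user agent than the interactive login that created it.
    Indicator 2 (no-login): the session id performs authenticated actions
    but never logged in within the log window, i.e. the cookie arrived from
    elsewhere (for example harvested from the victim's browser by an
    infostealer) and was replayed without a password or MFA prompt.
    """
    by_session: dict[str, list[Event]] = defaultdict(list)
    for ev in events:
        by_session[ev.session].append(ev)

    findings: list[Finding] = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e.ts)          # ISO-8601 strings sort chronologically
        logins = [e for e in evs if e.action == "login"]
        if not logins:
            first = evs[0]
            findings.append(Finding(sid, first.user, "no-login",
                f"{len(evs)} authenticated request(s) from {first.ip} ({first.ua}) "
                f"with no sign-in in the log window"))
            continue
        origin = logins[0]                    # client fingerprint that minted the cookie
        for ev in evs:
            if ev.action == "login":
                continue
            if ev.ip != origin.ip or ev.ua != origin.ua:
                findings.append(Finding(sid, ev.user, "client-mismatch",
                    f"{ev.action} at {ev.ts} from {ev.ip} ({ev.ua}); "
                    f"session minted from {origin.ip} ({origin.ua})"))
    return findings


if __name__ == "__main__":
    for f in detect_cookie_replay(parse_log(SAMPLE_LOG)):
        print(f"[{f.reason}] session={f.session} user={f.user}: {f.detail}")
```

Run against the constructed sample, the script flags alice’s session (signed in from a Windows/Edge client, later exporting the address list from a Linux/Chrome client at a different IP) and carol’s session (an address-list export by a non-browser client with no sign-in at all), while bob’s consistent session passes. An IP change alone is a weak signal on mobile or NAT-heavy networks, so in production the user-agent mismatch and the no-login case deserve higher severity than an IP-only change; binding session tokens to the device (for example via token-protection or device-bound session features of the identity provider) removes the class of attack rather than merely detecting it.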
“We have seen that this hacker group successfully gains access to sensitive information from a large number of (government) organizations and companies worldwide,” said MIVD director Vice Admiral Peter Reesink.
“They have a specific interest in countries of the European Union and NATO. Laundry Bear is after information about the purchase and production of military equipment by Western governments and Western deliveries of weapons to Ukraine”.
The cyber espionage campaign extends far beyond the Netherlands, targeting armed forces, government bodies, defense contractors, social organizations, and IT service providers across multiple countries.
Laundry Bear has also conducted attacks against companies producing high-technology systems that Russia cannot easily access due to Western sanctions imposed following its invasion of Ukraine.
What makes Laundry Bear particularly concerning is their ability to remain undetected for extended periods. The group employs relatively simple but effective techniques that are difficult to distinguish from legitimate network activity.
Their operations demonstrate “some level of automation” that allows them to conduct many attacks in short timeframes while maintaining a high success rate.
Intelligence agencies noted similarities between Laundry Bear’s methods and those used by APT28 (also known as Fancy Bear), another Russian state-sponsored group linked to the GRU military intelligence agency. However, investigators concluded these are distinct threat actors operating independently.
In an unusual move, Dutch authorities decided to publicly expose Laundry Bear’s technical methods to strengthen collective cybersecurity defenses. “We consciously choose to expose their methods,” explained AIVD Director-General Erik Akerboom.
“This way, not only governments, but also manufacturers, suppliers and other targets can arm themselves against this form of espionage. This limits Laundry Bear’s chances of success and digital networks can be better protected”.
The revelation underscores the escalating cyber threat facing the Netherlands and its allies. Both AIVD and MIVD report investigating a growing number of distinct hacker groups targeting Dutch interests, with attacks increasing in both frequency and complexity.
The agencies warn that Laundry Bear is likely to expand its operations and develop more sophisticated attack vectors in the future. All identified affected Dutch organizations have been notified and provided assistance in implementing protective measures against future attacks.