New Russian APT group targets NATO-based organizations after infiltrating Dutch police

Microsoft worked with the Dutch General Intelligence and Security Services (AIVD) and the Dutch National Defense Intelligence and Security Services (MIVD), which published a separate advisory on the group. The Dutch agencies investigated Void Blizzard after it successfully compromised the Dutch police in September 2024.

The group’s targeting overlaps with that of other Russian state-run cyberespionage groups, including APT28 (aka Fancy Bear), APT29 (aka Cozy Bear) and Turla (aka Venomous Bear), which Microsoft calls Forest Blizzard, Midnight Blizzard and Secret Blizzard, respectively. However, compared to these groups, Void Blizzard appears to use less complex techniques to gain initial access.

Password spraying and infostealer data dumps

Until last month, Void Blizzard relied primarily on password spraying, a technique involving brute-force password guessing attacks using common passwords from other data breaches or leaked password lists. The group has also been buying passwords and session cookies from underground cybercrime markets, especially from so-called logs obtained from infostealer malware, which is a recent threat.
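For defenders, password spraying leaves a recognizable shape in sign-in logs: one source failing against many accounts with only a few tries each, unlike classic brute force against a single account. The following detection sketch is an added example, not code from the article or from Microsoft; the log format, sample events and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (not real data): timestamp, source IP, account, result.
SAMPLE_LOG = """\
2024-09-02T08:00:01 203.0.113.7 alice FAIL
2024-09-02T08:00:09 203.0.113.7 bob FAIL
2024-09-02T08:00:17 203.0.113.7 carol FAIL
2024-09-02T08:00:26 203.0.113.7 dave FAIL
2024-09-02T08:00:31 203.0.113.7 erin OK
2024-09-02T08:00:40 203.0.113.7 frank FAIL
2024-09-02T08:05:00 198.51.100.20 alice FAIL
2024-09-02T08:05:04 198.51.100.20 alice FAIL
2024-09-02T08:05:09 198.51.100.20 alice FAIL
2024-09-02T08:05:15 198.51.100.20 alice FAIL
2024-09-02T09:10:00 192.0.2.44 bob FAIL
2024-09-02T09:10:30 192.0.2.44 bob OK
"""

def parse(log):
    """Yield (datetime, source, account, ok) tuples from whitespace-separated lines."""
    for line in filter(str.strip, log.splitlines()):
        ts, src, user, result = line.split()
        yield datetime.fromisoformat(ts), src, user, result == "OK"

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Flag sources that fail against many accounts, few tries each, within `window`.

    Returns {source: {"targets": set, "compromised": set}}; "compromised" holds
    accounts the same source signed in to successfully inside the spray window.
    """
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        for i, (start, *_rest) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - start <= window]
            fails = defaultdict(int)
            for _, _, user, ok in in_win:
                if not ok:
                    fails[user] += 1
            # Spraying: breadth across accounts, shallow per account.
            if len(fails) >= min_accounts and max(fails.values()) <= max_per_account:
                hits = {u for _, _, u, ok in in_win if ok}
                findings[src] = {"targets": set(fails), "compromised": hits}
                break
    return findings
```

Accounts listed under "compromised" are the ones to prioritize for password reset and session revocation, since a successful sign-in from a spraying source suggests a guessed credential.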
