Void Blizzard’s Playbook: How Stolen Credentials Fuel Global Espionage

Posted on June 5, 2025
Void Blizzard (also known as Laundry Bear) is a recently identified Russia-affiliated cyberespionage group that emerged in mid-2024. Security researchers assess with high confidence that it operates on behalf of the Russian state, leveraging credential-based intrusions to quietly infiltrate organizations and exfiltrate sensitive data.
While Void Blizzard operates with the backing of a nation-state, its methods rely on weaknesses that affect organizations of every size, including private enterprises far outside the realm of geopolitics. Stolen credentials, weak passwords, and exposed session tokens remain among the most common entry points for advanced threat actors.
In this article, we’ll break down exactly how Void Blizzard operates, why credential-based attacks remain so effective, and how proactive monitoring can give defenders a critical advantage.
Activities and Objectives
Void Blizzard’s primary mission is cyber-espionage, not financially motivated attacks. The group uses stolen credentials to infiltrate networks and steal data. The actors often buy or acquire valid login details (usernames, passwords, session cookies) from underground marketplaces and infostealer malware dumps.

Once inside, they focus on harvesting large volumes of emails and sensitive files from cloud services like Exchange Online and SharePoint.
The group has hit a broad range of sectors important to Russian interests. Known victims include government and defense agencies, telecommunications, healthcare, education, media, NGOs, and transportation organizations. Targets span both public and private sectors in Europe and North America.
Tactics, Techniques, and Procedures (TTPs)
Void Blizzard relies on relatively unsophisticated but effective tactics to gain and exploit access. For more context, please see Microsoft’s research report detailing the group’s methods and recent activity.

Its methods can be mapped to MITRE ATT&CK techniques as follows:
- Initial Access – Stolen Credentials & Password Attacks: Void Blizzard frequently obtains user credentials from third-party breaches or malware. It performs high-volume password spraying (trying common passwords across many accounts). It also purchases dumped password lists and session cookies from infostealer malware (T1550.003 “Use Alternate Authentication Material”). In one intrusion, it hijacked a Dutch police account using a stolen session cookie – a classic “pass-the-cookie” attack.
These tactics fall under Valid Accounts (T1078) in MITRE, as the attackers simply log in with legitimate credentials. Microsoft notes that Void Blizzard “procures cookies and other credentials through criminal ecosystems” and then uses these to access Exchange and SharePoint Online.
- Spear Phishing (AitM Phishing): Starting in April 2025, Void Blizzard escalated to targeted spear-phishing using an adversary-in-the-middle (AitM) technique. In a major campaign against NGOs, the hackers posed as European summit organizers and sent emails with PDF “invitations” containing a malicious QR code.

Malicious QR code used by Void Blizzard (Source: Microsoft)
The QR code led victims to a typosquatted domain (micsrosoftonline[.]com) hosting a fake Microsoft Entra (Azure AD) login page. The phishing page was built on the Evilginx framework, enabling capture of both passwords and session cookies. This aligns with MITRE Spearphishing Link (T1566.002) and Input Capture (T1056) techniques. The campaign compromised over 20 NGOs in Europe and the U.S., showing Void Blizzard’s shift to more direct social-engineering methods.
- Living-off-the-Land (LOTL): Void Blizzard does not rely on custom malware. Instead, the group mainly uses built-in tools and legitimate services to blend in. After gaining access, they abuse Exchange Web Services (EWS) and Outlook Web Access (OWA) to explore victim networks.
Analysts note they “likely automate the bulk collection of cloud-hosted data” using Microsoft Graph and Exchange APIs. In practice, once authenticated, the actors will download any mailboxes, file shares, or Teams messages the compromised user can see.
- Discovery and Lateral Movement: To expand access internally, Void Blizzard uses techniques like GAL scraping. Microsoft and Dutch reports describe how the hackers download the Global Address List (GAL) from Exchange and then use it to identify high-value accounts for further password spraying.
They are especially interested in delegated access accounts (mailboxes that can manage other accounts). The attackers also use the open-source tool AzureHound to enumerate an organization’s Azure AD/Entra ID configuration (users, roles, groups, etc.). These reconnaissance steps correspond to MITRE’s Directory Services Discovery (T1087.004) and Cloud Discovery techniques.
- Collection and Exfiltration: Once inside, Void Blizzard collects data stealthily. They primarily exfiltrate emails and files from cloud storage, using automated scripts or API calls. This bulk harvesting is akin to MITRE’s Data from Cloud (T1530) and Archive Collected Data (T1560.001). In some cases, the group accessed Microsoft Teams chats via the web client to gather more information. Because they stick to legitimate services, exfiltration may blend with normal traffic, making detection harder.
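The password-spraying step above has a recognisable shape in sign-in telemetry: one source address failing against many distinct accounts with only one or two attempts each, sometimes followed by a success. The detector below is an added example for this article (not code from Microsoft, the Dutch authorities, or Twilight Cyber); the rows are constructed in the shape of Entra ID sign-in log fields, and the thresholds are assumptions to tune per environment.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample rows in the shape of Entra ID sign-in log entries:
# (userPrincipalName, ipAddress, errorCode, createdDateTime). Not real data.
# errorCode 0 = success; 50126 = invalid username or password.
SAMPLE_SIGNINS = [
    # One source IP tries six different accounts once each, then one succeeds.
    ("alice@example.org", "203.0.113.7", 50126, "2025-04-10T02:00:05Z"),
    ("bob@example.org",   "203.0.113.7", 50126, "2025-04-10T02:01:12Z"),
    ("carol@example.org", "203.0.113.7", 50126, "2025-04-10T02:02:40Z"),
    ("dave@example.org",  "203.0.113.7", 50126, "2025-04-10T02:03:58Z"),
    ("erin@example.org",  "203.0.113.7", 50126, "2025-04-10T02:05:21Z"),
    ("frank@example.org", "203.0.113.7", 50126, "2025-04-10T02:06:47Z"),
    ("frank@example.org", "203.0.113.7", 0,     "2025-04-10T02:09:03Z"),
    # A legitimate user mistyping a password three times is not a spray.
    ("alice@example.org", "198.51.100.20", 50126, "2025-04-10T08:30:00Z"),
    ("alice@example.org", "198.51.100.20", 50126, "2025-04-10T08:30:20Z"),
    ("alice@example.org", "198.51.100.20", 50126, "2025-04-10T08:30:45Z"),
    ("alice@example.org", "198.51.100.20", 0,     "2025-04-10T08:31:10Z"),
]

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def detect_password_spray(events, window_minutes=30, min_users=5, max_fail_per_user=2):
    """Flag source IPs that fail against many distinct accounts with only a few
    attempts per account inside a sliding window (the spray signature), and list
    any accounts that later succeeded from that IP (a likely compromise)."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for upn, ip, code, ts in events:
        by_ip[ip].append((parse_ts(ts), upn, code))
    findings = {}
    for ip, rows in by_ip.items():
        rows.sort()
        fails = [(t, u) for t, u, c in rows if c != 0]
        start = 0
        for end in range(len(fails)):
            # Advance the window start so the window spans at most window_minutes.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = Counter(u for _, u in fails[start:end + 1])
            if (len(per_user) >= min_users and max(per_user.values()) <= max_fail_per_user
                    and len(per_user) > findings.get(ip, {}).get("failed_users", 0)):
                spray_start = fails[start][0]
                successes = sorted({u for t, u, c in rows if c == 0 and t >= spray_start})
                findings[ip] = {"failed_users": len(per_user), "successes": successes}
    return findings
```

Accounts listed under "successes" for a flagged IP are the ones to treat as compromised first: revoke sessions, reset the password and review the mailbox and file activity that followed.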
MITRE ATT&CK Mapping
| MITRE Tactic | Technique ID | Technique Name | Description |
|---|---|---|---|
| Initial Access | T1078 | Valid Accounts | Uses stolen credentials (usernames, passwords, session cookies) from infostealer malware or criminal markets to log in directly to cloud services. |
| Initial Access | T1550.003 | Use Alternate Authentication Material | Hijacks active sessions using stolen cookies (“pass-the-cookie” attacks), bypassing MFA and gaining access without credentials. |
| Initial Access | T1110.004 | Password Spraying | Attempts common passwords across large sets of accounts to compromise weakly protected users. |
| Phishing | T1566.002 | Spearphishing via Link | Sends spear-phishing emails with malicious QR codes linking to fake login portals that harvest credentials. |
| Credential Access | T1555 | Credentials from Password Stores | Acquires credentials from infostealer malware logs traded on underground marketplaces. |
| Discovery | T1087.004 | Cloud Account Discovery | Uses tools like AzureHound to map Azure AD/Entra ID users, groups, roles, and permissions. |
| Discovery | T1087.002 | Email Address Discovery | Scrapes Exchange Global Address Lists (GAL) to identify additional targets inside the victim organization. |
| Collection | T1530 | Data from Cloud Storage | Bulk downloads emails, Teams chats, and files from cloud services using Microsoft Graph and Exchange APIs. |
| Collection | T1560.001 | Archive Collected Data | Compresses and archives collected data for easier exfiltration. |
| Defense Evasion | T1218 | Signed Binary Proxy Execution | Uses legitimate administrative binaries and tools (PowerShell, Exchange Web Services, Graph API) to avoid detection, a classic “living-off-the-land” approach. |
In summary, Void Blizzard’s toolkit is rudimentary but effective. They focus on credential theft (T1555), password spraying (T1110.004), session hijacking (T1550.003) and phishing (T1566).
They have no known bespoke malware, relying instead on living-off-the-land techniques (e.g., PowerShell, Azure AD enumeration) and legitimate cloud APIs to cover their tracks. Their success underscores that even basic TTPs, executed at scale by a determined team, can yield significant intelligence.
Infiltration Strategies
Void Blizzard breaches networks using social engineering and credential-based attacks. The group often buys leaked or phished login credentials and replays them against corporate services, betting that passwords are reused (credential stuffing). With a valid password in hand, they can log directly into corporate email and collaboration portals.
Alternatively, they have employed targeted spear-phishing: sending deceptive emails that trick users into submitting their login details. In the NGO campaign, for example, the fake PDF invitations and Evilginx pages represent advanced social engineering.
Unlike many other prominent groups, Void Blizzard has shown no evidence of supply-chain or zero-day exploitation in public reports. Instead, it exploits human weaknesses and poor password hygiene, preying on any account that uses common or recycled passwords. If an organization’s credentials are leaked or reused across sites, Void Blizzard is likely to find and exploit them.
Major Incidents and Case Studies
Several attributed campaigns illustrate Void Blizzard’s approach:
| Incident / Campaign | Date | Targets | Tactics Used | Outcome |
|---|---|---|---|---|
| Dutch National Police breach | Sep 2024 | Dutch police (employee) | Compromised account via stolen session cookie (pass-the-cookie) | Work-related staff contact info was exfiltrated; investigation found no other data stolen. Authorities alerted affected staff. |
| NGO spear-phishing attack | Apr 2025 | 20+ NGOs (EU, US) | AitM spear-phishing with Evilginx; malicious PDF QR code | Potential harvesting of user credentials; dozens of organizations targeted. Highlighted risk of credential theft via phishing. |
| Ukrainian aviation accounts | Oct 2024 | Ukrainian aerospace firm | Account takeover (details unrevealed) | Multiple user mailboxes accessed, consistent with Russia’s long-standing interest in aviation intelligence. |
These cases show Void Blizzard’s pattern:
They gain initial access via stolen credentials or phishing, then quietly siphon emails and files. For instance, the Dutch police intrusion used an infostealer-reported cookie, allowing the attacker to bypass the password entirely.
The NGO campaign, in contrast, used a convincing social-engineering lure (a European summit “invitation”) to trick victims into a fake login page. In all known incidents, the attackers took advantage of weak or stolen credentials without deploying disruptive ransomware or wipers.
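The Dutch police case is the pass-the-cookie pattern: no password or MFA prompt, just an existing session reused from somewhere the user never authenticated. One way a defender can surface that from sign-in telemetry is to tie every non-interactive token use back to the network where that session last authenticated interactively. This is an added example written for this article, not code from any of the organizations mentioned; the rows are constructed, and the field names (session id, interactive flag, ASN) are assumed to be available from the identity provider's sign-in logs.

```python
from collections import defaultdict

# Constructed rows shaped like identity-provider sign-in records:
# (sessionId, userPrincipalName, ipAddress, asn, isInteractive, createdDateTime).
SAMPLE_SESSION_EVENTS = [
    # Legitimate user: interactive (MFA) sign-in, then token use from the same network.
    ("sess-A", "alice@example.org", "198.51.100.20", 64500, True,  "2024-09-01T08:00:00Z"),
    ("sess-A", "alice@example.org", "198.51.100.20", 64500, False, "2024-09-01T09:15:00Z"),
    # Victim: interactive sign-in at the office, then the same session cookie is
    # replayed from an unrelated network with no new interactive sign-in there.
    ("sess-B", "bob@example.org",   "198.51.100.21", 64500, True,  "2024-09-01T08:05:00Z"),
    ("sess-B", "bob@example.org",   "203.0.113.7",   64496, False, "2024-09-01T13:40:00Z"),
    ("sess-B", "bob@example.org",   "203.0.113.7",   64496, False, "2024-09-01T13:41:30Z"),
    # Roaming user: new network, but re-authenticated interactively there first.
    ("sess-C", "carol@example.org", "198.51.100.22", 64500, True,  "2024-09-01T08:10:00Z"),
    ("sess-C", "carol@example.org", "192.0.2.44",    64497, True,  "2024-09-01T12:00:00Z"),
    ("sess-C", "carol@example.org", "192.0.2.44",    64497, False, "2024-09-01T12:30:00Z"),
]

def detect_session_replay(events):
    """Return one (sessionId, upn, origin_ip, replay_ip, first_replay_ts) tuple per
    session whose token is used non-interactively from an ASN where that session
    never authenticated interactively. A session with no interactive sign-in in
    the data at all is also reported (origin_ip is None), since its provenance
    cannot be established and it deserves a look."""
    sessions = defaultdict(list)
    for row in events:
        sessions[row[0]].append(row)
    alerts = []
    for sid, rows in sessions.items():
        rows.sort(key=lambda r: r[5])  # same-format ISO-8601 strings sort chronologically
        trusted_asns, origin_ip = set(), None
        for _, upn, ip, asn, interactive, ts in rows:
            if interactive:
                trusted_asns.add(asn)
                origin_ip = origin_ip or ip
            elif asn not in trusted_asns:
                alerts.append((sid, upn, origin_ip, ip, ts))
                break  # one alert per session is enough for triage
    return alerts
```

An alert here is a trigger to revoke the session (invalidating the refresh and session tokens), not just to reset the password, because the stolen cookie would otherwise keep working.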
The Threat of Stolen Credentials
Void Blizzard’s success highlights a broader lesson: stolen or reused credentials remain a critical attack vector. Twilight Cyber’s research indicates that over 100,000 new credentials are compromised each month.
One 2025 industry intelligence report found over 3.2 billion credentials were stolen in 2024, largely through information-stealing malware and data breaches. These flooded credentials fuel many attacks, from APT espionage to ransomware.

For groups like Void Blizzard, a single compromised password can open the door to an organization’s entire email and file system. Security expert analyses repeatedly note that these attackers rely on credentials and session tokens obtained from third parties. Detecting such credential exposure early, before attackers use them, is key to prevention.
Close Your Credential Gap With Twilight Cyber
With threat actors like Void Blizzard and many others roaming around, continuous credential monitoring must become a core component of any modern cybersecurity program.
Twilight Cyber provides real-time scanning of the dark web, paste sites, and cybercriminal forums to detect when an organization’s usernames or passwords have leaked. When suspicious credentials are discovered, security teams receive immediate alerts, enabling rapid remediation (e.g. forcing password resets or tightening MFA).
Unlike other credential exposure solutions that take weeks, Twilight notifies you in hours, giving you plenty of time to respond before attackers can exploit the exposed credentials and gain access to your environment.
Ready to start actively protecting your credentials? Contact us now to get started.