Denis Nikolayevich Obrezko: charges and the government case
Federal prosecutors this week charged Denis Nikolayevich Obrezko, a Russian citizen, with conspiracy to commit unauthorized computer access, according to a criminal complaint filed in federal court. An FBI affidavit unsealed Tuesday alleges Obrezko played a facilitation role in a wide-ranging cyber-espionage campaign by purchasing a virtual private server and registering domain names used in the intrusions. Obrezko appeared in court Tuesday and agreed to be taken into custody while awaiting trial.
Void Blizzard (also tracked as Laundry Bear): attribution and prior findings
The campaign at the center of the complaint has been linked to Void Blizzard, a Russia-aligned threat group Microsoft has publicly identified and also tracks under the name Laundry Bear. Microsoft described Void Blizzard as a state-sponsored actor conducting large-scale espionage against government agencies, defense suppliers, and critical infrastructure providers across NATO member states, Ukraine, and beyond. The charges against Obrezko were filed roughly a year after Microsoft’s public identification of the group.
Verified intrusions, targets, and international confirmations
Investigators told the FBI they received tips in June–July 2024 from a foreign partner and a U.S.-based private-sector firm pointing to several American companies being targeted. FBI investigators subsequently verified intrusions at 11 U.S. companies; the affidavit characterizes that number as likely a fraction of the total victim count in the United States. Separately, Dutch intelligence and security services confirmed in May 2025 that Void Blizzard had infiltrated the Netherlands’ national police force in September 2024, stealing work-related contact information on police staff. Microsoft researchers also identified an April 2025 spear-phishing campaign attributed to Void Blizzard that targeted more than 20 non-governmental organizations in Europe and the United States.
Tactics observed: stolen session tokens, VPNs, proxies, and typosquatting
The FBI affidavit describes a methodical but largely unsophisticated mode of operation. Investigators say the group chiefly relied on stolen session tokens to authenticate to victim accounts without triggering re-authentication checks, then masked the connections by routing traffic through a VPN and using a U.S.-based commercial proxy service. The actors typically selected proxy IP addresses in the same region as a target to bypass geographic firewall restrictions. Microsoft observed the group harvesting bulk email and files from compromised cloud environments, accessing Microsoft Teams conversations, and cataloging Microsoft Entra ID configurations to map organizational structures. The affidavit corroborates Microsoft’s reporting that attackers registered typosquatted domains such as miscrsosoft[.]com and micsrosoftonline[.]com through accounts tied to the same infrastructure used by the group.
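Two of the behaviours in the affidavit lend themselves to simple log-side checks. The Python below is an added example, not code from the complaint, the affidavit, or Microsoft's reporting. It (a) flags a session token that is used from an autonomous system other than the one where the session was interactively established, a check that still fires when the attacker picks a proxy in the target's own region and so passes a country-level geo rule, and (b) scores candidate domains against a short list of protected names by edit distance, using the two typosquatted domains named above as input. The sign-in log format, the log lines, the ASN table and the `lookup_asn` helper are constructed for the example and stand in for whatever identity-provider logs and GeoIP/ASN data an organisation actually has.

```python
"""Defender-side checks for two tactics described in the Void Blizzard case:
(1) a session token replayed from infrastructure other than where it was issued,
(2) typosquatted look-alike domains. Log lines, ASN table and the log format
are constructed for this example (assumption), not taken from the case."""
from dataclasses import dataclass
import ipaddress

# Constructed ASN table standing in for a GeoIP/ASN database (assumption).
# Note the proxy range is labelled "us-east" on purpose: it is in the same
# region as the corporate office, so a country/region rule would not flag it.
ASN_TABLE = {
    "203.0.113.0/24": ("AS64500", "corp-office-us-east"),
    "198.51.100.0/24": ("AS64501", "commercial-proxy-us-east"),
    "192.0.2.0/24": ("AS64502", "vpn-exit-eu"),
}


def lookup_asn(ip):
    """Return (asn, label) for an IP; unknown ranges map to AS0."""
    addr = ipaddress.ip_address(ip)
    for cidr, meta in ASN_TABLE.items():
        if addr in ipaddress.ip_network(cidr):
            return meta
    return ("AS0", "unknown")


@dataclass
class SignIn:
    ts: int          # epoch seconds
    user: str
    session_id: str  # identifier of the session, never the token value itself
    ip: str
    auth: str        # "interactive" (credentials + MFA) or "token" (token reuse)


# Constructed sign-in log in a hypothetical key=value format (assumption).
LOG = """\
ts=1718000000 user=alice session=s-1 ip=203.0.113.10 auth=interactive
ts=1718000300 user=alice session=s-1 ip=203.0.113.10 auth=token
ts=1718003600 user=alice session=s-1 ip=198.51.100.7 auth=token
ts=1718000100 user=bob session=s-2 ip=203.0.113.22 auth=interactive
ts=1718007200 user=bob session=s-2 ip=192.0.2.5 auth=token
ts=1718007300 user=carol session=s-3 ip=198.51.100.9 auth=token
"""


def parse_line(line):
    kv = dict(field.split("=", 1) for field in line.split())
    return SignIn(int(kv["ts"]), kv["user"], kv["session"], kv["ip"], kv["auth"])


def detect_token_reuse(lines):
    """Alert when a session token is used from an ASN other than the one where
    the session was interactively established, or with no interactive sign-in
    observed at all (a token whose origin the logs cannot account for)."""
    issued_at = {}  # session_id -> ASN seen at the interactive sign-in
    alerts = []
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    for ev in events:
        asn, label = lookup_asn(ev.ip)
        if ev.auth == "interactive":
            issued_at[ev.session_id] = asn
            continue
        origin = issued_at.get(ev.session_id)
        if origin is None:
            alerts.append((ev.user, ev.session_id, ev.ip,
                           "token use with no observed interactive sign-in"))
        elif asn != origin:
            alerts.append((ev.user, ev.session_id, ev.ip,
                           f"token issued in {origin} replayed from {asn} ({label})"))
    return alerts


def levenshtein(a, b):
    """Plain edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


PROTECTED = ["microsoft.com", "microsoftonline.com"]


def find_typosquats(domains, max_dist=2):
    """Map each look-alike domain (distance 1..max_dist from a protected name)
    to the protected name it imitates; exact matches are not look-alikes."""
    hits = {}
    for d in domains:
        d = d.lower().replace("[.]", ".")  # accept defanged input
        for p in PROTECTED:
            if 1 <= levenshtein(d, p) <= max_dist:
                hits[d] = p
                break
    return hits


if __name__ == "__main__":
    for alert in detect_token_reuse(LOG.splitlines()):
        print("TOKEN", *alert)
    for bad, target in find_typosquats(
            ["miscrsosoft[.]com", "micsrosoftonline[.]com", "microsoft.com"]).items():
        print("TYPOSQUAT", bad, "->", target)
```

The token rule deliberately keys on the autonomous system rather than the country: the affidavit's point is that proxy exits were chosen in the target's region, so a sign-in that looks geographically normal can still come from a commercial proxy range the organisation never uses. The third alert (a token used with no interactive sign-in on record) is worth keeping even though it is noisier, because it catches sessions that pre-date log retention or were issued through a path the logs do not cover.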
What this means for technologists, policymakers, and affected enterprises
- Technologists and security teams: The record here underscores that relatively simple techniques — stolen session tokens, VPN routing, and regional proxy selection — can yield extensive access when applied at scale. Microsoft researchers noted the group’s success illustrates the sustained risk posed by basic intrusion techniques.
- Policymakers and regulators: The involvement of a state-aligned actor, cross-border victimology, and the confirmation by Dutch intelligence of a national police intrusion highlight international dimensions that may inform incident reporting and interagency coordination efforts.
- Affected enterprises and procurement leaders: Verified intrusions at 11 U.S. companies, plus Microsoft’s finding of more than 20 NGOs targeted in April 2025, indicate that organizations across corporate, nonprofit, and public sectors should assume persistent attempts to harvest cloud email, files, and collaboration data remain active.
The criminal complaint and the unsealed affidavit frame this as an example of how access-enabling services and purchasable infrastructure — virtual private servers and domain registrations — can be woven into larger espionage campaigns. With an accused facilitator now in U.S. custody, prosecutors will move to test the allegations in court; investigators will continue to map the full scope of intrusions that the affidavit suggests extend beyond the 11 verified U.S. victims.
Read the original CyberScoop report: https://cyberscoop.com/russian-national-charged-void-blizzard-cyber-espionage/