
A newly identified Russian cyberespionage group, tracked as Void Blizzard, has been connected to a September 2024 security breach affecting Dutch police systems. The operation involved exploitation of unpatched Microsoft Exchange servers through CVE-2024-21410, with evidence suggesting coordination with GRU Unit 261651. This incident highlights the continued targeting of European law enforcement by state-sponsored actors.
Technical Analysis of the Attack
The Void Blizzard operation employed a multi-stage attack chain beginning with VPN credential theft. Attackers gained initial access through compromised Exchange servers vulnerable to CVE-2024-21410, a known privilege escalation flaw. Once inside the network, the group deployed custom tooling to maintain persistence and exfiltrate sensitive law enforcement data. Recent FBI alerts indicate the group has since incorporated AI-generated voice clones in phishing attempts against high-value targets [2].
Network telemetry from the Dutch breach shows the attackers established command and control through a series of proxy servers, using techniques similar to those documented in GRU operations. The group maintained access for 17 days before detection, during which they accessed personnel records and ongoing investigation files. Forensic analysis revealed the use of modified versions of existing malware frameworks adapted for this specific operation.
Broader Context of Russian Cyber Operations
The Dutch police breach fits within a pattern of Russian APT activity targeting European infrastructure. Recent campaigns include GooseEgg malware attacks against rail systems and RDP proxy-based data theft operations [3]. Void Blizzard’s TTPs show overlap with known GRU units, particularly in their use of unpatched vulnerabilities for initial access and their focus on government targets.
Parallel operations by other Russian-linked groups include the RomCom Firefox/Tor zero-day exploit (CVE-2025-23006) against NATO diplomatic targets and the TAG-110 campaign distributing HatVibe and CherrySpy malware across 11 countries [4]. These operations demonstrate coordinated efforts across multiple threat actors with distinct but complementary objectives.
Detection and Mitigation Strategies
Organizations can implement several defensive measures against Void Blizzard’s known tactics:
- Immediate patching of Exchange servers, particularly for CVE-2024-21410
- Enhanced monitoring of VPN authentication attempts and unusual RDP connections
- Implementation of voice authentication verification for sensitive communications
- Network segmentation to limit lateral movement post-compromise
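The second item, monitoring VPN authentication for the credential-theft pattern described above, can be turned into a simple detection rule. The following is an added example, not code from the original report or any CISA rule set; the log format, the user name, the IP addresses and the per-user baseline of known source networks are all constructed for illustration.

```python
"""Flag suspicious VPN logins in constructed log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed baseline: networks each user normally connects from.
KNOWN_SOURCES = {
    "j.devries": [ip_network("10.20.0.0/16"), ip_network("203.0.113.0/24")],
}

# Constructed syslog-style lines: "<ts> vpn: user=<u> src=<ip> result=<ok|fail>"
SAMPLE_LOG = """\
2024-09-10T02:11:03 vpn: user=j.devries src=198.51.100.77 result=fail
2024-09-10T02:11:09 vpn: user=j.devries src=198.51.100.77 result=fail
2024-09-10T02:11:15 vpn: user=j.devries src=198.51.100.77 result=fail
2024-09-10T02:11:22 vpn: user=j.devries src=198.51.100.77 result=ok
2024-09-10T08:30:00 vpn: user=j.devries src=203.0.113.5 result=ok
"""

def parse(line):
    """Split one log line into (timestamp, user, source address, result)."""
    ts, _, rest = line.partition(" vpn: ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields["user"], ip_address(fields["src"]), fields["result"]

def find_suspicious(log, fail_threshold=3, window=timedelta(minutes=5)):
    """Return (user, src, reason) tuples for logins that deserve analyst review."""
    alerts = []
    recent_fail = defaultdict(list)  # (user, src) -> timestamps of failed attempts
    for line in log.splitlines():
        ts, user, src, result = parse(line)
        key = (user, src)
        if result == "fail":
            recent_fail[key].append(ts)
            continue
        # Success right after a burst of failures from the same source:
        # consistent with guessed or stolen credentials being tried out.
        fails = [t for t in recent_fail[key] if ts - t <= window]
        if len(fails) >= fail_threshold:
            alerts.append((user, str(src), "success after %d failures" % len(fails)))
        # Success from a network this user has never used before.
        if not any(src in net for net in KNOWN_SOURCES.get(user, [])):
            alerts.append((user, str(src), "unknown source network"))
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print(alert)
```

The first success from 198.51.100.77 triggers both rules, while the later login from the user's usual network is silent; in a real deployment the baseline would come from historical authentication data rather than a hard-coded table.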
CISA has released updated detection rules for Void Blizzard’s infrastructure, available through their automated indicator sharing system. These include signatures for their custom malware variants and known C2 IP ranges [5].
Future Implications
The Void Blizzard operation signals an escalation in Russian cyber operations against European law enforcement. The incorporation of AI-assisted social engineering suggests future attacks may become more sophisticated in their targeting methods. Organizations should prepare for increased blending of technical exploits with psychological manipulation techniques.
This incident also highlights the need for improved international coordination in tracking state-sponsored groups. The technical overlap between Void Blizzard and known GRU units provides opportunities for collective defense through shared intelligence and coordinated response measures.
References
- “Russian Void Blizzard cyberspies linked to Dutch police breach,” BleepingComputer, 2025.
- “Russian Cyber Spies Unleash HatVibe and CherrySpy Malware,” Varutra, 2025.
- “Russian Hackers Use RDP Proxies,” DarkReading, July 2025.
- “TAG-110 Cyberespionage Campaign,” Recorded Future, 2025.
- “CISA Advisory on Russian Cyber Threats,” CISA, June 2025.