
Dutch Authorities Identify New Russian Cyber Actor "Laundry Bear" That's Been Targeting NATO

Silviu STAHIE

May 28, 2025


Netherlands' intelligence agencies have disclosed the existence of a new Russian threat actor, which they named Laundry Bear, that has quietly breached Western government organizations using deceptively simple techniques.

The Netherlands General Intelligence and Security Service (AIVD) and the Military Intelligence and Security Service (MIVD) have revealed, in a jointly published report, the operations of a previously unknown Russian state-supported cyber actor.

The authorities have dubbed the group Laundry Bear. It has been conducting espionage campaigns since 2024 against NATO and EU government institutions, defense contractors, and many other organizations.

"Laundry Bear flies under the radar using living-off-the-land methods that evade detection," the report states. "Its attacks have a high success rate compared to other Russian threat actors."

Dutch police's breach sparked the discovery

Laundry Bear first came to the attention of authorities after a cyberattack on the Dutch police in September 2024. The attackers used a method known as a pass-the-cookie attack, which gave them access to employee accounts and let them exfiltrate the Global Address List (GAL), a directory containing the contact information of all Dutch police staff.

Investigators say that the access cookie was stolen by infostealer malware and later purchased by Laundry Bear on the dark net.
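A pass-the-cookie attack replays a valid session cookie from a machine the cookie was never issued to, so the telltale sign in a web application's access log is one session identifier suddenly appearing from a new source IP or user agent. The following detector is an added example written for this article, not code from the AIVD/MIVD report or the Dutch police; the log format, field names and sample records are constructed for illustration.

```python
"""Flag session cookies that are reused from a different client than the one
they were first seen on. Added example; log format and records are constructed."""
from datetime import datetime

# Constructed sample access log: timestamp, session id, user, source IP, user agent.
# Session a1f3 is first seen from an internal workstation and later replayed
# from an external address with a different browser, the pass-the-cookie pattern.
SAMPLE_LOG = """\
2024-09-10T08:02:11Z sess=a1f3 user=j.doe ip=10.20.0.15 ua=Edge/124
2024-09-10T08:05:40Z sess=a1f3 user=j.doe ip=10.20.0.15 ua=Edge/124
2024-09-10T21:47:03Z sess=a1f3 user=j.doe ip=198.51.100.77 ua=Firefox/109
2024-09-10T09:13:22Z sess=77c0 user=k.lee ip=10.20.0.31 ua=Chrome/125
2024-09-10T09:30:05Z sess=77c0 user=k.lee ip=10.20.0.31 ua=Chrome/125
"""


def parse_line(line):
    """Turn one 'ts key=value ...' record into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_cookie_reuse(log_text):
    """Return one alert per record whose IP or user agent differs from the
    client that first presented the same session id.

    A legitimate browser session normally stays bound to one host and one
    user agent for its lifetime; a stolen cookie replayed by an attacker shows
    up as the same session id with a new IP and usually a new user agent."""
    first_seen = {}   # session id -> record of the first sighting
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        sid = rec["sess"]
        if sid not in first_seen:
            first_seen[sid] = rec
            continue
        origin = first_seen[sid]
        changed = [k for k in ("ip", "ua") if rec[k] != origin[k]]
        if changed:
            alerts.append({
                "session": sid,
                "user": rec["user"],
                "changed": changed,
                "from": (origin["ip"], origin["ua"]),
                "to": (rec["ip"], rec["ua"]),
                "minutes_since_first": (rec["ts"] - origin["ts"]).total_seconds() / 60,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_cookie_reuse(SAMPLE_LOG):
        print(alert)
```

Binding a session to the client that created it (and invalidating it when the binding breaks) is the corresponding mitigation; the detector above only surfaces the mismatch so an analyst can confirm whether the new client is a VPN change or a replayed cookie.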

Espionage, not destruction

Unlike ransomware gangs, Laundry Bear's motives seem to be purely espionage-driven. The group goes after email accounts, cloud storage, and access privileges to extract sensitive data. Some of the targeted areas include:

  • Defense ministries and arms contractors
  • Aerospace and military tech companies
  • Foreign affairs offices and EU bodies
  • IT providers with access to government systems
  • NGOs, media, and various academic institutions

"The actor has a surprising level of understanding of Western military production and procurement," analysts wrote. "It seeks technologies Russia struggles to acquire due to sanctions."

How Laundry Bear conducts espionage

Laundry Bear uses a mix of stealthy tactics to infiltrate systems and extract valuable information:

  • Credential theft: Access to victims' systems is sometimes gained by purchasing stolen session cookies or login credentials on the dark net.
  • Password spraying: Instead of brute-forcing one account, Laundry Bear tries common passwords, such as Welcome123 or Qwerty!, across many accounts at slow intervals to avoid detection.
  • Email scraping via Exchange Web Services (EWS): Once inside, the threat actor uses Microsoft Exchange APIs and Outlook Web Access (OWA) to automatically download emails and address books.
  • Delegated account targeting: The group pays special attention to accounts with elevated access or delegated privileges.
  • SharePoint exploitation: In some situations, the group has exploited known vulnerabilities in SharePoint environments to collect login credentials.
  • Living-off-the-land (LOTL) techniques: Instead of using custom malware, the attackers rely on built-in Windows tools and legitimate user processes.
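The password-spraying tactic described above is designed to stay under per-account lockout thresholds: each account sees only one or two failures, spaced out over hours, so a rule that counts failures per account never fires. What does stand out is the number of distinct accounts a single source fails against within a window. The classifier below is an added example, not code from the AIVD/MIVD report; its log format, thresholds and sample events are constructed for illustration, and it also separates a low-and-slow spray from a conventional brute force against one account.

```python
"""Classify sources of failed sign-ins as password spraying, brute force, or
benign, using a sliding time window. Added example; events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed sign-in events: ISO timestamp, account, source IP.
# 203.0.113.9 sprays one guess per account roughly every 30 minutes, never
# exceeding two failures for any account (below a 5-failure lockout policy).
# 198.51.100.4 hammers a single service account (classic brute force).
# 10.0.0.12 is a user mistyping a password twice (benign).
FAILED_LOGINS = """\
2025-03-01T02:00:00Z a.smith 203.0.113.9
2025-03-01T02:31:00Z b.jones 203.0.113.9
2025-03-01T03:02:00Z c.brown 203.0.113.9
2025-03-01T03:33:00Z d.white 203.0.113.9
2025-03-01T04:05:00Z e.green 203.0.113.9
2025-03-01T04:36:00Z f.black 203.0.113.9
2025-03-01T05:07:00Z g.stone 203.0.113.9
2025-03-01T05:38:00Z h.reed 203.0.113.9
2025-03-01T06:09:00Z a.smith 203.0.113.9
2025-03-01T06:40:00Z b.jones 203.0.113.9
2025-03-01T09:00:00Z svc-backup 198.51.100.4
2025-03-01T09:00:01Z svc-backup 198.51.100.4
2025-03-01T09:00:02Z svc-backup 198.51.100.4
2025-03-01T09:00:03Z svc-backup 198.51.100.4
2025-03-01T09:00:04Z svc-backup 198.51.100.4
2025-03-01T09:00:05Z svc-backup 198.51.100.4
2025-03-01T10:15:00Z a.smith 10.0.0.12
2025-03-01T10:15:30Z a.smith 10.0.0.12
"""


def parse_events(log_text):
    """Group (timestamp, account) pairs by source IP, sorted by time."""
    by_source = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, ip = line.split()
        by_source[ip].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account))
    for events in by_source.values():
        events.sort()
    return by_source


def classify_sources(log_text, window=timedelta(hours=24),
                     min_accounts=5, lockout_threshold=5):
    """For each source IP, slide a time window over its failures and report:
      password_spray : >= min_accounts distinct accounts in the window while
                       no single account exceeds the lockout threshold
      brute_force    : one account failed more than lockout_threshold times
      None           : neither pattern seen
    'accounts' and 'max_per_account' are the peak values observed in any window."""
    findings = {}
    for ip, events in parse_events(log_text).items():
        counts = defaultdict(int)   # failures per account inside the window
        start = 0
        result = {"kind": None, "accounts": 0, "max_per_account": 0}
        for ts, account in events:
            counts[account] += 1
            # Drop events that fell out of the trailing window.
            while ts - events[start][0] > window:
                old = events[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            distinct, max_per = len(counts), max(counts.values())
            result["accounts"] = max(result["accounts"], distinct)
            result["max_per_account"] = max(result["max_per_account"], max_per)
            if distinct >= min_accounts and max_per <= lockout_threshold:
                result["kind"] = "password_spray"
            elif max_per > lockout_threshold and result["kind"] is None:
                result["kind"] = "brute_force"
        findings[ip] = result
    return findings


if __name__ == "__main__":
    for ip, verdict in classify_sources(FAILED_LOGINS).items():
        print(ip, verdict)
```

The window length and account threshold are the knobs to tune: a 24-hour window catches the half-hourly cadence used in the sample, while a rule keyed only on per-account failures would score the spraying source as eight unrelated typos.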

Tactics mimic APT28, but it's a distinct group

Laundry Bear's methods, such as password spraying, web session cookie theft, and remote email scraping, overlap with those used by APT28, another Russian GRU-affiliated group also known as Fancy Bear. However, the Dutch services believe that Laundry Bear is a separate entity.
