Microsoft: GRU hackers have intensified cyber espionage against NATO and Ukraine


The Russian hacker group Void Blizzard, closely linked to the GRU, has upgraded its cyber espionage tactics and intensified attacks on NATO member states’ and Ukraine’s networks, according to a new Microsoft Threat Intelligence report. 

Microsoft states that the attackers “disproportionately target NATO states and Ukrainian partners,” collecting data to “support Russia’s strategic goals.” Their targets include military and defense structures, critical infrastructure, transport systems, medical institutions, and media outlets, reports Scworld.

Previously, Void Blizzard mainly relied on “low-tech” methods: buying stolen passwords from other criminals and then bulk-checking them across services to find valid ones. Now the group has moved to full-scale phishing campaigns. In April 2025, Microsoft analysts observed a shift to “targeted phishing” aimed at both external and internal accounts of organizations. Researchers note this evolution makes operations “broader and more dangerous.”

Microsoft experts emphasize that although the tactics, techniques, and procedures are not unique among advanced groups, Void Blizzard’s ongoing success shows how even relatively simple tools become highly effective when used persistently by operators seeking confidential information.

Yoni Shohet, CEO of Valence Security, explains that hackers often move “down the chain” from contractors and partners to their ultimate targets. He says:

“It’s like a supply chain: you might not be the primary target but can still become a victim. They shoot blindly until they hit the right target, then move further.”

[Image: Phishing email body]

He stresses that strong identity management is critical, but simply implementing multi-factor authentication “is not a panacea” as attackers increasingly steal access tokens and look for other vulnerabilities.

 

[Image: PDF attachment with malicious QR code]

Microsoft warns that Void Blizzard’s ramp-up creates an “elevated risk” for critical sectors in NATO countries and Ukraine’s allies. Combined with a new wave of phishing attacks, this advances GRU cyber espionage to a higher level, requiring potential victims to reconsider their standard security measures.
