The FBI affidavit unsealed Tuesday names Denis Nikolayevich Obrezko, a Russian national, as one node in Void Blizzard’s attack infrastructure. I read it this week: the charge is conspiracy to commit unauthorized computer access.
The complaint describes a deliberately low-tech operation. Obrezko purchased a virtual private server and domain names used by the group to compromise at least 11 U.S. companies, per the FBI affidavit. Investigators believe that figure is a fraction of the actual nationwide victim count. Void Blizzard, named in May 2025 as a state-sponsored Russian actor by Microsoft, targets government, defense, transportation, and critical infrastructure across NATO member states through bulk email and file harvesting from cloud environments. The group also accessed Microsoft Teams conversations and cataloged Entra ID configurations to map organizational structures.
The Dutch services got there first. A joint AIVD/MIVD advisory published May 27, 2025 confirmed the group infiltrated the Netherlands’ national police in September 2024, stealing work-related contact information on police staff. By April 2025, Void Blizzard had shifted toward spear-phishing, targeting more than 20 NGOs in Europe and the U.S. via typosquatted Microsoft authentication domains: miscrsosoft[.]com and micsrosoftonline[.]com among them.
The affidavit doesn’t document technical sophistication, because there isn’t much. The group buys stolen session tokens to bypass multi-factor authentication, then routes traffic through commercial proxies matched to a target’s geographic region to evade firewall restrictions. No custom tooling required. That combination at scale is what pushed this into the DOJ National Security Division’s hands: Washington is treating this as state-directed collection, not opportunistic fraud.
Obrezko appeared in Boston federal court Tuesday and was taken into custody. The case is at the complaint stage. Worth auditing your Entra ID sign-in logs before the next hearing date.
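As an added illustration of that audit (example code written for this post, not from the affidavit or Microsoft), the constructed Python check below reads newline-delimited sign-in records and flags the two patterns a purchased session token tends to leave: a session whose token is used from a different network than the interactive sign-in that created it, even when the country still matches, and a session that has no interactive sign-in at all. Field names follow the Microsoft Graph signIn schema as an assumption; all IPs, ASNs and users are constructed.

```python
import json
from collections import defaultdict

# Constructed sample records (not real logs). Field names approximate the
# Microsoft Graph signIn schema; IPs/ASNs are documentation ranges and private ASNs.
SAMPLE_SIGNINS = """\
{"createdDateTime":"2025-05-01T08:02:11Z","userPrincipalName":"alice@example.test","sessionId":"s-1","ipAddress":"198.51.100.10","autonomousSystemNumber":64500,"isInteractive":true,"location":{"countryOrRegion":"US"}}
{"createdDateTime":"2025-05-01T08:40:03Z","userPrincipalName":"alice@example.test","sessionId":"s-1","ipAddress":"198.51.100.10","autonomousSystemNumber":64500,"isInteractive":false,"location":{"countryOrRegion":"US"}}
{"createdDateTime":"2025-05-01T09:15:47Z","userPrincipalName":"alice@example.test","sessionId":"s-1","ipAddress":"203.0.113.77","autonomousSystemNumber":64510,"isInteractive":false,"location":{"countryOrRegion":"US"}}
{"createdDateTime":"2025-05-01T10:01:00Z","userPrincipalName":"bob@example.test","sessionId":"s-2","ipAddress":"203.0.113.90","autonomousSystemNumber":64510,"isInteractive":false,"location":{"countryOrRegion":"US"}}
{"createdDateTime":"2025-05-01T10:05:00Z","userPrincipalName":"carol@example.test","sessionId":"s-3","ipAddress":"192.0.2.5","autonomousSystemNumber":64500,"isInteractive":true,"location":{"countryOrRegion":"US"}}
"""


def find_session_anomalies(lines):
    """Group sign-ins by (user, sessionId) and flag token-replay indicators.

    A geo-matched proxy defeats country-based impossible-travel checks, so the
    comparison here is on the autonomous system, not the location.
    """
    sessions = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = json.loads(line)
            sessions[(rec["userPrincipalName"], rec["sessionId"])].append(rec)

    findings = []
    for (user, sid), events in sessions.items():
        events.sort(key=lambda r: r["createdDateTime"])
        # The interactive sign-in is where the session was legitimately established.
        origin = next((r for r in events if r["isInteractive"]), None)
        if origin is None:
            # Token activity with no interactive origin: session created elsewhere.
            findings.append({"user": user, "sessionId": sid,
                             "reason": "no_interactive_origin",
                             "ipAddress": events[0]["ipAddress"]})
            continue
        for r in events:
            if r["autonomousSystemNumber"] != origin["autonomousSystemNumber"]:
                # Same session, different network: record whether the country
                # still matched, which is exactly what a regional proxy buys.
                findings.append({"user": user, "sessionId": sid,
                                 "reason": "asn_changed_mid_session",
                                 "ipAddress": r["ipAddress"],
                                 "sameCountry": r["location"]["countryOrRegion"]
                                 == origin["location"]["countryOrRegion"]})
    return findings


if __name__ == "__main__":
    for f in find_session_anomalies(SAMPLE_SIGNINS.splitlines()):
        print(f)
```

On the constructed input this yields two findings: alice's session reused from a second ASN with the country unchanged, and bob's session that never had an interactive sign-in.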
Rebecca Lauren