Friday, January 17, 2025
Latest:
The Register

Russia’s Star Blizzard phishing crew caught targeting WhatsApp accounts

TH Author

Star Blizzard, a prolific phishing crew backed by the Russian Federal Security Service (FSB), conducted a new campaign aiming to compromise WhatsApp accounts and gain access to their messages and data, according to Microsoft.

The group’s credential phishing expeditions typically go after government, diplomatic, and defense policy targets — specifically with an eye on officials and researchers whose work involves Russian policy and assistance to Ukraine. This one, we’re told, was unique in that it attempted to compromise WhatsApp accounts via emails inviting victims to join a fake WhatsApp group.

“This is the first time we have identified a shift in Star Blizzard’s longstanding tactics, techniques, and procedures (TTPs) to leverage a new access vector,” Redmond disclosed in new threat intelligence on Thursday.

Star Blizzard is also tracked as Callisto Group and Coldriver. This particular campaign, similar to earlier efforts, begins with an email impersonating a US government official. What’s new is that it includes a QR code inviting recipients to join a WhatsApp group on “the latest non-governmental initiatives aimed at supporting Ukraine NGOs.” 

According to Microsoft, the QR code provided is deliberately invalid in the hopes that the recipients will respond directly to the email, at which point Star Blizzard has the victim on its hook.

When the target responds, the FSB hackers send out a second email with a Safe Link wrapped t[.]ly shortened link that purports to be an alternative link to join the group. This new link, when clicked, redirects victims to a website that asks them to scan a QR code to join the WhatsApp group.

“However, this QR code is actually used by WhatsApp to connect an account to a linked device and/or the WhatsApp Web portal,” Redmond warned. “This means that if the target follows the instructions on this page, the threat actor can gain access to the messages in their WhatsApp account and have the capability to exfiltrate this data using existing browser plugins, which are designed for exporting WhatsApp messages from an account accessed via WhatsApp Web.”

The Microsoft Threat Intelligence team observed the activity in mid-November and noted that the campaign seemed to wind down by the end of the month. This illustrates Star Blizzard’s “tenacity” in its phishing espionage efforts to steal sensitive information from high-value targets, Redmond said.

The shift to WhatsApp accounts is likely due to efforts by Microsoft and other organizations, including national cybersecurity agencies, to expose the FSB’s typical tactics, techniques, and procedures (TTPs), prompting Star Blizzard to adapt by shifting to a new method of accessing targets.

In October, the US Justice Department and Microsoft disclosed that they had obtained court orders to seize websites used by Star Blizzard in phishing campaigns targeting US government agencies, think tanks, and other victims.

Since October 3, the DOJ and Redmond have seized or taken down more than 180 websites related to that activity, we’re told. 

“While this coordinated action had a short-term impact on Star Blizzard’s phishing operations, we noted at the time that after this threat actor’s active infrastructure was exposed, it swiftly transitioned to new domains to continue its operations, indicating that the threat actor is highly resilient to operational disruptions,” Microsoft said today. ®

READ MORE HERE