Russian Threat Actor Star Blizzard Exploits WhatsApp in Spear-Phishing Campaign

The Russian cyber threat group known as Star Blizzard has launched a spear-phishing campaign aimed at taking over victims' WhatsApp accounts, signaling a shift in tactics intended to evade detection by abusing WhatsApp's linked-device feature rather than a software vulnerability. This campaign marks a significant change in the group's approach, diverging from its traditional credential-harvesting methods.

Star Blizzard: A Decade-Long Threat

Star Blizzard, formerly known as SEABORGIUM, is a Russia-linked cyber threat group active since at least 2012. The group has operated under numerous aliases, including Blue Callisto, COLDRIVER, and Dancing Salome. Historically, their activities have focused on harvesting credentials from individuals involved in diplomacy, government, defense policy, and research on international relations, particularly concerning Russia and Ukraine.

Typical Methods of Attack

Previously, Star Blizzard relied on spear-phishing emails sent from Proton accounts. These emails often included malicious documents embedded with links redirecting victims to an adversary-in-the-middle (AiTM) platform, such as Evilginx, to steal credentials and bypass two-factor authentication (2FA).

The group has also used platforms like HubSpot and MailerLite to disguise email sender addresses, eliminating the need for their own domains and complicating attribution.

Recent Shifts in Strategy

Following public exposure and efforts by Microsoft and the U.S. Department of Justice to disrupt their operations, including the seizure of over 180 domains, Star Blizzard adjusted its tactics. The latest campaign exploits WhatsApp's QR code feature to compromise accounts and gain unauthorized access to sensitive information.

How the Campaign Works

The campaign starts with a deceptive spear-phishing email that appears to originate from a U.S. government official. This tactic adds a sense of legitimacy to the communication, increasing the chances of engagement.

  1. Initial Email: The email includes a broken QR code, allegedly linking to a WhatsApp group focused on supporting Ukraine’s NGOs. Recipients are urged to respond to resolve the issue.
  2. Follow-Up Message: Responding to the email triggers a second message containing a t[.]ly shortened link. This link redirects victims to a webpage asking them to scan a QR code.
  3. WhatsApp Account Linking: The QR code on the webpage is not a group invite; it is a device-linking code that joins the victim's WhatsApp account to the threat actor's device via WhatsApp Web or another linked device. This grants the attackers access to the victim's messages and the ability to export and exfiltrate them through browser extensions.

Targeted Sectors

Microsoft’s Threat Intelligence team identified that the campaign primarily targeted individuals in:

  • Government and diplomacy sectors, including current and former officials.
  • Defense policy and international relations researchers focusing on Russia.
  • Organizations and individuals assisting Ukraine during the war with Russia.

Implications of the Campaign

This campaign highlights Star Blizzard's adaptability and persistence in pursuing sensitive information. By shifting to WhatsApp, the group has found a way to circumvent traditional email security measures, showcasing a strategic evolution in their tactics, techniques, and procedures (TTPs).

Recommendations for Protection

Individuals in sectors targeted by Star Blizzard are advised to exercise extreme caution:

  • Be wary of emails from unknown sources, particularly those requesting interaction with QR codes or external links, and treat a "broken" QR code that asks you to reply as a lure rather than a technical problem.
  • Avoid scanning QR codes from unverified senders; a WhatsApp device-linking QR code should only ever be scanned for a device you control.
  • Regularly review linked devices on WhatsApp (Settings > Linked Devices) and log out any session you do not recognize so that unauthorized connections are removed.

Conclusion

The latest spear-phishing campaign by Star Blizzard underscores the evolving nature of cyber threats. By exploiting WhatsApp’s features, the group continues its efforts to access sensitive data, posing significant risks to government officials, researchers, and humanitarian organizations. Vigilance and robust cybersecurity practices remain essential to mitigate such threats.