Article Details
Scrape Timestamp (UTC): 2025-01-19 15:28:22.505
Original Article Text
Click to Toggle View
Star Blizzard hackers abuse WhatsApp to target high-value diplomats. Russian nation-state actor Star Blizzard has been running a new spear-phishing campaign to compromise WhatsApp accounts of targets in government, diplomacy, defense policy, international relations, and Ukraine aid organizations. According to a Microsoft Threat Intelligence report, the campaign was observed in mid-November 2024 and represents a tactical shift for Star Blizzard as a response to the recent exposure of the threat actor's tactics, techniques, and procedures. Malicious WhatsApp invitation Star Blizzard starts the attack by impersonating a U.S. government official in email messages to the target. The lure is an invitation to join a WhatsApp group related to non-governmental initiatives supporting Ukraine. The email contains a purposefully broken QR code, in an attempt to force a reply from the recipient requesting an alternative link. If the victim responds, Star Blizzard sends another email with a ‘t.ly’ short link, which directs them to a fake webpage that mimics a legitimate WhatsApp invitation page with a new QR code. However, the new QR code is to link a new device, the attacker's, to the victim's WhatsApp account. “If the target follows the instructions on this page, the threat actor can gain access to the messages in their WhatsApp account and have the capability to exfiltrate this data using existing browser plugins, which are designed for exporting WhatsApp messages from an account accessed via WhatsApp Web,” explains Microsoft. As the attack relies solely on social engineering and there’s no malware involved for antivirus tools to detect, users should be wary of unsolicited communications and exercise extra caution when receiving invitations to join groups. It is also a good idea to check the devices linked to your WhatsApp account. This is possible from the "Linked devices" options in the application on the mobile device (iPhone or Android) and log out any device you don't recognize. This phishing campaign shows that Star Blizzard's activity disruption in October 2024, when Microsoft and the U.S. Department of Justice seized or took down more than 180 domains used by the Russian threat group, did not have a long-term impact and the hackers continued their operations by exploring other attack vectors.
Daily Brief Summary
Russian nation-state hackers, identified as Star Blizzard, are impersonating U.S. officials in a spear-phishing campaign targeting diplomats.
The hackers use a fraudulent WhatsApp group invitation to breach the accounts of officials in government, defense, and aid organizations.
The phishing emails contain a defective QR code intended to provoke a response and subsequently, send a malicious link disguised as a legitimate WhatsApp invite.
Responding and scanning the QR code from the link allows hackers to link their device to the victim's WhatsApp, gaining access to messages and data.
Microsoft highlights the campaign's reliance on social engineering, which skirts typical antivirus detections.
This activity follows a disruption in October 2024, when Microsoft and the U.S. DOJ temporarily hampered Star Blizzard's operations.
Users are advised to verify suspicious communications and regularly check for unknown devices linked to their WhatsApp accounts.