Star Blizzard Targets WhatsApp in New Campaign
Russian nation-state group Star Blizzard has been targeting WhatsApp accounts, with the group shifting its focus following a law enforcement takedown of its infrastructure.
Microsoft Threat Intelligence observed Star Blizzard undertake a social engineering campaign in mid-November 2024.
This new campaign aimed to compromise the WhatsApp accounts of individuals working in government and other policy-related positions, particularly those related to international relations and Russia.
This is the first time a shift has been identified in the cyber espionage group’s longstanding tactics, techniques and procedures (TTPs).
Microsoft said the shift to targeting WhatsApp was likely in response to the takedown of over 100 websites used by Star Blizzard by Microsoft in coordination with the US government in October 2024. The group’s TTPs have also been subject to significant exposure by security researchers.
“While this campaign was limited and appears to have terminated at the end of November, it nevertheless marks a break in long-standing Star Blizzard TTPs and highlights the threat actor’s tenacity in continuing spear-phishing campaigns to gain access to sensitive information even in the face of repeated degradations of its operations,” Microsoft noted.
Star Blizzard, AKA Coldriver, is linked to Russia’s intelligence service, the FSB. It has previously been known to focus on credential phishing campaigns targeting high-profile NGOs, former intelligence and military officers and NATO governments for espionage purposes.
In December 2023, the UK’s National Cyber Security Centre (NCSC) said the group was behind a sustained cyber campaign aimed at interfering in UK politics and democratic processes.
Phishing Campaign Targets WhatsApp Data
The WhatsApp campaign began in a similar way to traditional Star Blizzard attacks, with the threat actor initiating email contact with their targets through spear phishing.
The sender address used by Star Blizzard impersonated a US government official, continuing the group’s practice of impersonating known political/diplomatic figures.
The initial email sent in this campaign contained a QR code, purporting to direct users to join a WhatsApp group on “the latest non-governmental initiatives aimed at supporting Ukraine NGOs.”
The QR code was intentionally broken so that the target would reply by email to ask for a working link.
When the recipient responded, Star Blizzard sent a second email containing a t[.]ly shortened link, wrapped in a Microsoft Safe Links redirect, as the alternative way to join the WhatsApp group.
If the target clicked the link, they were redirected to a webpage asking them to scan a second QR code to join the group. That QR code, however, was the one WhatsApp generates to connect an account to a linked device or to the WhatsApp Web portal: scanning it with the victim's phone authorises the attacker's browser session as a linked device.
If the target followed through, Star Blizzard could read the messages in the WhatsApp account and exfiltrate them using existing browser plugins designed for exporting WhatsApp messages from an account accessed via WhatsApp Web. The linked session persists until it is removed, so users who suspect they have scanned such a code should review Settings > Linked devices in WhatsApp and log out any session they do not recognise.
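The first lure in this chain is a QR code in an image, which URL filters never see; the second email, with its shortener link behind a Safe Links wrapper, is where mail-side detection has something to work with. The following Python is an added example, not code from Microsoft or from the article, showing how to unwrap a Safe Links redirect (format `https://<region>.safelinks.protection.outlook.com/?url=<encoded>&...`) to recover the real destination and flag URL shorteners. The shortener list and the sample email, including its placeholder paths, are constructed for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Illustrative shortener list (assumption, not from the article): extend to taste.
SHORTENER_DOMAINS = {"t.ly", "bit.ly", "tinyurl.com", "is.gd", "cutt.ly", "rb.gy"}

SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def unwrap_safelink(url: str) -> str:
    """Return the original destination of a Microsoft Defender Safe Links
    wrapper (https://<region>.safelinks.protection.outlook.com/?url=<encoded>&...).
    Non-wrapped URLs are returned unchanged."""
    parsed = urlparse(url)
    if parsed.netloc.lower().endswith(SAFELINKS_SUFFIX):
        target = parse_qs(parsed.query).get("url")  # parse_qs percent-decodes the value
        if target:
            return target[0]
    return url


def registrable_host(url: str) -> str:
    """Lower-cased host with userinfo, port and a leading 'www.' removed."""
    host = urlparse(url).netloc.lower().split("@")[-1].split(":")[0]
    return host[4:] if host.startswith("www.") else host


def classify_links(email_body: str) -> list[dict]:
    """Extract every URL, unwrap Safe Links, and flag URL-shortener destinations."""
    findings = []
    for raw in URL_RE.findall(email_body):
        raw = raw.rstrip(".,;:)")  # drop trailing sentence punctuation
        target = unwrap_safelink(raw)
        host = registrable_host(target)
        findings.append({
            "raw": raw,
            "target": target,
            "host": host,
            "safelinks_wrapped": target != raw,
            "shortener": host in SHORTENER_DOMAINS,
        })
    return findings


def suspicious_links(email_body: str) -> list[str]:
    """Destinations worth a second look: shortener links, including ones hidden
    behind a Safe Links wrapper, which is the pattern the article describes."""
    return [f["target"] for f in classify_links(email_body) if f["shortener"]]


# Constructed sample message (not a real Star Blizzard email); paths are placeholders.
SAMPLE_EMAIL = """\
Thanks for getting back to me. The QR code in my last mail was broken, so here is
a direct link to join the WhatsApp group:
https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Ft.ly%2Fexample-path&data=05%7C02%7C&sdata=placeholder&reserved=0
The agenda is at https://example.org/agenda.pdf.
"""

if __name__ == "__main__":
    for f in classify_links(SAMPLE_EMAIL):
        flag = "SHORTENER" if f["shortener"] else "ok"
        wrapped = " (Safe Links-wrapped)" if f["safelinks_wrapped"] else ""
        print(f"{flag:9} {f['target']}{wrapped}")
```

Unwrapping before matching matters because a naive filter that only looks at the visible hostname sees `safelinks.protection.outlook.com` and moves on; the shortener, and whatever it redirects to, only shows up once the `url` parameter is decoded. A production version would also resolve the shortener (with a HEAD request from a sandboxed host) and check the final landing page for a WhatsApp Web linking QR.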
Microsoft said the new campaign demonstrates that Star Blizzard is highly resilient and adaptable, swiftly transitioning to new domains to continue its operations. It expects the group to continue adapting its TTPs to evade detection.
The tech giant urged all email users belonging to sectors that Star Blizzard typically targets to remain vigilant, especially messages containing links to external resources.