The Russian state-sponsored hacking group Star Blizzard is conducting a new spear-phishing campaign. Its goal is to compromise the WhatsApp accounts of targets in government, diplomacy, defence policy and international relations, and of organizations that provide aid to Ukraine.
BleepingComputer reports this. According to a report by Microsoft Threat Intelligence, the campaign was observed in mid-November 2024. It marks a tactical shift for Star Blizzard, made in response to the recent public exposure of this threat actor's tactics, techniques and procedures.
Malicious WhatsApp invitation
Star Blizzard launched the attack by impersonating a U.S. government official in emails to the target. The email contained an invitation to join a WhatsApp group related to non-governmental initiatives in support of Ukraine.
If the victim responds to the QR code, Star Blizzard sends a second email containing a "t.ly" short link. This link leads to a fake web page that resembles a legitimate WhatsApp invitation page and displays a new QR code.
Scanning the second QR code links a new device, the attacker's, to the victim's WhatsApp account. If the target follows the instructions on this page, the threat actor can read the messages in their WhatsApp account and export this data via existing browser plug-ins, Microsoft explains.
Unexpected communication
Because the attack relies entirely on social engineering and does not use malware that antivirus programs can detect, users are advised to be wary of unexpected communications and extra cautious of invitations to join groups.
It is also wise to check which devices are linked to a WhatsApp account. This can be done through the Linked Devices option in the app on a mobile device (iPhone or Android). The advice is to log out any device that is not recognized.
Ongoing threat despite previous disruptions
This phishing campaign shows that the disruption of Star Blizzard’s operations in October 2024, when Microsoft and the U.S. Department of Justice seized or disabled more than 180 domains used by the Russian threat group, had no long-lasting impact. The hackers have continued their activities by exploring other attack vectors.