Microsoft Threat Intelligence has identified a concerning strategic shift by the notorious Russian threat actor group “Star Blizzard.” Known for its spear-phishing campaigns targeting government, diplomatic, and civil society sectors, the group has now expanded its tactics to compromise WhatsApp accounts.
In mid-November 2024, Microsoft observed Star Blizzard employing a novel method in their phishing campaigns.
The group, which historically targeted email communications, began leveraging WhatsApp as an attack vector.
Using spear-phishing emails, they lured victims by falsely offering access to a WhatsApp group claiming to share updates on “non-governmental initiatives supporting Ukraine NGOs.”
Exploiting Familiar Tactics to Target WhatsApp
The phishing campaign involved a two-step email scheme. The first email, which purported to be from a U.S. government official, contained a quick response (QR) code that claimed to direct recipients to a WhatsApp group offering updates on “non-governmental initiatives aimed at supporting Ukraine NGOs.”
However, the QR code was intentionally broken, designed to prompt recipients to reply to the email. Upon receiving a reply, Star Blizzard followed up with a second email containing a shortened malicious link wrapped in a seemingly secure “Safe Links” format.
Clicking on the link redirected victims to a phishing webpage that asked them to scan another QR code.
Rather than adding the victim to any group, scanning this second code linked the victim’s WhatsApp account to the attackers’ device via WhatsApp Web.
This gave Star Blizzard unauthorized access to victims’ messages, allowing them to exfiltrate sensitive data using browser plugins.
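The second-stage email described above relied on a shortened link that arrived wrapped in a Safe Links rewrite, so the visible URL looked like a trusted Microsoft domain. The following Python snippet is an added triage example written for this article, not Microsoft's or the article author's code: it extracts URLs from a message body, unwraps the Safe Links rewrite (which carries the original destination in the `url` query parameter) and flags destinations on well-known public URL shorteners so that the real target can be checked before anyone scans a QR code from it. The sample email body and the shortener list are constructed for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs

# Safe Links rewrites point at a regional host under this suffix and keep the
# original destination percent-encoded in the "url" query parameter.
SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"

# Illustrative (not exhaustive) list of public URL shorteners a triage
# analyst would want to expand before trusting a link.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "cutt.ly"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def unwrap_safelinks(url: str) -> str:
    """Return the destination behind a Safe Links rewrite, or the URL unchanged."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host.endswith(SAFELINKS_SUFFIX):
        inner = parse_qs(parsed.query).get("url")  # parse_qs percent-decodes the value
        if inner:
            return inner[0]
    return url


def is_shortened(url: str) -> bool:
    """True when the URL's host is a known public shortener (with or without www.)."""
    host = (urlparse(url).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return host in SHORTENER_DOMAINS


def triage_links(body: str) -> list:
    """Extract every URL from an email body and annotate it for review."""
    findings = []
    for raw in URL_RE.findall(body):
        final = unwrap_safelinks(raw)
        findings.append({
            "raw": raw,
            "final": final,
            "safelinks_wrapped": final != raw,
            "shortened": is_shortened(final),
        })
    return findings


# Constructed sample mimicking the second-stage email: a shortener link hidden
# inside a Safe Links wrapper (hostname, path and parameters are made up).
SAMPLE_EMAIL = (
    "Thanks for getting back to me. Please use this link to join the group:\n"
    "https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbit.ly%2Fexample-group"
    "&data=05%7C02%7C&sdata=abc&reserved=0\n"
    "Regards"
)

if __name__ == "__main__":
    for finding in triage_links(SAMPLE_EMAIL):
        print(finding)
```

Because Safe Links only rewrites the link and scans it at click time, the wrapper by itself says nothing about the destination's safety; the unwrapped `final` value is what should be fed to reputation checks or expanded further when it is a shortener.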
Malicious Phishing in Action
Microsoft shared screenshots detailing the attack. The phishing webpage appeared convincing, instructing victims to scan the redacted QR code to “link a device.”
However, this process allowed threat actors to exploit WhatsApp’s device-linking feature for their benefit. By abusing this legitimate capability, they gained access to private communications.
While this campaign was limited and reportedly concluded by the end of November 2024, analysts note it signals an evolution in Star Blizzard’s tactics and their persistence in targeting high-value individuals, even amid disruptions to their operations.
According to the Microsoft report, while the WhatsApp-focused campaign was reportedly limited and ceased by the end of November 2024, it demonstrates the group’s adaptability and commitment to exploiting emerging vulnerabilities.
Star Blizzard primarily targets individuals and organizations related to:
- Government and diplomacy (current and former officials)
- Defense policy and international relations, particularly regarding Russia
- Organizations providing assistance to Ukraine amid the ongoing conflict
The group also previously targeted journalists, think tanks, and NGOs, aiming to exfiltrate sensitive information and disrupt critical activities.
Microsoft underscores the importance of vigilance and proactive defense strategies to counter such sophisticated threats. Key recommendations include:
- Implementing Microsoft Defender for Endpoint to block phishing attempts, including QR code-based attacks.
- Enabling network protection and tamper-proof settings in security solutions.
- Using endpoint detection and response solutions in block mode for automatic threat mitigation.
- Adopting cloud-delivered protection and real-time antivirus updates to counter rapidly evolving tactics.
- Utilizing QR code training simulations to educate employees about phishing methods.
- Verifying email authenticity by independently contacting senders using known email addresses.
Microsoft also advises using tools like Safe Links and Safe Attachments in Office 365 and leveraging browser defenses such as Microsoft Edge’s SmartScreen to block malicious sites.
Star Blizzard’s recent campaign highlights the evolving landscape of cyberthreats, emphasizing the need for continuous monitoring and awareness. Microsoft has pledged to notify targeted customers directly and share detailed threat intelligence to strengthen defenses against sophisticated adversaries like Star Blizzard.
As cyberwarfare tactics evolve, organizations across the globe must remain vigilant, adopt robust cybersecurity measures, and foster collaboration to mitigate these persistent threats effectively.