Saturday, February 8, 2025

Russian Threat Actor “Star Blizzard” Exploits WhatsApp Accounts Using QR Codes


Microsoft Threat Intelligence has identified a concerning strategic shift by the notorious Russian threat actor group “Star Blizzard.” Known for its spear-phishing campaigns targeting government, diplomatic, and civil society sectors, the group has now expanded its tactics to compromise WhatsApp accounts.

In mid-November 2024, Microsoft observed Star Blizzard employing a novel method in their phishing campaigns.

The group, which historically targeted email communications, began leveraging WhatsApp as an attack vector.

Using spear-phishing emails, they lured victims by falsely offering access to a WhatsApp group claiming to share updates on “non-governmental initiatives supporting Ukraine NGOs.”


Exploiting Familiar Tactics to Target WhatsApp

The phishing campaign involved a two-step email scheme. The first email, which purported to be from a U.S. government official, contained a quick response (QR) code that claimed to direct recipients to a WhatsApp group offering updates on “non-governmental initiatives aimed at supporting Ukraine NGOs.”

However, the QR code was intentionally broken, designed to prompt recipients to reply to the email. Upon receiving a reply, Star Blizzard followed up with a second email containing a shortened malicious link wrapped in a seemingly secure “Safe Links” format.

Clicking on the link redirected victims to a phishing webpage that asked them to scan another QR code.

Instead of joining the intended group, this step enabled the attackers to link the victims’ WhatsApp accounts to the hackers’ devices via WhatsApp Web.

This gave Star Blizzard unauthorized access to victims’ messages, allowing them to exfiltrate sensitive data using browser plugins.
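The second-stage lure above hides a shortened link inside a Safe Links wrapper, so a reviewer hovering over it sees only the trusted-looking outer URL. The following Python helper, added here as an example and not code from the article or from Microsoft, unwraps Safe Links-style URLs to expose the real destination, flags destinations on a URL-shortener watch list, and flags hosts that imitate the wrapper without actually being one. The wrapper format (`https://<region>.safelinks.protection.outlook.com/?url=<encoded>&...`) is Microsoft's; the shortener list, the lookalike host and all sample URLs are constructed for illustration.

```python
"""Unwrap Safe Links-style URLs and flag suspicious destinations.

Added example for the two-step lure described in the article; not code
from the article or from Microsoft. The Safe Links wrapper format is
Microsoft's real one; the shortener watch list and sample URLs are
constructed for illustration.
"""
from urllib.parse import parse_qs, urlparse

# Real suffix used by Microsoft Defender for Office 365 Safe Links wrappers.
SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"

# Constructed watch list of common URL-shortener hosts; extend per environment.
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "is.gd", "cutt.ly", "rb.gy"}

MAX_NESTING = 5  # guard against wrappers nested inside wrappers


def unwrap_safelinks(url: str) -> str:
    """Return the destination hidden behind a Safe Links wrapper.

    A non-Safe Links URL is returned unchanged. Nested wrappers are peeled
    repeatedly, up to MAX_NESTING levels. parse_qs already percent-decodes
    the ``url`` parameter, so no second decoding pass is applied.
    """
    for _ in range(MAX_NESTING):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if not host.endswith(SAFELINKS_SUFFIX):
            return url
        target = parse_qs(parsed.query).get("url")
        if not target:
            return url
        url = target[0]
    return url


def analyze_url(url: str) -> dict:
    """Classify a link the way a mail-review analyst would want to see it."""
    final = unwrap_safelinks(url)
    host = (urlparse(final).hostname or "").lower()
    wrapped = final != url
    # A host that merely *mentions* safelinks but is not under the real
    # suffix is imitating the wrapper, which is itself a signal.
    lookalike = "safelinks" in host and not host.endswith(SAFELINKS_SUFFIX)
    return {
        "wrapped": wrapped,
        "destination": final,
        "host": host,
        "shortener": host in SHORTENER_HOSTS,
        "lookalike_wrapper": lookalike,
        # The pattern from the campaign: a trusted-looking wrapper whose
        # real target is a shortener that hides the final page.
        "suspicious": (wrapped and host in SHORTENER_HOSTS) or lookalike,
    }


# Constructed sample links (not from the article or any real message).
SAMPLE_URLS = [
    # real-format wrapper around a shortened link
    "https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbit.ly%2Fexample-path"
    "&data=05%7C02%7C&sdata=AAAA&reserved=0",
    # real-format wrapper around an ordinary destination
    "https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fexample.com%2Fupdates"
    "&data=05%7C02%7C&reserved=0",
    # lookalike host imitating the wrapper
    "https://safelinks-protection-outlook.example.net/?url=https%3A%2F%2Fexample.org",
    # plain link, nothing to unwrap
    "https://example.com/plain",
]


if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        result = analyze_url(sample)
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{verdict:10} {result['host']:40} <- {result['destination']}")
```

Run it over the URLs extracted from a suspicious message (or feed it a mail gateway's URL log) and triage the entries marked `suspicious`; the unwrapped `destination` is what should be checked against threat intelligence, not the outer wrapper.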

Malicious Phishing in Action

Microsoft shared screenshots detailing the attack. The phishing webpage appeared convincing, instructing victims to scan the redacted QR code to “link a device.”

However, this process allowed threat actors to exploit WhatsApp’s device-linking feature for their benefit. By abusing this legitimate capability, they gained access to private communications.

While this campaign was limited and reportedly concluded by the end of November 2024, analysts note it signals an evolution in Star Blizzard’s tactics and their persistence in targeting high-value individuals, even amid disruptions to their operations.

According to the Microsoft report, while the WhatsApp-focused campaign was reportedly limited and ceased by the end of November 2024, it demonstrates the group’s adaptability and commitment to exploiting emerging vulnerabilities.

Star Blizzard primarily targets individuals and organizations related to:

  • Government and diplomacy (current and former officials)
  • Defense policy and international relations, particularly regarding Russia
  • Organizations providing assistance to Ukraine amid the ongoing conflict

The group also previously targeted journalists, think tanks, and NGOs, aiming to exfiltrate sensitive information and disrupt critical activities.

Microsoft underscores the importance of vigilance and proactive defense strategies to counter such sophisticated threats. Key recommendations include:

  1. Implementing Microsoft Defender for Endpoint to block phishing attempts, including QR code-based attacks.
  2. Enabling network protection and tamper-proof settings in security solutions.
  3. Using endpoint detection and response solutions in block mode for automatic threat mitigation.
  4. Adopting cloud-delivered protection and real-time antivirus updates to counter rapidly evolving tactics.
  5. Utilizing QR code training simulations to educate employees about phishing methods.
  6. Verifying email authenticity by independently contacting senders using known email addresses.

Microsoft also advises using tools like Safe Links and Safe Attachments in Office 365 and leveraging browser defenses such as Microsoft Edge’s SmartScreen to block malicious sites.

Star Blizzard’s recent campaign highlights the evolving landscape of cyberthreats, emphasizing the need for continuous monitoring and awareness. Microsoft has pledged to notify targeted customers directly and share detailed threat intelligence to strengthen defenses against sophisticated adversaries like Star Blizzard.

As cyberwarfare tactics evolve, organizations across the globe must remain vigilant, adopt robust cybersecurity measures, and foster collaboration to mitigate these persistent threats effectively.


Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
