TechRadar
Sead Fadilpašić

Russian criminal gang Star Blizzard found hitting WhatsApp accounts

A smartphone on a sofa showing the WhatsApp, Telegram and Signal apps.

  • Microsoft observed Star Blizzard engaging in a spear-phishing attack
  • The group is going after WhatsApp accounts of diplomats and government workers engaged in the Ukraine-Russia war
  • The phishing attack uses QR codes

A Russian state-sponsored threat actor has been spotted engaging in a unique cyber-campaign aimed at supporting the country’s war effort against Ukraine.

Researchers from Microsoft Threat Intelligence revealed the Star Blizzard group was recently seen phishing for WhatsApp accounts belonging to diplomats, government officials, defense policy or international relations researchers, and others who, in any capacity, work on the Russia-Ukraine war.

The campaign most likely started in mid-November 2024, with Microsoft warning all users to always remain vigilant when dealing with email, especially messages containing links to external resources.

Exfiltrating WhatsApp data

The attack starts with an email impersonating a US government official. The body of the email discusses the latest non-governmental initiatives aimed at supporting Ukraine NGOs, and provides a QR code for a private WhatsApp group talking about these matters.

The QR code is invalid, the researchers said, speculating that this might have been deliberate, to get the victim to reach out and ask for a new code. The follow-up email then provides a Safe Link-wrapped t[.]ly shortened link that leads to a website with a separate QR code. This one, however, is a WhatsApp device-linking code: scanning it links the victim's WhatsApp account to a separate device, owned by the attackers.

"This means that if the target follows the instructions on this page, the threat actor can gain access to the messages in their WhatsApp account and have the capability to exfiltrate this data using existing browser plugins, which are designed for exporting WhatsApp messages from an account accessed via WhatsApp Web," Microsoft's researchers said in their write-up.

The attack vector is relatively new, they added, speculating that Star Blizzard was forced to adapt after being thoroughly analyzed by the cybersecurity community: "This is the first time we have identified a shift in Star Blizzard's longstanding tactics, techniques, and procedures (TTPs) to leverage a new access vector," Redmond concluded.
