
Russia's Star Blizzard phishing crew caught targeting WhatsApp accounts

FSB cyberspies venture into a new app for espionage, Microsoft says


Star Blizzard, a prolific phishing crew backed by the Russian Federal Security Service (FSB), conducted a new campaign aiming to compromise WhatsApp accounts and gain access to their messages and data, according to Microsoft.

The group's credential phishing expeditions typically go after government, diplomatic, and defense policy targets — specifically with an eye on officials and researchers whose work involves Russian policy and assistance to Ukraine. This one, we're told, was unique in that it attempted to compromise WhatsApp accounts via emails inviting victims to join a fake WhatsApp group.

"This is the first time we have identified a shift in Star Blizzard's longstanding tactics, techniques, and procedures (TTPs) to leverage a new access vector," Redmond disclosed in new threat intelligence on Thursday.

Star Blizzard is also tracked as Callisto Group and Coldriver. This particular campaign, similar to earlier efforts, begins with an email impersonating a US government official. What's new is that it includes a QR code inviting recipients to join a WhatsApp group on "the latest non-governmental initiatives aimed at supporting Ukraine NGOs."

According to Microsoft, the QR code provided is deliberately invalid in the hopes that the recipients will respond directly to the email, at which point Star Blizzard has the victim on its hook.

When the target responds, the FSB hackers send out a second email containing a t[.]ly shortened link, wrapped by Microsoft's Safe Links rewriting, that purports to be an alternative way to join the group. This new link, when clicked, redirects victims to a website that asks them to scan a QR code to join the WhatsApp group.

"However, this QR code is actually used by WhatsApp to connect an account to a linked device and/or the WhatsApp Web portal," Redmond warned. "This means that if the target follows the instructions on this page, the threat actor can gain access to the messages in their WhatsApp account and have the capability to exfiltrate this data using existing browser plugins, which are designed for exporting WhatsApp messages from an account accessed via WhatsApp Web."
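The two-stage lure above (a Safe Links-rewritten URL that unwraps to a link shortener, landing on a page that presents a WhatsApp device-linking QR code) is the kind of thing a mail-security team can triage programmatically. The following is an added example written for this page, not code from The Register, Microsoft, or Star Blizzard's tooling. It relies on the real layout of Microsoft Defender Safe Links URLs (a host under safelinks.protection.outlook.com carrying the original destination in the `url` query parameter); the shortener list and the sample message body are constructed for the example, and the t.ly path in it is a placeholder.

```python
"""Unwrap Safe Links-rewritten URLs and flag link-shortener destinations.

Added example for triaging the lure described in the article. The Safe
Links URL layout (host ending in safelinks.protection.outlook.com, with
the original destination in the `url` query parameter) is real; the
shortener list and the sample email body below are constructed.
"""
from urllib.parse import urlparse, parse_qs

# Constructed watch list: shortener hosts that hide the final destination.
# t.ly is the one named in the article; the rest are common shorteners.
SHORTENER_HOSTS = {"t.ly", "bit.ly", "tinyurl.com", "is.gd", "cutt.ly"}

SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"

# Constructed sample: the second-stage email from the article's scenario.
# The t.ly path is a placeholder, not a real indicator.
SAMPLE_EMAIL = (
    "Thank you for responding. If the QR code did not work, please use this "
    "alternative link to join the group: "
    "https://nam02.safelinks.protection.outlook.com/?url="
    "https%3A%2F%2Ft.ly%2Fexample-placeholder&data=05%7C01%7C&sdata=abc&reserved=0"
)


def unwrap_safelink(url: str) -> str:
    """Return the original destination of a Safe Links URL, or the URL unchanged.

    parse_qs percent-decodes the `url` value once, which is exactly the
    encoding Safe Links applies, so no further unquoting is needed.
    """
    parsed = urlparse(url)
    if parsed.netloc.lower().endswith(SAFELINKS_SUFFIX):
        inner = parse_qs(parsed.query).get("url")
        if inner:
            return inner[0]
    return url


def classify_link(url: str) -> dict:
    """Describe a link: whether it was wrapped, where it really points, and if that is a shortener."""
    target = unwrap_safelink(url)
    host = urlparse(target).netloc.lower().split(":")[0]
    return {
        "wrapped": target != url,
        "target": target,
        "host": host,
        "shortener": host in SHORTENER_HOSTS,
    }


def find_suspect_links(body: str) -> list:
    """Extract http(s) URLs from a message body and return those resolving to a shortener."""
    suspects = []
    for token in body.split():
        token = token.strip("<>()[]\"',.")
        if token.lower().startswith(("http://", "https://")):
            info = classify_link(token)
            if info["shortener"]:
                suspects.append(info)
    return suspects


if __name__ == "__main__":
    for hit in find_suspect_links(SAMPLE_EMAIL):
        print(f"wrapped={hit['wrapped']} host={hit['host']} target={hit['target']}")
```

A hit here is a trigger for a closer look, not a verdict: a wrapped shortener in a reply-to-me thread from an unfamiliar sender is the pattern in this campaign, and the final landing page still has to be inspected. On the user side, the relevant control is WhatsApp's Linked devices screen, where any session established by scanning the attacker's QR code is listed and can be logged out.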

The Microsoft Threat Intelligence team observed the activity in mid-November and noted that the campaign seemed to wind down by the end of the month. This illustrates Star Blizzard's "tenacity" in its phishing espionage efforts to steal sensitive information from high-value targets, Redmond said.

The shift to WhatsApp accounts is likely due to efforts by Microsoft and other organizations, including national cybersecurity agencies, to expose the FSB's typical tactics, techniques, and procedures (TTPs), prompting Star Blizzard to adapt by shifting to a new method of accessing targets.

In October, the US Justice Department and Microsoft disclosed that they had obtained court orders to seize websites used by Star Blizzard in phishing campaigns targeting US government agencies, think tanks, and other victims.

Since October 3, the DOJ and Redmond have seized or taken down more than 180 websites related to that activity, we're told.

"While this coordinated action had a short-term impact on Star Blizzard's phishing operations, we noted at the time that after this threat actor's active infrastructure was exposed, it swiftly transitioned to new domains to continue its operations, indicating that the threat actor is highly resilient to operational disruptions," Microsoft said today. ®

Updated to add at 1650 UTC on January 17, 2025

Microsoft, in response to The Register's questions, confirmed that this phishing campaign attempted to net Star Blizzard's typical targets, but declined to say how many phony WhatsApp group messages were sent.

"The targets primarily belong to the government and diplomacy sectors, including both current and former officials," said Sherrod DeGrippo, director of threat intelligence strategy.

"Additionally, the targets encompass individuals involved in defense policy, researchers in international relations focusing on Russia, and those providing assistance to Ukraine in relation to the war with Russia."

This particular attack began in January 2023 and continued through November 2024. "This threat actor is currently active, attempting other campaigns," DeGrippo added. "We are blocking this activity when we detect it."
