- Microsoft observed Star Blizzard engaging in a phishing attack
- The group goes after the WhatsApp accounts of diplomats and government workers involved in the war between Ukraine and Russia.
- Phishing attack uses QR codes
A Russian state-sponsored threat actor has been discovered engaging in a unique cyber campaign aimed at supporting the country’s war effort against Ukraine.
Researchers at Microsoft Threat Intelligence revealed that the Star Blizzard group was recently seen phishing WhatsApp accounts belonging to diplomats, government officials, defense policy or international relations researchers, and others who, in any capacity, work on the war between Russia and Ukraine.
The campaign most likely began in mid-November 2024, and Microsoft warned that all users should always remain vigilant when handling email, especially those that contain links to external resources.
Exfiltrating WhatsApp data
The attack begins with an email posing as a US government official. The body of the email discusses the latest non-governmental initiatives aimed at supporting Ukrainian NGOs and provides a QR code for a private WhatsApp group discussing these issues.
The QR code is invalid, investigators said, speculating that this could have been deliberate, so that the victim would reach out and ask for a new one. The follow-up email provides a wrapped, shortened link leading to a website with a second QR code. Scanning that code, however, links the victim's WhatsApp account to a separate device owned by the attackers.
“This means that if the target follows the instructions on this page, the threat actor can gain access to the messages in their WhatsApp account and have the ability to extract this data using existing browser add-ons, which are designed to export WhatsApp messages from an account accessed through WhatsApp Web,” Microsoft researchers said in their article.
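The chain described above (a government-themed sender, a QR code to "join a WhatsApp group", then a follow-up carrying a wrapped or shortened link) is a sequence of weak signals that mail triage can score. The following is an added example, not code from the article or from Microsoft; the `Email` class, the shortener list, the indicator names and the threshold are assumptions for illustration, and the sample messages are constructed.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse, parse_qs

@dataclass
class Email:
    from_name: str
    from_addr: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)  # (filename, mime_type)

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.I)
SHORTENERS = {"t.ly", "bit.ly", "tinyurl.com"}  # assumed list; extend locally

def wrapped_or_shortened(url: str) -> bool:
    """True for a known shortener host, or for a wrapper/redirector whose
    query string carries another URL (e.g. ...?url=https://...)."""
    parsed = urlparse(url)
    if parsed.netloc.lower() in SHORTENERS:
        return True
    for values in parse_qs(parsed.query).values():
        if any(v.lower().startswith(("http://", "https://")) for v in values):
            return True
    return False

def triage(msg: Email) -> list[str]:
    """Return the indicators matched by one message; two or more on a
    single message, or across a thread, is worth an analyst's look."""
    text = f"{msg.subject}\n{msg.body}"
    hits = []
    # Lure: invitation into a WhatsApp group.
    if re.search(r"\bwhatsapp\b", text, re.I) and re.search(r"\b(group|invite|join)\b", text, re.I):
        hits.append("whatsapp-group-lure")
    # Instruction to scan a code, with an image attached to carry it.
    has_image = any(mime.startswith("image/") for _, mime in msg.attachments)
    if has_image and re.search(r"\b(qr code|scan)\b", text, re.I):
        hits.append("scan-qr-image")
    # Follow-up style delivery: shortened or wrapped link.
    if any(wrapped_or_shortened(u) for u in URL_RE.findall(text)):
        hits.append("wrapped-or-shortened-link")
    # Display name claims a government body but the address domain does not.
    if re.search(r"department|government|embassy|\.gov", msg.from_name, re.I) \
            and not msg.from_addr.lower().endswith(".gov"):
        hits.append("government-name-nongov-domain")
    return hits

# Constructed samples (hypothetical sender and URLs, not from the campaign).
LURE = Email("U.S. Department of State", "official@example.net",
             "Initiative to support Ukrainian NGOs",
             "Please scan the QR code below to join our private WhatsApp group.",
             [("qr.png", "image/png")])
FOLLOWUP = Email("U.S. Department of State", "official@example.net",
                 "Re: updated code", "Sorry, here is a fresh link: https://t.ly/abc123")
BENIGN = Email("Alice", "alice@example.org", "Lunch",
               "See you at noon. Agenda: https://example.org/agenda.pdf")
```

Run `triage(LURE)` and `triage(FOLLOWUP)` together and the thread accumulates four distinct indicators, while `triage(BENIGN)` returns none.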
The attack vector is relatively new, they added, speculating that Star Blizzard was forced to adapt after being extensively analyzed by the cybersecurity community: “This is the first time we have identified a shift in Star Blizzard’s tactics, techniques and procedures (TTPs) to take advantage of a new access vector,” Redmond concluded.