A Russian state-sponsored threat actor has been seen engaging in a unique cyber-campaign aimed at supporting the country’s war effort against Ukraine.
Researchers from Microsoft Threat Intelligence revealed that the Star Blizzard group was recently seen phishing for WhatsApp accounts belonging to diplomats, government officials, defense policy or international relations researchers, and others who, in any capacity, are working on the Russia-Ukraine war.
The campaign probably started in mid-November 2024, with Microsoft urging all users to remain vigilant when it comes to emails, especially those containing links to external resources.
The attack began with an email impersonating a US government official. The body of the email discusses the latest non-governmental initiatives aimed at supporting Ukrainian NGOs, and provides a QR code to join a private WhatsApp group where these matters are discussed.
The QR code is invalid, the researchers said, speculating that this may have been deliberate, to get the victim to reach out and request a new code. The follow-up email then provides a Safe Links-wrapped t[.]a link leading to a website with a separate QR code. Scanning this code, however, links the victim's WhatsApp account to a separate device, owned by the attackers.
“This means that if the target follows the instructions on this page, the threat actor can access the messages in their WhatsApp account and have the ability to exfiltrate this data using existing browser plugins, which are designed to export WhatsApp messages from an account accessed via WhatsApp Web,” Microsoft researchers said in their write-up.
The attack vector is relatively new, they added, speculating that Star Blizzard was forced to adapt after being thoroughly analyzed by the cybersecurity community: “This is the first time we have identified a change in Star Blizzard’s tactics, techniques and procedures (TTPs) to exploit a new access vector,” Redmond concluded.