- Microsoft observed Star Blizzard engaging in spear phishing attacks
- Group attacks WhatsApp accounts of diplomats and officials involved in Ukraine-Russia war
- Phishing attack uses QR codes
A Russian state-sponsored threat actor has been spotted embarking on a unique cyber campaign aimed at supporting the country’s war effort against Ukraine.
Microsoft Threat Intelligence researchers revealed that the Star Blizzard group was recently seen phishing the WhatsApp accounts of diplomats, government officials, defense policy or international relations researchers, and others who, in whatever capacity, are working on the Russia-Ukraine war.
The campaign likely began in mid-November 2024, and Microsoft is warning all users to remain vigilant when dealing with emails, especially those containing links to external resources.
WhatsApp data exfiltration
The attack begins with an email impersonating a US government official. The body of the email discusses the latest non-governmental initiatives to support Ukrainian NGOs and provides a QR code for a private WhatsApp group discussing these issues.
The QR code is invalid, the researchers said, speculating that this may have been deliberate, to trick the victim into reaching out and asking for a new code. The follow-up email then provides a wrapped, shortened [.]ly link that leads to a website with a separate QR code. Scanning this code, however, does not join a group: it links the victim's WhatsApp account to a separate device, one owned by the attackers.
“This means that if the target follows the instructions on this page, the threat actor can access messages from their WhatsApp account and have the ability to exfiltrate this data using existing browser plugins, designed to export WhatsApp messages from an account accessed via WhatsApp Web,” Microsoft researchers said in their report.
The attack vector is relatively new, they added, speculating that Star Blizzard was forced to adapt after being analyzed in depth by the cybersecurity community: “This is the first time we have identified a change in Star Blizzard’s long-standing Tactics, Techniques, and Procedures (TTPs) to exploit a new access vector,” concluded Redmond.