Full Report
Star Blizzard, known to be part of Russia's FSB, moved its schemes to the messaging platform last November. (Source article: "Microsoft catches Russian state-sponsored hackers shifting tactics to WhatsApp", CyberScoop.)
Analysis Summary
# Threat Actor: Star Blizzard
## Attribution & Identity
* **Identification:** Russian state-sponsored threat actor.
* **Association:** Assessed to be an operational unit within Center 18 of Russia's FSB (Federal Security Service).
* **Aliases:** The article lists none. "Star Blizzard" is Microsoft's name for the group (Microsoft tracked it as SEABORGIUM before its 2023 naming change; other vendors use COLDRIVER and Callisto Group).
## Activity Summary
Star Blizzard has recently shifted from its long-standing email spear-phishing toward hijacking targets' **WhatsApp accounts**. In a campaign Microsoft observed in mid-November 2024, targets received an email purporting to come from a U.S. government official that invited them to join a WhatsApp group about supporting Ukrainian NGOs and carried a QR code to scan. The QR code did not work, and the email invited targets to reply for an alternative link. The follow-up message carried a shortened link to a phishing website that displayed a second QR code. That second code was not a group invite but WhatsApp's account-linking (Linked Devices) code: scanning it with the phone authorizes the attacker's browser as a linked device on the victim's account, giving the operators access to the victim's messages without any password or verification code being phished. The change in tactics appears to be a response to earlier action against the group's infrastructure, including the shutdown of more than 180 websites tied to the group by Microsoft and the DOJ in October 2024. The WhatsApp campaign described in the article ended at the end of November 2024.
## Tactics, Techniques & Procedures
- **Phishing Campaigns:** Traditionally relied heavily on email phishing.
- **QR Code Usage:** Used QR codes in initial emails to direct victims.
- **Social Engineering:** Used lures related to supporting Ukrainian NGOs, pretending to be from a U.S. government official.
- **Malicious Link Delivery:** Used shortened links in follow-up communications.
- **Account Takeover (WhatsApp):** Abused WhatsApp's legitimate account-linking (Linked Devices) QR code. The phishing page displayed the attacker's own WhatsApp Web linking code, so a victim who scanned it with their phone added the attacker's browser as a linked device and exposed their message history through the web client. No password or one-time code is involved, so credential and MFA controls are never in the path.
- **Adaptability/Resilience:** Quickly transitioned to new domains following the disruption of prior infrastructure.
- **MITRE ATT&CK IDs:** None are given in the article. Editor's mapping, not from the source: T1566.002 (Phishing: Spearphishing Link) for the lure chain, T1656 (Impersonation) for the U.S.-official pretext, and T1583.001 (Acquire Infrastructure: Domains) for the post-takedown domain rebuild. The linked-device abuse itself has no exact ATT&CK technique.
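The lure chain described in the Activity Summary and the TTP list above (spoofed government sender, QR code image, then a reply carrying a shortened link) can be triaged from mail archives with a few heuristics. The following is an added example written for this page, not Microsoft's detection logic or anything from the article; it uses only the Python standard library. The shortener list, lure wording, and the three sample messages are constructed assumptions, since the article names neither the shortener service nor the exact lure text.

```python
# Triage heuristics for a two-stage QR-code -> shortened-link WhatsApp lure.
# Added example (not from the article); indicator lists below are assumptions.
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed indicators: common shorteners, WhatsApp's own hosts, lure phrasing.
SHORTENER_HOSTS = {"t.ly", "bit.ly", "tinyurl.com", "cutt.ly", "is.gd"}
WHATSAPP_HOSTS = {"whatsapp.com", "web.whatsapp.com", "wa.me"}
LURE_TERMS = ("whatsapp", "qr code", "ngo", "ukrain")
FOLLOWUP_TERMS = ("didn't work", "did not work", "alternative link", "try this link")
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def body_text(msg):
    """Concatenate the text parts of a message, lower-cased for matching."""
    parts = [p.get_content() for p in msg.walk()
             if p.get_content_type() in ("text/plain", "text/html")]
    return "\n".join(parts).lower()


def impersonates_government(msg):
    """Display name claims a government identity but the address is not on a .gov domain."""
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower()
    claims_gov = bool(re.search(r"department|government|embassy|\.gov\b", name, re.I))
    return claims_gov and not domain.endswith(".gov")


def has_qr_image(msg, text):
    """An image part named like a QR code, or any image next to 'QR code' wording."""
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            if "qr" in (part.get_filename() or "").lower() or "qr code" in text:
                return True
    return False


def shortened_links(text):
    """URLs whose host is a known (assumed) link shortener."""
    return [u for u in URL_RE.findall(text) if urlparse(u).hostname in SHORTENER_HOSTS]


def fake_whatsapp_links(text):
    """URLs that mention WhatsApp but are not hosted on WhatsApp's own domains."""
    hits = []
    for u in URL_RE.findall(text):
        host = (urlparse(u).hostname or "").lower()
        genuine = host in WHATSAPP_HOSTS or host.endswith(".whatsapp.com")
        if "whatsapp" in u.lower() and not genuine:
            hits.append(u)
    return hits


def triage_thread(raw_messages):
    """Score an ordered thread: first message is the QR lure, later ones the follow-up."""
    msgs = [email.message_from_string(r, policy=policy.default) for r in raw_messages]
    findings = set()
    first_text = body_text(msgs[0])
    if impersonates_government(msgs[0]):
        findings.add("sender_impersonates_government")
    if has_qr_image(msgs[0], first_text) and any(t in first_text for t in LURE_TERMS):
        findings.add("qr_code_lure")
    for m in msgs[1:]:
        t = body_text(m)
        if any(p in t for p in FOLLOWUP_TERMS) and shortened_links(t):
            findings.add("followup_shortened_link")
        if fake_whatsapp_links(t):
            findings.add("whatsapp_lookalike_link")
    verdict = "high" if len(findings) >= 3 else "medium" if findings else "none"
    return {"findings": sorted(findings), "verdict": verdict}


# Constructed sample thread (hypothetical addresses, not real campaign artefacts).
LURE_1 = """From: "U.S. Department of State" <j.doe@example-mail.test>
To: analyst@ngo.example
Subject: WhatsApp group for Ukraine NGO support
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please scan the attached QR code to join the WhatsApp group supporting Ukrainian NGOs.

--b1
Content-Type: image/png; name="qr.png"
Content-Disposition: inline; filename="qr.png"
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""
LURE_2 = """From: "U.S. Department of State" <j.doe@example-mail.test>
To: analyst@ngo.example
Subject: Re: WhatsApp group for Ukraine NGO support
Content-Type: text/plain; charset="utf-8"

Sorry the QR code didn't work. Please use this alternative link: https://t.ly/x1y2z
"""

if __name__ == "__main__":
    print(triage_thread([LURE_1, LURE_2]))  # three findings, verdict "high"
```

The scoring deliberately treats the reply-with-shortened-link step as its own indicator: on its own, a QR code image in an email from a spoofed sender is noisy, but the same sender following up with a shortener after the code "failed" is the signature of this chain. The decoded QR content is not inspected here; a gateway that can decode images should additionally flag any QR that resolves to a page outside WhatsApp's own domains while presenting itself as a WhatsApp link.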
## Targeting
* **Sectors:** Government, diplomacy, defense policy, international relations research (particularly concerning Russia), civil society organizations (journalists, think tanks, NGOs).
* **Geography:** Not explicitly detailed for the recent WhatsApp campaign, though targeting relates to Russia/Ukraine dynamics.
* **Victims:** Individuals and organizations relevant to government, diplomacy, defense policy, and international relations research, as well as civil society members. Users with roles in government or diplomacy (incumbent and former) are specifically warned to be careful.
## Tools & Infrastructure
* **Malware Families Used:** Not specified in the text provided.
* **Infrastructure (C2, domains, IPs):** Malicious shortened links leading to phishing websites that mimic WhatsApp's account-linking (Linked Devices) page. More than 180 associated websites were shut down in October 2024, after which the group moved to new domains. The article lists no specific URLs or IPs.
## Implications
Star Blizzard demonstrates high adaptability by moving to a new vector (WhatsApp) immediately after the disruption of its traditional phishing infrastructure. Hijacking WhatsApp sessions through the platform's legitimate device-linking feature is an escalation in targeting communication privacy and likely an attempt to evade detection focused on email: the only artefact that crosses the mail gateway is a QR code image, the actual link arrives in a reply, no credentials are stolen (so credential and MFA alerting never fires), and the decisive action happens on the victim's phone, outside corporate telemetry. This highlights the ongoing threat posed by sophisticated Russian state-sponsored actors adapting to defensive measures.
## Mitigations
- Be vigilant about messages that link to external networks or groups, whether they arrive via email or a messaging application.
- Exercise extreme caution with QR codes or links that purportedly direct you to join new collaboration groups or access sensitive information. A QR code that "does not work" followed by an offer of an alternative link is itself a warning sign.
- Only scan a WhatsApp linking QR code that is displayed on a screen you control (web.whatsapp.com or the official desktop app); a linking code on any other website is an account takeover attempt.
- Review the Linked Devices list in WhatsApp's settings and log out any session you do not recognise; anyone who suspects they were targeted by this campaign should do this first.
- Users in government, diplomacy, and related research fields, current and former, must be especially careful regarding unsolicited communication offering external links.