Full Report
The Russian threat actor known as Star Blizzard has been linked to a new spear-phishing campaign that targets victims' WhatsApp accounts, signaling a departure from its longstanding tradecraft in a likely attempt to evade detection. "Star Blizzard's targets are most commonly related to government or diplomacy (both incumbent and former position holders), defense policy or international relations
Analysis Summary
# Threat Actor: Star Blizzard
## Attribution & Identity
Attributed to Russia.
**Known Aliases:** SEABORGIUM (formerly), Blue Callisto, BlueCharlie (or TAG-53), Calisto (or Callisto), COLDRIVER, Dancing Salome, Gossamer Bear, Iron Frontier, TA446, and UNC4057.
## Activity Summary
Star Blizzard has been linked to a new spear-phishing campaign targeting victims' WhatsApp accounts, a change of tactics likely prompted by heightened scrutiny of its usual infrastructure. The campaign appears to have been limited in scale and to have ended by late November 2024. Before this, the actor was known for credential-harvesting campaigns, including Evilginx-based adversary-in-the-middle (AiTM) phishing that captured both passwords and 2FA codes. Activity dates back to at least 2012. The group was recently disrupted when the US DoJ and Microsoft seized more than 180 domains it had used between January 2023 and August 2024.
## Tactics, Techniques & Procedures
- Spear-phishing emails purporting to come from US government officials.
- An initial email carrying a QR code that purports to join a WhatsApp group; the code is not meant to work, and the intent is to elicit a reply, after which the actor sends a follow-up message containing the real link.
- Redirecting victims via that secondary link to a malicious website (e.g., `aerofluidthermo[.]org`) masquerading as a WhatsApp group invitation page.
- Abusing WhatsApp's linked-device (WhatsApp Web) pairing: the QR code on the fake invitation page is a device-linking code, so scanning it with the victim's phone links the attacker's browser session to the victim's account. The linked session then has the message history, which can be exported with existing browser add-ons built for that purpose.
- Previously, malicious links embedded in documents that redirected to Evilginx-powered pages harvesting credentials and 2FA codes (AiTM attacks).
- Sending through email marketing platforms such as HubSpot and MailerLite so that the true sender infrastructure is masked.
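The TTPs above describe the lure, not how to spot it. The following is an added example (not code from the original report or from Microsoft) of a mail-triage heuristic that scores a message on the observable traits of this campaign: a display name claiming an official identity sent from a non-government domain, WhatsApp wording whose links do not go to a WhatsApp host, the redirect domain named in the report (refanged from `aerofluidthermo[.]org` for matching), and an inline image next to "scan this QR code" text. The official-name tokens, the `.gov`/`.mil` expectation, the scoring threshold and both sample emails are assumptions constructed for the demo.

```python
"""Heuristic triage for WhatsApp device-linking lures (added example)."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions for this demo: these tokens in a display name suggest an official
# identity, and a genuine one would be sent from a .gov/.mil address.
OFFICIAL_NAME_TOKENS = ("department", "embassy", "senator", "secretary",
                        "ambassador", "u.s.", "government")
OFFICIAL_DOMAIN_SUFFIXES = (".gov", ".mil")
# Hosts a real WhatsApp group invite or web session would use.
WHATSAPP_HOSTS = {"whatsapp.com", "chat.whatsapp.com",
                  "web.whatsapp.com", "wa.me"}
# Redirect domain from the report, refanged so URL hostnames can be compared.
KNOWN_LURE_DOMAINS = {"aerofluidthermo.org"}
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)


def parse(raw: str) -> EmailMessage:
    return email.message_from_string(raw, policy=policy.default)


def body_text(msg: EmailMessage) -> str:
    """Subject plus text parts with HTML tags stripped, for keyword matching."""
    chunks = [str(msg["Subject"] or "")]
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            chunks.append(re.sub(r"<[^>]+>", " ", part.get_content()))
    return " ".join(chunks)


def links(msg: EmailMessage) -> list:
    """URLs from the raw text parts (keeps href targets, not just anchor text)."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(URL_RE.findall(part.get_content()))
    return urls


def official_name_mismatch(msg: EmailMessage) -> bool:
    """Display name claims an official role but the address is not .gov/.mil."""
    name, addr = parseaddr(str(msg["From"]))
    domain = addr.rpartition("@")[2].lower()
    claims_official = any(t in name.lower() for t in OFFICIAL_NAME_TOKENS)
    return claims_official and not domain.endswith(OFFICIAL_DOMAIN_SUFFIXES)


def offsite_whatsapp_links(msg: EmailMessage) -> list:
    """Links in a WhatsApp-themed message that do not point at WhatsApp."""
    if "whatsapp" not in body_text(msg).lower():
        return []
    return [u for u in links(msg)
            if (urlparse(u).hostname or "").lower() not in WHATSAPP_HOSTS]


def known_lure_domain_hits(msg: EmailMessage) -> list:
    return [u for u in links(msg)
            if (urlparse(u).hostname or "").lower() in KNOWN_LURE_DOMAINS]


def scan_qr_image(msg: EmailMessage) -> bool:
    """Inline image plus 'scan ... QR' wording: the target is told to scan it."""
    has_image = any(p.get_content_maintype() == "image" for p in msg.walk())
    text = body_text(msg).lower()
    return has_image and "scan" in text and "qr" in text


def triage(raw: str) -> dict:
    msg = parse(raw)
    findings = {
        "official_name_mismatch": official_name_mismatch(msg),
        "offsite_whatsapp_links": offsite_whatsapp_links(msg),
        "known_lure_domains": known_lure_domain_hits(msg),
        "scan_qr_image": scan_qr_image(msg),
    }
    findings["score"] = sum(bool(v) for v in findings.values())
    findings["verdict"] = "suspicious" if findings["score"] >= 2 else "clear"
    return findings


# Constructed sample lure modelled on the TTPs above (not a captured email).
# The image payload is just the PNG magic bytes, standing in for a QR code.
LURE = """\
From: "J. Doe - U.S. Department of State" <j.doe@newsletter-relay.example>
To: target@thinktank.example
Subject: Invitation: WhatsApp group on Ukraine assistance coordination
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please scan the QR code below to join our WhatsApp group, or use
<a href="https://aerofluidthermo.org/join">this link</a>.</p>
<img src="cid:qr1">
--b1
Content-Type: image/png
Content-ID: <qr1>
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""

# Constructed benign message: a colleague sharing a genuine invite link.
BENIGN = """\
From: "Jane Roe" <jane@thinktank.example>
To: target@thinktank.example
Subject: our WhatsApp group
Content-Type: text/plain; charset="utf-8"

Here's the group link: https://chat.whatsapp.com/AbCdEf123
"""

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        print(label, triage(raw))
```

The point of the `offsite_whatsapp_links` check is that a genuine group invite is a plain `chat.whatsapp.com` link, so any WhatsApp-themed message whose links resolve elsewhere is worth a look regardless of whether the domain is already a known indicator.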
## Targeting
- **Sectors:** Government and diplomacy (incumbent and former position holders), defense policy, international relations researchers focusing on Russia, and sources providing assistance to Ukraine related to the war.
- **Geography:** Not explicitly detailed, but targets are associated with US government communications and Ukraine conflict assistance.
- **Victims:** Government officials, defense policymakers, international relations researchers, journalists, think tanks, and non-governmental organizations (NGOs).
## Tools & Infrastructure
- **Malware families used:** None reported for this campaign; the device-linking lure needs no malware. Earlier campaigns relied on the Evilginx AiTM phishing framework (a tool, not a malware family).
- **Infrastructure (C2, domains, IPs):** Email marketing platforms (HubSpot, MailerLite) used for sending; the redirect domain `aerofluidthermo[.]org` hosting the fake WhatsApp invitation page; more than 180 domains previously seized by the US DoJ and Microsoft.
## Implications
Star Blizzard demonstrates persistence and evolving tradecraft: after losing much of its infrastructure, it moved from credential harvesting to abusing WhatsApp's legitimate device-linking feature to reach sensitive communications. This does not break WhatsApp's end-to-end encryption; a linked device is a legitimate endpoint that receives messages in the clear, so the attacker's browser session simply becomes one of the victim's devices. Because no password is stolen, no MFA prompt is triggered and no malware is delivered, email authentication, MFA and credential-phishing detections give no signal. The victim's own action links the device, and the only artefact on the victim's side is an unfamiliar entry in the Linked Devices list.
## Mitigations
- Individuals in targeted sectors should treat emails that ask them to scan a QR code, or that link to an external page for a messaging platform, with extreme caution, even when the sender appears to be a US government official.
- Be wary of invitations to join groups on sensitive geopolitical topics such as Ukraine support. A genuine WhatsApp group invite is a plain `chat.whatsapp.com` link opened on the phone; a QR code that WhatsApp asks you to scan with your phone is the one that links a new device, so scanning a QR code from an email or a third-party web page to "join a group" is the compromise itself.
- Periodically review Linked Devices in WhatsApp (Settings > Linked Devices) and log out any session you do not recognise; organisations should add this check to their device-verification procedures for messaging applications and to incident response for phishing reports.