Full Report
Microsoft highlighted a new Star Blizzard campaign targeting WhatsApp accounts, as the group adapts its TTPs following the takedown of its web infrastructure by Microsoft and the US government.
Analysis Summary
# Threat Actor: Star Blizzard
## Attribution & Identity
* **Attribution:** Russian nation-state group.
* **Known Aliases and Associations:** None named in the source report, which describes the group only as a Russian cyber espionage group.
## Activity Summary
Microsoft Threat Intelligence observed Star Blizzard conducting a social engineering campaign in mid-November 2024. The campaign targeted the WhatsApp accounts of individuals in government and policy-related positions, with a focus on those working on international relations involving Russia. The move to WhatsApp appears to be a response to the October 2024 takedown of more than 100 of the group's websites by Microsoft in coordination with the US government, which removed much of the infrastructure its earlier campaigns depended on.
## Tactics, Techniques & Procedures
- **Primary vector:** Social engineering directed at targets' WhatsApp accounts, using a third-party messaging platform for initial contact rather than actor-controlled websites.
- **Historical TTPs:** The group has a history of established but shifting TTPs. The source does not detail them beyond the primary vector described above, but the shift itself is the notable point.
- **MITRE ATT&CK IDs:** Not mapped in the source.
## Targeting
- **Sectors:** Government and policy-related roles.
- **Geography:** Not stated; the implied focus is on individuals and regions concerned with international relations involving Russia.
- **Victims:** Individuals in government and policy-related positions, particularly those working on international relations and Russia. No specific organisations are named in the source.
## Tools & Infrastructure
- **Malware Families Used:** None specified in the source; the reported objective is compromise of the targets' WhatsApp accounts.
- **Infrastructure:** A large portion of the group's infrastructure (more than 100 websites) was taken down by Microsoft and the US government in October 2024. The new campaign instead delivers its social engineering over WhatsApp, indicating a pivot towards third-party messaging platforms for initial access that does not depend on the seized domains.
## Implications
The group adapted quickly after a significant infrastructure disruption, shifting its primary vector from operations built on its own web infrastructure to social engineering over WhatsApp. This indicates persistence and a continued focus on high-value intelligence targets connected to Russian international policy, and it shows that infrastructure takedowns impose cost on the actor but do not end its operations.
## Mitigations
- Users in government and policy roles, especially those handling international relations involving Russia, should treat unsolicited contact, group invitations, or account-related requests on WhatsApp with suspicion and verify them out of band (for example, by calling the supposed sender on a known number) before acting.
- Organisations should ensure personnel are trained to recognise and report social engineering attempts delivered via messaging platforms, not only via email, and should provide a clear reporting path for them.
- Defence should account for the actor's demonstrated ability to pivot TTPs following disruption: controls that focus on the previously seized infrastructure or on email alone will not cover this campaign.