Russia’s Star Blizzard pivots to WhatsApp in spear-phishing campaign

January 16, 2025

In the wake of a significant action against its infrastructure, the Kremlin-backed advanced persistent threat (APT) actor Star Blizzard has pivoted to abusing the WhatsApp messaging service in its spear-phishing campaigns against targets of interest to Russia’s intelligence agencies, Microsoft has warned.

Microsoft has been hot on the tail of Star Blizzard for some time, and late last year its Digital Crimes Unit (DCU) received permission from a United States court to conduct a significant takedown operation against almost 70 of the group’s domains. Since October 2024, Microsoft and the US Department of Justice (DoJ) have seized or taken offline over 180 websites used by Star Blizzard, which has had a significant short-term effect on the APT’s ability to go about its nefarious business.

This action has already yielded a treasure trove of information for defenders to pick over, but according to the Microsoft Threat Intelligence Center (MSTIC) the group has demonstrated remarkable resilience and has swiftly transitioned to new domains and new methodology, including the abuse of WhatsApp.

“In mid-November 2024, Microsoft Threat Intelligence observed … Star Blizzard sending their typical targets spear-phishing messages, this time offering the supposed opportunity to join a WhatsApp group,” said the MSTIC team.

“This is the first time we have identified a shift in Star Blizzard’s longstanding tactics, techniques, and procedures (TTPs) to leverage a new access vector.

“We assess the threat actor’s shift to compromising WhatsApp accounts is likely in response to the exposure of their TTPs by Microsoft Threat Intelligence and other organisations, including national cybersecurity agencies. While this campaign appears to have wound down at the end of November, we are highlighting the new shift as a sign that the threat actor could be seeking to change its TTPs in order to evade detection,” they said.

In the WhatsApp campaign, Star Blizzard operatives made first contact by email, posing as a senior US government official. The email carried a quick response (QR) code that purported to let the recipient join a WhatsApp group to discuss non-governmental organisation (NGO) work in Ukraine. That QR code was deliberately non-functional: the aim was to prompt the target to reply to the email, opening a dialogue with the attackers.

If the target did respond, Star Blizzard wrote back with a wrapped, shortened link that appeared to lead to the WhatsApp group. It in fact led to a web page displaying a second QR code for the target to scan in order to join the group.

In a final bit of subterfuge, this second QR code was not a group invitation at all. It was the code WhatsApp generates to link an account to the WhatsApp Web portal, the legitimate feature that lets users access their account from a desktop browser instead of their smartphone, should they wish.

By scanning it, the victims linked their WhatsApp accounts to a browser session controlled by Star Blizzard, giving the attackers full access to those accounts, from where they were able to read messages and exfiltrate data using browser plugins.
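The chain above turns on one substitution: a QR code that is presented as a group invitation but actually encodes a WhatsApp Web device-linking payload. The following is an added example, not code from the article or from Microsoft, showing how a user-facing or mail-gateway tool could triage the decoded contents of such a QR code before anyone scans it with the WhatsApp app. It assumes (this is not stated on the page) that a genuine group invite decodes to an `https://chat.whatsapp.com/<code>` URL, that a device-linking QR decodes to an opaque, non-URL, comma-separated payload, and it uses a small constructed list of shortener hosts and sample payloads.

```python
"""Triage the decoded text of a QR code that claims to be a WhatsApp group invite.

Added example; assumptions not taken from the article:
  * a real group invite QR decodes to https://chat.whatsapp.com/<opaque code>;
  * a WhatsApp Web device-linking QR decodes to an opaque comma-separated
    payload, never to an http(s) URL;
  * SHORTENER_HOSTS is a constructed list of link shorteners, the kind of
    "wrapped, shortened link" the lure used to reach the second QR code.
"""
import re
from urllib.parse import urlparse

INVITE_HOST = "chat.whatsapp.com"
INVITE_CODE_RE = re.compile(r"^[A-Za-z0-9_-]{10,}$")  # opaque invite token
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}  # constructed


def classify_qr_payload(payload: str) -> str:
    """Return one of: group-invite, shortened-link, other-url,
    possible-device-link, invalid."""
    payload = payload.strip()
    if not payload:
        return "invalid"  # e.g. the deliberately broken first QR in the lure

    parsed = urlparse(payload)
    if parsed.scheme in ("http", "https"):
        host = parsed.netloc.lower()
        code = parsed.path.strip("/")
        if host == INVITE_HOST and INVITE_CODE_RE.match(code):
            return "group-invite"      # the only thing a "join our group" QR should be
        if host in SHORTENER_HOSTS:
            return "shortened-link"    # redirect chain hides the real destination
        return "other-url"

    # Not a URL at all. A device-linking QR is an opaque payload made of
    # comma-separated fields (assumption); treat anything shaped like that
    # as a linking request, which a group invite never is.
    parts = payload.split(",")
    if len(parts) > 1 and all(part and " " not in part for part in parts):
        return "possible-device-link"
    return "invalid"


def safe_to_scan_as_invite(payload: str) -> bool:
    """Only a verified chat.whatsapp.com invite should be scanned inside WhatsApp."""
    return classify_qr_payload(payload) == "group-invite"


# Constructed sample payloads, as a QR decoder would hand them over.
SAMPLES = {
    "https://chat.whatsapp.com/AbCdEfGhIjKlMnOpQrStUv": "group-invite",
    "https://bit.ly/ngo-ukraine-group": "shortened-link",
    "https://example.org/join-group": "other-url",
    "1@QWxwaGE=,cHVibGljS2V5==,aWRlbnRpdHk=,YWR2U2VjcmV0=": "possible-device-link",
    "": "invalid",
}

if __name__ == "__main__":
    for text, expected in SAMPLES.items():
        verdict = classify_qr_payload(text)
        flag = "OK  " if verdict == expected else "FAIL"
        print(f"{flag} {verdict:22} {text[:48]!r}")
```

The design choice is to treat anything other than a well-formed invite URL as a refusal, rather than to recognise the linking payload positively: the attacker controls every byte of the QR image, so an allow-list on the one legitimate shape is the only check that does not depend on guessing their encoding.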

MSTIC said that the campaign was limited in its scope and appears to have ended at the end of November 2024. However, said the research team, it marks a clear break in Star Blizzard’s tradecraft, and highlights its tenacity.

Typical targeting

MSTIC is advising anybody working in sectors that Star Blizzard typically targets to be extra vigilant when dealing with unexpected or unsolicited email, whether from trusted or new contacts. Anyone who suspects they have scanned such a code can review the sessions attached to their account under WhatsApp’s Linked Devices setting and log out any they do not recognise.

Ordinary users, however, have little to fear from this APT. As ever, Star Blizzard’s targets are most commonly individuals holding high-level positions in government or the diplomatic community, defence and international relations experts, and “sources of assistance” to Ukraine.

As exposed by Computer Weekly in 2022, Star Blizzard previously hacked, compromised, and leaked emails and documents belonging to a former head of MI6, alongside other members of a secretive right-wing network devoted to campaigning for an extreme hard Brexit.

This data dump also exposed the group’s attempts to spread conspiracy theories about the origins of SARS-CoV-2 and to influence UK government policy on science and technology during the Covid-19 pandemic.
