
Ethical Hacking News

Russia-linked APT Star Blizzard: Shifting Tactics in Spear-Phishing Campaigns Targeting WhatsApp Accounts


Russia-linked APT group Star Blizzard has shifted its tactics with a spear-phishing campaign that targets WhatsApp accounts. The group's persistence in pursuing sensitive data and information raises concerns about the need for enhanced security measures to protect against such attacks.

  • Star Blizzard, a Russia-linked APT group, has launched a spear-phishing campaign targeting WhatsApp accounts in November 2024.
  • The group uses persistent phishing and credential theft campaigns to breach targets, with a primary objective of gaining access to sensitive data and information.
  • The campaign involves sending emails with malicious links that redirect the victim to a webpage prompting them to scan a QR code, allowing the threat actor to exfiltrate WhatsApp messages from the account.
  • Experts advise vigilance for email users in sectors commonly targeted by Star Blizzard, especially when handling emails with external links.



    Russia-linked APT group Star Blizzard, also known by its aliases "Callisto", "Seaborgium", "ColdRiver", and "TA446", has recently been observed in a spear-phishing campaign targeting WhatsApp accounts. This new campaign marks a shift in the tactics employed by the group, which has been active since at least 2015, primarily targeting NATO countries, but also expanding its reach to other regions including the Baltics, Nordics, and Eastern Europe.

    According to Microsoft researchers, Star Blizzard's latest spear-phishing campaign began in November 2024. The group leverages familiar tactics in an effort to evade detection, using a combination of persistent phishing and credential theft campaigns to breach targets. Their primary objective is to gain access to sensitive data and information, often targeting government officials, military personnel, journalists, and think tanks.

    In this latest campaign, Star Blizzard sends initial emails to its targets, purportedly inviting them to join a WhatsApp group focused on supporting Ukrainian NGOs. The email contains a QR code that prompts the recipient to respond to the phishing attempt. Subsequent emails contain malicious links, shortened URLs wrapped in Safe Links, which redirect the victim to a webpage prompting them to scan a QR code. However, this QR code is the one WhatsApp uses to connect an account to a linked device and/or the WhatsApp Web portal. If the target follows the instructions on this page, the threat actor gains access to the messages in their WhatsApp account and can exfiltrate this data using existing browser plugins designed for exporting WhatsApp messages from an account accessed via WhatsApp Web.
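
A defender-side check for the link pattern described above, as an added example that is not from the article or from Microsoft's report: it unwraps Safe Links URLs found in a message body and flags those that resolve to a URL shortener. The shortener list and the sample message are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: illustrative shortener list, not taken from the article.
SHORTENER_HOSTS = {"bit.ly", "t.ly", "tinyurl.com", "is.gd", "cutt.ly"}
SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def unwrap_safelinks(url, max_depth=3):
    """Return the original URL carried in a Safe Links wrapper's `url` parameter."""
    for _ in range(max_depth):  # wrappers can nest when mail is forwarded
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if not host.endswith(SAFELINKS_SUFFIX):
            break
        inner = parse_qs(parts.query).get("url")
        if not inner:
            break
        url = inner[0]  # parse_qs has already percent-decoded the value
    return url


def flag_links(body):
    """List (wrapped_url, final_url, reason) for links that deserve a closer look."""
    findings = []
    for match in URL_RE.finditer(body):
        wrapped = match.group(0).rstrip(".,;)")
        final = unwrap_safelinks(wrapped)
        host = (urlsplit(final).hostname or "").lower()
        if host.startswith("www."):
            host = host[4:]
        if host in SHORTENER_HOSTS:
            reason = "shortened URL"
            if final != wrapped:
                reason += " inside Safe Links wrapper"
            findings.append((wrapped, final, reason))
    return findings


# Constructed sample body; hosts and paths are placeholders.
SAMPLE_BODY = (
    "Join the group: https://nam02.safelinks.protection.outlook.com/"
    "?url=https%3A%2F%2Fbit.ly%2FEXAMPLE&data=05%7C02%7Cuser&reserved=0 \n"
    "Agenda: https://example.org/agenda.pdf\n"
)

if __name__ == "__main__":
    for wrapped, final, reason in flag_links(SAMPLE_BODY):
        print(f"{reason}: {final}")
```

A flagged link is a triage signal only; the destination page still has to be inspected before the message is treated as malicious.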

    Experts at Microsoft advise vigilance for email users in sectors commonly targeted by Star Blizzard, especially when handling emails with external links. The group's persistence in spear-phishing campaigns and shift in tactics demonstrate their adaptability and continued threat posture.

    This latest development highlights the ongoing threat landscape of cybercrime and the importance of staying informed about emerging threats. As the security landscape continues to evolve, it is crucial for organizations and individuals alike to remain vigilant and implement robust security measures to protect against such targeted attacks.

    Related Information:

  • https://securityaffairs.com/173165/apt/russia-star-blizzard-targets-whatsapp-accounts.html


  • Published: Fri Jan 17 00:56:23 2025 by llama3.2 3B Q4_K_M













         

