

Ethical Hacking News

Russian Threat Actor Shifts Tactics: Exploring Star Blizzard's New Spear-Phishing Campaign Against WhatsApp Accounts





  • Star Blizzard, a Russia-linked threat actor, has shifted its tradecraft to target victims' WhatsApp accounts in a new spear-phishing campaign.
  • The campaign targets individuals in the government, diplomacy and defense-policy sectors, including current and former officials, researchers in international relations focusing on Russia, and those providing assistance to Ukraine.
  • The lure is still a spear-phishing email, but it now leads to a web page showing a genuine WhatsApp device-linking QR code; a target who scans it with their phone links the attacker's browser session to their account, giving the actor access to their messages and a way to exfiltrate data via browser add-ons.
  • The shift in tradecraft most likely reflects an attempt to evade detection after repeated public exposure and disruption of the group's earlier operations.
  • Individuals in the targeted sectors are advised to treat unsolicited emails containing external links or QR codes with caution, and to review the devices linked to their WhatsApp account and remove any they do not recognize.



    The threat landscape continues to evolve, with malicious actors adapting their tactics to evade detection. In a recent development, the Russian threat actor known as Star Blizzard has shifted its tradecraft, targeting victims' WhatsApp accounts in a new spear-phishing campaign. This departure from its long-standing approach most likely reflects an attempt to evade detection after its previous infrastructure and techniques were repeatedly exposed and disrupted.

    Star Blizzard, formerly tracked by Microsoft as SEABORGIUM, is a Russia-linked threat activity cluster that has been active since at least 2012. It is also tracked under various monikers, including Blue Callisto, BlueCharlie (or TAG-53), Calisto (alternately spelled Callisto), COLDRIVER, Dancing Salome, Gossamer Bear, Iron Frontier, TA446, and UNC4057. The group is best known for credential-harvesting campaigns that rely on carefully built rapport with the target rather than on malware.

    The new spear-phishing campaign, which appears to have been limited and wound down at the end of November 2024, targets individuals from government and diplomacy sectors, including both current and former officials. Additionally, the targets encompass those involved in defense policy, researchers in international relations focusing on Russia, and those providing assistance to Ukraine in relation to the war with Russia.

    According to a report shared by the Microsoft Threat Intelligence team, the campaign begins with an email that purports to come from a U.S. government official, lending it a veneer of legitimacy and increasing the likelihood that the recipient will engage with it. The email contains a quick response (QR) code that urges the recipient to join a supposed WhatsApp group on "the latest non-governmental initiatives aimed at supporting Ukraine NGOs." The QR code is deliberately broken: a code that does not scan prompts the recipient to reply asking for help, which both confirms a live, engaged target and opens a conversation the actor can steer.

    Should the recipient reply, Star Blizzard sends a second message apologizing for the inconvenience and asking them to click a shortened link to join the WhatsApp group. The link redirects to a web page that asks the target to scan a QR code to join the group. That QR code is not a group invitation at all: it is a genuine WhatsApp device-linking code, the same kind shown when adding a linked device or signing in to the WhatsApp Web portal. Scanning it with the victim's phone authorizes the attacker's browser session as a linked device on the victim's account.

    If the target follows the instructions on the site ("aerofluidthermo[.]org"), the actor gains unauthorized access to their WhatsApp messages and can exfiltrate the data via browser add-ons. No WhatsApp vulnerability is exploited; the attack abuses the legitimate multi-device linking feature, so the victim's own scan is what grants access. A linked session remains active until it is revoked, so anyone who may have scanned such a code should check the Linked Devices list in WhatsApp and log out any session they do not recognize. Email remains the initial vector; what has changed is that the WhatsApp account, rather than a set of email credentials, is the prize.

    This campaign marks a break in long-standing Star Blizzard TTPs and highlights the actor's tenacity in continuing spear-phishing operations to reach sensitive information even after repeated degradation of its infrastructure. Microsoft advises individuals in the sectors Star Blizzard targets to exercise caution when handling emails containing links to external sources or QR codes.

    The practical defenses are the familiar ones for rapport-based spear-phishing: verify the sender of an unexpected message through a separate, known-good channel before acting on it, do not scan QR codes or follow shortened links from unsolicited email, and be suspicious of any page that asks you to scan a code with a messaging app's "link a device" function. Organizations in the targeted sectors should brief staff on this specific lure and on how to audit and revoke linked devices in WhatsApp.

    In conclusion, Star Blizzard's campaign against WhatsApp accounts is a significant departure from its long-standing tradecraft, most likely driven by the exposure of its earlier techniques. The Microsoft Threat Intelligence report is a reminder that this actor adapts quickly, and that defenders and high-value individuals need to keep their own precautions current as its tactics shift.




    Published: Thu Jan 16 21:40:19 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News. All rights reserved.