Ethical Hacking News
Microsoft has identified the phishing crew known as Star Blizzard as behind a recent campaign aimed at compromising WhatsApp accounts. The group's tactics have shifted from targeting government and diplomatic officials to attempting to gain access to WhatsApp accounts via emails inviting victims to join fake groups. According to Microsoft, the new campaign marks a significant escalation of the group's tactics, as it is the first time they have attempted to compromise WhatsApp accounts.
In summary: the campaign begins with an email impersonating a US government official that carries a QR code inviting the recipient to join a fake WhatsApp group. That QR code is deliberately invalid; a follow-up link redirects to a website asking the recipient to scan a second QR code, which is in fact the code WhatsApp uses to link a new device. Scanning it gives the attacker access to the target's WhatsApp messages, which can then be exfiltrated using existing browser plugins. The campaign marks the first time Star Blizzard has attempted to compromise WhatsApp accounts and highlights the group's resilience in adapting to operational disruptions. The shift in tactics is likely due to efforts by Microsoft and other organizations to expose the FSB's TTPs, prompting Star Blizzard to adapt. Despite being disrupted by law enforcement, Star Blizzard has quickly transitioned to new domains, indicating high resilience to operational disruptions.
According to the Microsoft Threat Intelligence team, the new campaign begins with an email impersonating a US government official. The email includes a QR code that invites recipients to join a WhatsApp group on "the latest non-governmental initiatives aimed at supporting Ukraine NGOs." However, this QR code is deliberately invalid in the hopes that the recipients will respond directly to the email.
When the target responds, the FSB hackers send a second email containing a Safe Links-wrapped shortened link that purports to be an alternative link to join the group. When clicked, this link redirects victims to a website that asks them to scan a QR code to join the WhatsApp group. However, this QR code is actually the one WhatsApp uses to connect an account to a linked device and/or the WhatsApp Web portal.
If the target follows the instructions on this page, the threat actor can gain access to the messages in their WhatsApp account and have the capability to exfiltrate this data using existing browser plugins designed for exporting WhatsApp messages from an account accessed via WhatsApp Web. This is a significant escalation of the group's tactics, as it marks the first time they have attempted to compromise WhatsApp accounts.
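As an added triage example (not code from Microsoft, The Register or this site), the following Python flags the two traits of the lure described above in a mail message: a shortened link hidden behind a Microsoft Safe Links wrapper, and an image attachment paired with WhatsApp/QR-code invitation wording. The Safe Links URL form (`https://<region>.safelinks.protection.outlook.com/?url=<encoded destination>`), the shortener list and both sample messages are assumptions constructed for the demonstration, not data from the campaign.

```python
"""Mail triage helper for the WhatsApp QR-code lure described above.

Added example, not Microsoft's or The Register's code. Assumptions:
  * Safe Links wrapping uses the public form
    https://<region>.safelinks.protection.outlook.com/?url=<percent-encoded destination>&...
  * SHORTENER_HOSTS is a small constructed sample, not an authoritative list.
  * The sample messages below are constructed for the demonstration.
"""
import re
from email.message import EmailMessage
from urllib.parse import parse_qs, urlparse

SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "is.gd"}  # constructed sample
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")


def unwrap_safelinks(url: str) -> str:
    """Return the real destination behind a Safe Links wrapper, else the URL unchanged.

    The wrapper makes the visible host look Microsoft-owned, so unwrap before
    any host-based check."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if host.endswith(SAFELINKS_SUFFIX):
        inner = parse_qs(parsed.query).get("url")  # parse_qs already percent-decodes
        if inner:
            return inner[0]
    return url


def triage(msg: EmailMessage) -> dict:
    """Flag the two lure traits: a (possibly wrapped) shortened link, and an
    image attachment accompanied by WhatsApp/QR wording.
    Works on any EmailMessage, e.g. one loaded with
    email.message_from_binary_file(f, policy=email.policy.default)."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    lowered = text.lower()

    urls = [unwrap_safelinks(u) for u in URL_RE.findall(text)]
    findings = []
    for url in urls:
        host = urlparse(url).hostname or ""
        if host in SHORTENER_HOSTS:
            findings.append(f"shortened link after unwrapping: {url}")

    has_image = any(p.get_content_maintype() == "image" for p in msg.iter_attachments())
    if has_image and "whatsapp" in lowered and "qr" in lowered:
        findings.append("image attachment with WhatsApp QR-code invitation wording")

    return {"urls": urls, "findings": findings}


def build_sample_lure() -> EmailMessage:
    """Constructed message modelled on the described lure (not a real sample)."""
    msg = EmailMessage()
    msg["Subject"] = "Invitation: WhatsApp group on support for Ukraine NGOs"
    msg["From"] = "official@example.invalid"
    msg["To"] = "target@example.invalid"
    msg.set_content(
        "Please scan the attached QR code to join the WhatsApp group.\n"
        "If the code does not work, use this alternative link:\n"
        "https://nam01.safelinks.protection.outlook.com/"
        "?url=https%3A%2F%2Fbit.ly%2Fexample-invite&data=placeholder\n"
    )
    # A few PNG header bytes stand in for the QR image; its content is irrelevant here.
    msg.add_attachment(b"\x89PNG\r\n\x1a\n", maintype="image", subtype="png", filename="qr.png")
    return msg


def build_benign_message() -> EmailMessage:
    """Constructed ordinary message, for contrast."""
    msg = EmailMessage()
    msg["Subject"] = "Tuesday agenda"
    msg.set_content("Agenda for Tuesday is at https://example.org/agenda\n")
    return msg


if __name__ == "__main__":
    for m in (build_sample_lure(), build_benign_message()):
        print(m["Subject"], "->", triage(m)["findings"])
```

The unwrapping step is the point: Safe Links rewriting makes the visible URL look Microsoft-hosted, so a host-based rule that does not unwrap first never sees the shortener. Heuristics like these only surface candidates for analyst review; the account-level control is WhatsApp's Linked Devices list, where an unexpected session can be logged out.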
The Microsoft Threat Intelligence team observed the activity in mid-November and noted that the campaign seemed to wind down by the end of the month. However, this shift in tactics has highlighted the resilience of Star Blizzard to operational disruptions. The group had previously been tracked as Callisto Group and Coldriver, and their phishing efforts have been attributed to the Russian Federal Security Service (FSB).
The shift to WhatsApp accounts is likely due to efforts by Microsoft and other organizations, including national cybersecurity agencies, to expose the FSB's typical tactics, techniques, and procedures (TTPs). This has prompted Star Blizzard to adapt by shifting to a new method of accessing targets. In October, the US Justice Department and Microsoft disclosed that they had obtained court orders to seize websites used by Star Blizzard in phishing campaigns targeting US government agencies, think tanks, and other victims.
Since then, more than 180 websites related to the group's activities have been seized or taken down. However, the FSB hackers have swiftly transitioned to new domains to continue their operations, indicating that the threat actor is highly resilient to operational disruptions.
The coordinated action by Microsoft and the US Justice Department had a short-term impact on Star Blizzard's phishing operations, but it has also highlighted the importance of continued vigilance in the fight against cybercrime. As the threat landscape continues to evolve, it is essential for individuals and organizations to stay informed about the latest tactics and techniques used by malicious actors.
In addition to the Star Blizzard campaign, the FSB has been linked to other notable phishing efforts, including a recent incident involving the use of malware with a custom backdoor. The group has also been implicated in credential-stealing campaigns targeting high-value targets, including government officials and researchers whose work involves Russian policy and assistance to Ukraine.
The involvement of the FSB in these phishing efforts underscores the agency's willingness to use cybercrime as a tool for espionage and information gathering. As the global cybersecurity landscape continues to evolve, it is essential for governments and organizations to stay vigilant and adapt their security measures to address the ever-changing threat landscape.
In conclusion, the Star Blizzard campaign highlights the resilience of malicious actors in adapting to changing circumstances and the importance of continued vigilance in the fight against cybercrime.
Related Information:
https://go.theregister.com/feed/www.theregister.com/2025/01/16/russia_star_blizzard_whatsapp/
Published: Thu Jan 16 15:12:25 2025 by llama3.2 3B Q4_K_M