New Star Blizzard spear-phishing campaign targets WhatsApp accounts
Microsoft Security Blog, January 16, 2025
https://www.microsoft.com/en-us/security/blog/2025/01/16/new-star-blizzard-spear-phishing-campaign-targets-whatsapp-accounts/

In mid-November 2024, Microsoft Threat Intelligence observed the Russian threat actor we track as Star Blizzard sending their typical targets spear-phishing messages, this time offering the supposed opportunity to join a WhatsApp group. This is the first time we have identified a shift in Star Blizzard’s longstanding tactics, techniques, and procedures (TTPs) to leverage a new access vector. Star Blizzard’s targets are most commonly related to government or diplomacy (both incumbent and former position holders), defense policy or international relations researchers whose work touches on Russia, and sources of assistance to Ukraine related to the war with Russia.

In our last blog post about Star Blizzard, we discussed how the threat actor targeted dozens of civil society organizations—journalists, think tanks, and non-governmental organizations (NGOs)—between January 2023 and August 2024 by deploying spear-phishing campaigns to exfiltrate sensitive information and interfere in their activities. Since October 3, 2024, Microsoft and the US Department of Justice have seized or taken down more than 180 websites related to that activity. While this coordinated action had a short-term impact on Star Blizzard’s phishing operations, we noted at the time that after this threat actor’s active infrastructure was exposed, they swiftly transitioned to new domains to continue their operations, indicating that the threat actor is highly resilient to operational disruptions.

We assess the threat actor’s shift to compromising WhatsApp accounts is likely in response to the exposure of their TTPs by Microsoft Threat Intelligence and other organizations, including national cybersecurity agencies. While this campaign appears to have wound down at the end of November, we are highlighting the new shift as a sign that the threat actor could be seeking to change its TTPs in order to evade detection.

As part of our continuous monitoring, analysis, and reporting on the threat landscape, we are sharing our information on Star Blizzard’s latest activity to raise awareness of this threat actor’s shift in tradecraft and to educate organizations on how to harden their attack surfaces against this and similar activity. We also directly notify customers who have been targeted or compromised, providing them with the necessary information to help secure their environments.

Targeting WhatsApp account data

Star Blizzard’s new spear-phishing campaign, while novel in that it uses and targets WhatsApp for the first time, exhibits familiar Star Blizzard spear-phishing TTPs: the threat actor first initiates email contact with their targets to engage them, then sends a second message containing a malicious link. The sender address used by the threat actor in this campaign impersonates a US government official, continuing Star Blizzard’s practice of impersonating known political/diplomatic figures to further ensure target engagement. The initial email sent to targets contains a quick response (QR) code purporting to direct users to join a WhatsApp group on “the latest non-governmental initiatives aimed at supporting Ukraine NGOs.” This code, however, is intentionally broken and will not direct the user towards any valid domain; this is an effort to coax the target recipient into responding.

Figure 1. Star Blizzard initial spear-phishing email with broken QR code

When the recipient responds, Star Blizzard sends a second email containing a Safe Links-wrapped t[.]ly shortened link as the alternative link to join the WhatsApp group.

Figure 2. Star Blizzard follow-on spear-phishing email with URL link

When this link is followed, the target is redirected to a webpage asking them to scan a QR code to join the group. However, this QR code is actually used by WhatsApp to connect an account to a linked device and/or the WhatsApp Web portal. This means that if the target follows the instructions on this page, the threat actor can gain access to the messages in their WhatsApp account and have the capability to exfiltrate this data using existing browser plugins, which are designed for exporting WhatsApp messages from an account accessed via WhatsApp Web.

Figure 3. Malicious Star Blizzard phish attempt using WhatsApp linking QR code

While this campaign was limited and appeared to have terminated at the end of November, it nevertheless marked a break in long-standing Star Blizzard TTPs and highlighted the threat actor’s tenacity in continuing spear-phishing campaigns to gain access to sensitive information even in the face of repeated degradations of their operations.

Microsoft Threat Intelligence recommends that all email users belonging to sectors that Star Blizzard typically targets always remain vigilant when dealing with email, especially emails containing links to external resources. These targets are most commonly related to: