Russian Spear-Phishing Attacks Targeted WhatsApp Accounts
The Star Blizzard threat group expanded its typical spear-phishing attack vector to target WhatsApp accounts.
In a Thursday analysis, Microsoft researchers highlighted new tactics adopted by the known Russian threat group “Star Blizzard.” In a November campaign, the group expanded its typical spear-phishing attack vector to both use and target WhatsApp accounts.
Why It Matters: The campaign was limited and did not continue after November 2024, said Microsoft researchers. However, they said it was important to highlight the activity because it signals that the attackers are working to change their TTPs in order to avoid detection, particularly after some of its previous TTPs were exposed and affiliated internet domains seized by the U.S. government.
The Background: Star Blizzard is a Russian threat actor that since 2019 has impacted organizations in the U.S. and UK, as well as various NATO countries and countries neighboring Russia. Initially, the group targeted academia, defense, governmental organizations, NGOs, think tanks and politicians, but in 2022 it expanded its targeting to include defense-industrial targets, as well as U.S. Department of Energy facilities.
Attack Details: In November, Star Blizzard attackers sent spear-phishing emails that impersonated U.S. government officials and purported to invite targets to join a WhatsApp group related to “the latest non-governmental initiatives aimed at supporting Ukraine NGOs.” Interestingly, this initial email served only to engage targets: the quick response (QR) code for joining the WhatsApp group was intentionally broken and did not point to a valid domain. Instead, the message was an attempt to get recipients to reply. After the target followed up about the broken link, the threat actor sent a second email asking them to scan a QR code to join the WhatsApp group.
“However, this QR code is actually used by WhatsApp to connect an account to a linked device and/or the WhatsApp Web portal,” said researchers. “This means that if the target follows the instructions on this page, the threat actor can gain access to the messages in their WhatsApp account and have the capability to exfiltrate this data using existing browser plugins, which are designed for exporting WhatsApp messages from an account accessed via WhatsApp Web.”
Why It Matters: The activity comes after the U.S. Department of Justice and Microsoft in October seized more than 180 websites related to Star Blizzard spear-phishing activity. Researchers with Microsoft said on Thursday they believed the threat actor’s more recent transition to compromising WhatsApp accounts is a likely response to the exposure of their tactics by security researchers.
“While this coordinated action had a short-term impact on Star Blizzard’s phishing operations, we noted at the time that after this threat actor’s active infrastructure was exposed, they swiftly transitioned to new domains to continue their operations, indicating that the threat actor is highly resilient to operational disruptions,” said researchers.