WhatsApp Abused in Star Blizzard’s Targeted Spear-Phishing Operation
Category: Threat Actor Activity | Industries: Defense, Government | Source: Microsoft
Russian nation-state actor Star Blizzard has incorporated WhatsApp into phishing campaigns targeting government officials, diplomats, defense policy researchers, and organizations involved in Ukraine aid efforts. Identified by Microsoft Threat Intelligence, the campaign, observed in mid-November 2024 and concluding at the end of the month, showcases Star Blizzard’s resilience following disruptions to its operations in October 2024, when 180 domains used by the group were seized or taken down by Microsoft and the U.S. Department of Justice. The campaign begins with a phishing email impersonating a U.S. government official, an established tactic of Star Blizzard to ensure credibility and increase engagement. Microsoft noted the threat actors’ continued "practice of impersonating known political/diplomatic figures" to boost target engagement.
The initial email includes a broken QR code and claims to offer an invitation to join a WhatsApp group discussing non-governmental initiatives supporting Ukraine. When recipients respond for clarification, Star Blizzard sends a second email containing a shortened link that redirects to a fake WhatsApp webpage. This second webpage prompts the target to scan a QR code that, instead of joining a WhatsApp group, links the target’s WhatsApp account to a device controlled by the attackers. Once connected, Star Blizzard can exfiltrate WhatsApp messages using browser plugins designed for exporting account data. Microsoft explains, "This means that if the target follows the instructions on this page, the threat actor can gain access to the messages in their WhatsApp account and have the capability to exfiltrate this data using existing browser plugins, which are designed for exporting WhatsApp messages from an account accessed via WhatsApp Web."
Microsoft urges vigilance among individuals in frequently targeted sectors. Users are advised to scrutinize unsolicited emails, particularly those containing QR codes or links, and verify authenticity by contacting senders through known email addresses. Additionally, checking the "Linked Devices" section in WhatsApp can help users detect and disconnect unauthorized devices. While the campaign appears to have ended, the shift in tactics emphasizes the importance of remaining alert against evolving attack methods.
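The lure chain and the advice above translate into a handful of observable traits a mail-triage rule can check: a government persona in the display name while the sending domain is not a government domain, a body that steers the reader into a WhatsApp group, an image attachment presented as a QR code, and a shortened link. The following Python is an added example (not Microsoft's, WhatsApp's or Star Blizzard-specific code); the shortener list, the keyword hints and both sample messages are constructed assumptions, and the scoring is a starting point for a SOC rule, not a verdict.

```python
"""Triage heuristic for the WhatsApp device-linking lure pattern (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: a few public URL shorteners; extend from your own telemetry.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "ow.ly", "rb.gy", "cutt.ly"}
# Assumption: phrases an impersonated official's display name might carry.
GOV_NAME_HINTS = ("department of state", "u.s. department", "ambassador", "office of")
# Real WhatsApp hosts; anything else containing "whatsapp" is treated as a look-alike.
LEGIT_WHATSAPP_HOSTS = {"whatsapp.com", "web.whatsapp.com", "wa.me"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _text_parts(msg):
    """Yield decoded text/* bodies of a parsed message."""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            yield part.get_content()


def _image_attachments(msg):
    """Yield file names of image/* parts (inline or attached)."""
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            yield part.get_filename() or ""


def assess_message(raw: str) -> dict:
    """Score one RFC 5322 message against the lure traits; return score and reasons."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []

    # Trait 1: official-sounding display name, non-.gov sending domain.
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    if any(h in display_name.lower() for h in GOV_NAME_HINTS) and not sender_domain.endswith(".gov"):
        reasons.append(f"government persona in display name but sender domain is {sender_domain!r}")

    body = "\n".join(_text_parts(msg)).lower()

    # Trait 2: the message pushes the reader toward a WhatsApp group.
    if "whatsapp" in body and ("group" in body or "join" in body):
        reasons.append("body steers recipient to join a WhatsApp group")

    # Trait 3: shortened or look-alike links.
    for url in URL_RE.findall(body):
        host = urlparse(url).netloc.lower().split(":")[0]
        if host in SHORTENER_DOMAINS:
            reasons.append(f"shortened link via {host}")
        elif "whatsapp" in host and host not in LEGIT_WHATSAPP_HOSTS:
            reasons.append(f"look-alike WhatsApp host {host}")

    # Trait 4: an image presented as a QR code to scan.
    for fname in _image_attachments(msg):
        if "qr" in fname.lower() or "qr code" in body or "scan" in body:
            reasons.append(f"image attachment {fname!r} presented as a QR code")
            break

    return {"score": len(reasons), "reasons": reasons}


# Constructed sample mirroring the first-stage lure (invitation plus QR image).
SAMPLE_LURE = """\
From: "U.S. Department of State - Policy Planning" <policy.planning@example-mail.test>
To: researcher@example.test
Subject: Invitation: WhatsApp group on support initiatives for Ukraine
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please scan the attached QR code to join our WhatsApp group on NGO initiatives.
If it does not work, use this link: https://bit.ly/placeholder-link
--b1
Content-Type: image/png; name="invite_qr.png"
Content-Disposition: attachment; filename="invite_qr.png"
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""

# Constructed benign message for comparison.
SAMPLE_BENIGN = """\
From: "Alice Example" <alice@example.test>
To: researcher@example.test
Subject: Notes from Tuesday
Content-Type: text/plain; charset="utf-8"

Attached are the meeting notes; let me know if anything is missing.
"""

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, assess_message(raw))
```

Run it on a raw `.eml` file read as text; the lure sample scores 4 (persona/domain mismatch, WhatsApp-group push, shortened link, QR image) and the benign sample scores 0. Any single trait alone is weak evidence, which is why the function returns the reasons rather than a boolean: a human or a downstream rule decides the threshold, and a hit on trait 1 plus either trait 3 or 4 is the combination worth routing to an analyst.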