A threat actor known as Star Blizzard is impersonating US government officials to lure victims and harvest their messages.
The Microsoft Threat Intelligence team has outlined the details of a Russian phishing campaign that uses WhatsApp to harvest the messages of its victims.
The threat actor – which Microsoft tracks as Star Blizzard, but it is also known as SEABORGIUM, the Callisto Group, TA446, and COLDRIVER – has a history of targeting journalists, think tanks, and non-governmental organisations. However, a joint operation by both Microsoft and the US Department of Justice took down more than 180 websites linked to its previous phishing campaigns late last year.
Now, though, Microsoft has observed the threat actor utilising invites to a WhatsApp group to access its target’s messages.
“Star Blizzard’s new spear-phishing campaign, while novel in that it uses and targets WhatsApp for the first time, exhibits familiar spear-phishing TTPs for Star Blizzard, with the threat actor initiating email contact with their targets, to engage them, before sending them a second message containing a malicious link,” the Microsoft Threat Intelligence team said in a 16 January blog post.
Star Blizzard initiates contact with its victims by pretending to be a known US government official, inviting them to join a private WhatsApp group to discuss “non-governmental initiatives aimed at supporting Ukraine”.
“This platform will also serve as a means to coordinate the distribution of government-allocated funds for this purpose,” the initial email said. The email also includes a QR code for the victim to scan; however, the code is broken – on purpose – to encourage further interaction when the victim reports the issue to the sender.
In the second email, Star Blizzard apologises for the issue and shares a “Safe Links-wrapped t[.]ly shortened link” hosting a second QR code.
“However, this QR code is actually used by WhatsApp to connect an account to a linked device and/or the WhatsApp Web portal,” Microsoft said.
“This means that if the target follows the instructions on this page, the threat actor can gain access to the messages in their WhatsApp account and have the capability to exfiltrate this data using existing browser plugins, which are designed for exporting WhatsApp messages from an account accessed via WhatsApp Web,” Microsoft said.
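As an added defender-side example (not code from Microsoft's post or from this article), the following Python triage helper unwraps a Microsoft Safe Links URL to expose the real destination and flags link shorteners such as t.ly, so an analyst sees the host behind the wrapper rather than the outlook.com domain. The sample links, the shortener watchlist and the Safe Links query format (a `url=` parameter) are assumptions; the placeholder values are constructed and are not indicators from the campaign.

```python
from urllib.parse import urlparse, parse_qs

# Host suffix used by Microsoft Safe Links rewriting (assumed format).
SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"

# Assumed watchlist of link shorteners worth a second look in triage.
SHORTENER_DOMAINS = {"t.ly", "bit.ly", "tinyurl.com"}

# Constructed sample links: one Safe Links-wrapped t.ly link of the kind
# described in the second lure email, and one ordinary link as a control.
SAMPLE_LINKS = [
    "https://nam12.safelinks.protection.outlook.com/?url="
    "https%3A%2F%2Ft.ly%2Fexample-placeholder"
    "&data=05%7C02%7C&sdata=placeholder&reserved=0",
    "https://www.microsoft.com/security/blog/",
]


def unwrap_safelinks(url: str) -> str:
    """Return the original URL carried inside a Safe Links wrapper.

    parse_qs already percent-decodes the value, so no second decode is
    applied (a second decode would corrupt inner URLs containing '%').
    Unwrapped URLs are returned unchanged.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host.endswith(SAFELINKS_SUFFIX):
        inner = parse_qs(parsed.query).get("url")
        if inner:
            return inner[0]
    return url


def flag_shortener_links(urls):
    """Unwrap each URL and report those whose final host is a shortener.

    Returns a list of (original_url, unwrapped_url, host) tuples so the
    analyst can see both what the recipient saw and where it really led.
    """
    findings = []
    for url in urls:
        target = unwrap_safelinks(url)
        host = (urlparse(target).hostname or "").lower()
        if host in SHORTENER_DOMAINS:
            findings.append((url, target, host))
    return findings


if __name__ == "__main__":
    for original, target, host in flag_shortener_links(SAMPLE_LINKS):
        print(f"shortener {host}: {original} -> {target}")
```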
According to Microsoft, while the campaign was limited and appeared to stop at the end of November, it nonetheless shows that Star Blizzard is willing to change up its tactics to achieve its aims.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.