In the wake of a major action against its infrastructure, the Kremlin-backed advanced persistent threat (APT) actor Star Blizzard has pivoted to exploiting the social messaging application WhatsApp in its spear-phishing campaigns against targets of interest to Russia’s intelligence services, Microsoft has warned.
Microsoft has been hot on the tail of Star Blizzard for some time, and late last year its Digital Crimes Unit (DCU) obtained permission from a United States court to conduct a major takedown operation against nearly 70 of the group’s domains. Since October 2024, Microsoft and the US Department of Justice (DoJ) have seized or taken offline more than 180 websites used by Star Blizzard, which has had a significant short-term impact on the APT’s ability to go about its nefarious business.
This action has already yielded a treasure trove of information for defenders to pore over, but according to the Microsoft Threat Intelligence Center (MSTIC) the group has demonstrated remarkable resilience and has swiftly transitioned to new domains and methods, including the exploitation of WhatsApp.
“In mid-November 2024, Microsoft Threat Intelligence observed … Star Blizzard sending their typical targets spear-phishing messages, this time offering the supposed opportunity to join a WhatsApp group,” said the MSTIC team.
“This is the first time we have identified a shift in Star Blizzard’s longstanding tactics, techniques, and procedures (TTPs) to leverage a new access vector.
“We assess the threat actor’s shift to compromising WhatsApp accounts is likely in response to the exposure of their TTPs by Microsoft Threat Intelligence and other organisations, including national cybersecurity agencies. While this campaign appears to have wound down at the end of November, we are highlighting the new shift as a sign that the threat actor could be seeking to change its TTPs in order to evade detection,” they said.
In the WhatsApp campaign, Star Blizzard operatives first made contact with their targets via email to engage them, posing as a senior US government official. This email contained a quick response (QR) code that purported to direct the recipient to join a WhatsApp group to discuss non-governmental organisation (NGO) work in Ukraine. However, in an attempt to coax their victims into responding, the QR code was deliberately non-functional.
If the unfortunate target did reply, Star Blizzard then wrote back with a wrapped, shortened link apparently directing them to the WhatsApp group. This sent the targets to a web page containing another QR code for them to scan to join the group.
In a final bit of subterfuge, this second QR code was not a link to the group but instead the kind used by WhatsApp to link an account to the WhatsApp Web portal, which is used legitimately to let people access their accounts from a desktop PC rather than their smartphone, should they wish.
By scanning this second QR code, the victims in fact gave Star Blizzard full access to their WhatsApp accounts, from where the cyber spooks were able to read messages and exfiltrate data using browser plugins.
MSTIC said that the campaign was limited in its scope and appears to have ended at the end of November 2024. However, said the research team, it marks a clear break in Star Blizzard’s tradecraft and highlights its tenacity.
Typical targeting
MSTIC is advising anyone working in sectors that Star Blizzard usually targets to be extra vigilant when dealing with unexpected or unsolicited email from trusted or new contacts.
However, ordinary users should have little to be concerned about from the APT, for, as ever, Star Blizzard’s campaign targets are mostly people holding high-level positions in government or the diplomatic community, defence and international relations experts, and “sources of assistance” to Ukraine.
As revealed by Computer Weekly in 2022, Star Blizzard previously hacked, compromised, and leaked emails and documents belonging to a former head of MI6, alongside other members of a secretive right-wing network dedicated to campaigning for an extreme hard Brexit.
This data dump also exposed the group’s attempts to spread conspiracies about the origins of SARS-CoV-2 and to influence UK government policy on science and technology during the Covid-19 pandemic.