After researchers and national cybersecurity agencies revealed key details of Russia-linked Star Blizzard threat actor in recent days, the group adds a new attack vector to its arsenal that targeted victims’ WhatsApp data.
Microsoft’s Threat Intelligence team spotted the campaign late last year, leveraging the topic of support to Ukrainian NGOs in the face of the ongoing war.
Star Blizzard, also tracked as Callisto, SEABORGIUM, or COLDRIVER, is run by Russia’s FSB or secret service officers, according to previous attribution. The group is famously known for its targeted spear-phishing campaigns against high profile targets in the U.S. and U.K., where they have targeted dozens of journalists, think tanks, and non-governmental organizations that support Ukraine and its allies.
Also read: Russia Backed Star Blizzard’s Infiltration Attempts in UK Elections Laid Bare
Star Blizzard Shifts Focus to WhatsApp Data
Historically, the threat actor is known to use phishing campaigns for initial infection. But detailed advisories from independent cybersecurity firms like Microsoft’s Threat Intelligence team and agencies like the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which exposed the TTPs of this threat actor has likely forced them to change its tradecraft to evade detection.
Star Blizzard has now modified it spear-phishing campaign to target the WhatsApp accounts of its victims rather than their computer data. This is the first time that the threat actor has adopted a new technique, researchers said.
The threat actor initiates contact via email, engaging targets before sending a follow-up email with a malicious link. The sender address impersonates a U.S. government official, consistent with Star Blizzard’s tactic of mimicking political or diplomatic figures to boost credibility.
The initial email includes a QR code claiming to direct users to a WhatsApp group focused on supporting Ukraine NGOs. However, the QR code is intentionally broken to prompt the recipient to respond. Upon response, the threat actor sends a second email containing a Safe Links-wrapped t[.]ly shortened link as an alternative to join the group.
Following this link redirects the target to a page instructing them to scan a QR code to join the group. In reality, the QR code connects the victim’s WhatsApp account to the threat actor’s device via WhatsApp Web. This grants the attacker access to the victim’s messages, enabling data exfiltration through browser plugins designed for exporting WhatsApp messages.
Microsoft noted that although the campaign ended in November 2024, people and organizations, especially those related to the government or diplomacy, defense, research and assistance to Ukraine in the ongoing conflict with Russia, need to be vigilant and educated of these change in tactics.
“We are sharing our information on Star Blizzard’s latest activity to raise awareness of this threat actor’s shift in tradecraft and to educate organizations on how to harden their attack surfaces against this and similar activity,” Microsoft said.
