Russian State-Linked Hackers Target WhatsApp Accounts, Warns Microsoft

Microsoft has outlined a new attack vector being exploited by Russian state-linked hackers, known as “Star Blizzard” (also sometimes known as Seaborgium, Coldriver or Callisto Group).

In a blog post last week, the tech giant noted that in mid-November 2024, Microsoft Threat Intelligence had observed the “Russian threat actor sending their typical targets spear-phishing messages, this time offering the supposed opportunity to join a WhatsApp group.”

It said this is the first time it has identified a shift in Star Blizzard’s long-standing tactic of spear-phishing campaigns, which are usually emails that appear to come from a trusted source.

WhatsApp attack vector

It was back in December 2023 that the UK’s National Cyber Security Centre (NCSC) linked Star Blizzard to Russia’s domestic spy agency, the FSB, and accused it of seeking to “undermine trust in politics in the UK and likeminded states”.

The FSB is of course the successor agency of the infamous (Soviet-era) KGB, and now its hackers appear to be targeting WhatsApp accounts.

According to Microsoft’s blog post, victims receive an email from the attacker enticing them to scan a QR code which, rather than joining a group, links the attacker’s device to the victim’s WhatsApp account.

“The initial email sent to targets contains a quick response (QR) code purporting to direct users to join a WhatsApp group on ‘the latest non-governmental initiatives aimed at supporting Ukraine NGOs,’” Microsoft warned.

“The sender address used by the threat actor in this campaign impersonates a US government official, continuing Star Blizzard’s practice of impersonating known political/diplomatic figures, to further ensure target engagement,” Microsoft wrote.

The code does not join a WhatsApp group at all. It is a device-linking code of the kind WhatsApp uses to pair a browser or secondary device with an account, so scanning it in the WhatsApp app connects the attacker’s linked device or WhatsApp Web session to the victim’s account, giving them access to the account’s messages without any credential ever being entered. Anyone who has scanned such a code should open WhatsApp’s Linked Devices screen and log out any session they do not recognise.

“We assess the threat actor’s shift to compromising WhatsApp accounts is likely in response to the exposure of their TTPs by Microsoft Threat Intelligence and other organisations, including national cybersecurity agencies,” wrote Microsoft. “While this campaign appears to have wound down at the end of November, we are highlighting the new shift as a sign that the threat actor could be seeking to change its TTPs in order to evade detection.”

Microsoft Threat Intelligence recommends that all email users belonging to sectors that Star Blizzard typically targets always remain vigilant when dealing with email, especially emails containing links to external resources.

It said that when in doubt, contact the person you think is sending the email using a known and previously used email address to verify that the email was indeed sent by them.
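The two checks described above, the nature of the QR code and the identity of the sender, can be turned into a simple mail-triage routine. The script below is an added example, not code from Microsoft or from this article. It assumes the QR image has already been decoded to text by a separate library (pyzbar, zxing or OpenCV) and is handed in as a string; the sample email, the allow-list of known sender domains and the decoded payloads are all constructed for the example, and the stand-in pairing payload only reproduces the one property relied on here, that a linking code is not an http(s) URL, whereas a real WhatsApp group invitation is a link on chat.whatsapp.com.

```python
"""Triage for QR-code phishing emails of the kind Star Blizzard sent.

Added example (not Microsoft's or Silicon UK's code). Assumes the QR
payload has already been decoded from the image by another tool.
"""
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Genuine WhatsApp group invitations are links on this host.  A device
# linking code (the "Linked Devices" pairing QR) is not an http(s) URL.
WHATSAPP_INVITE_HOST = "chat.whatsapp.com"

# Constructed allow-list: domains the recipient has actually corresponded with.
KNOWN_SENDER_DOMAINS = {"example-ngo.org", "partner.example"}

# Constructed sample message: display name claims a US official, but the
# address is on a lookalike domain the recipient has never used.
SAMPLE_EML = b"""From: "Jane Doe, U.S. Department of State" <jane.doe@state-gov-mail.example>
Reply-To: j.doe.invites@another-lookalike.example
To: analyst@example-ngo.org
Subject: Invitation: WhatsApp group on NGO initiatives supporting Ukraine
Content-Type: text/plain

Please scan the attached QR code to join the group.
"""

# Constructed decoded payloads (shape only; not real codes).
INVITE_PAYLOAD = "https://chat.whatsapp.com/AbCdEfGhIjK"
PAIRING_PAYLOAD = "1@constructedtoken,constructedkey,constructedsecret"


def classify_qr_payload(payload: str) -> str:
    """Return 'group-invite', 'url' or 'not-a-url' for a decoded QR string."""
    parsed = urlparse(payload.strip())
    if parsed.scheme not in ("http", "https"):
        # Pairing codes and other opaque tokens land here.
        return "not-a-url"
    host = (parsed.hostname or "").lower()
    if host == WHATSAPP_INVITE_HOST and parsed.path.strip("/"):
        return "group-invite"
    return "url"


def triage(eml_bytes: bytes, qr_payload: str) -> dict:
    """Combine sender checks with the QR classification into one verdict."""
    msg = BytesParser().parsebytes(eml_bytes)
    _, from_addr = parseaddr(msg.get("From", "") or "")
    _, reply_addr = parseaddr(msg.get("Reply-To", "") or "")
    from_domain = from_addr.rpartition("@")[2].lower()

    findings = {
        "from_address": from_addr,
        "sender_known": from_domain in KNOWN_SENDER_DOMAINS,
        # A Reply-To pointing elsewhere is a classic impersonation tell.
        "reply_to_mismatch": bool(reply_addr) and reply_addr.lower() != from_addr.lower(),
        "qr_class": classify_qr_payload(qr_payload),
    }
    # Anything that is not a real group invite, or comes from an unknown
    # sender, is treated as suspicious.  Even a clean-looking invite still
    # gets the out-of-band verification Microsoft recommends.
    if findings["qr_class"] != "group-invite" or not findings["sender_known"]:
        findings["verdict"] = "suspicious"
    else:
        findings["verdict"] = "verify-sender-out-of-band"
    return findings


if __name__ == "__main__":
    for label, payload in (("pairing", PAIRING_PAYLOAD), ("invite", INVITE_PAYLOAD)):
        print(label, triage(SAMPLE_EML, payload))
```

The QR classification is deliberately conservative: it only recognises a chat.whatsapp.com invite link as the thing the email claims to offer, and everything else, including a pairing token, is flagged. The sender check never trusts the display name, which is exactly the field the attacker controls.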

Russian threats

Last October both Microsoft and Amazon had warned of targeted attacks by a Russian-backed group impersonating staff of the two companies.

The group, tracked by Microsoft as Midnight Blizzard and by AWS as APT29, is known for carrying out hacks on organisations and individuals to gather intelligence on behalf of Russia’s Foreign Intelligence Service (SVR).

The group has been sending out “highly targeted spear-phishing emails” to individuals in government, academia, defence, non-governmental organisations, and other sectors since 22 October, Microsoft said in an advisory.

Earlier that same month Microsoft, alongside US officials, had disrupted a spear-phishing campaign attributed to a unit of the Russian Federal Security Service (the FSB), or to criminal proxies working for it, seizing domains used in the campaign.

The US alleges the seized domains were used by hackers belonging to, or criminal proxies working for, the “Callisto Group,” an operational unit within Center 18 of the FSB.

In September 2024 the UK’s NCSC and nine international allies had for the first time exposed the tactics and techniques used by Unit 29155 of Russia’s military intelligence, the GRU, to carry out cyber-operations against government and critical infrastructure organisations around the world.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
