The Russia-linked threat actor Star Blizzard has recently added a new attack vector to its repertoire, targeting victims’ WhatsApp data. The group, also tracked as Callisto, SEABORGIUM, or COLDRIVER, is believed to be operated by officers of Russia’s FSB security service, and has a history of targeted spear-phishing campaigns against high-profile targets in the U.S. and U.K., including journalists, think tanks, and NGOs supporting Ukraine and its allies.
Microsoft’s Threat Intelligence team discovered the latest campaign late last year, which utilized the topic of supporting Ukrainian NGOs amidst the ongoing conflict. While Star Blizzard typically employs phishing campaigns for initial infections, recent advisories from cybersecurity firms and agencies have forced the group to adapt its tactics to evade detection.
For the first time, Star Blizzard shifted its focus to targeting victims’ WhatsApp accounts instead of their computer data, marking a significant change in its tactics. The threat actor initiates contact through email, posing as a U.S. government official to enhance credibility before sending a follow-up email with a malicious link.
The email contains a QR code that purports to lead users to a WhatsApp group supporting Ukrainian NGOs, but the code is intentionally broken to prompt a reply from the recipient. Once the recipient responds, a second email is sent with a link disguised as a Safe Links-wrapped t[.]ly shortened link, purportedly for joining the group. Clicking the link redirects the victim to a page instructing them to scan a QR code to join the group; in reality, scanning it links their WhatsApp account to the threat actor’s device via WhatsApp Web.
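As an added illustration (not code from the Microsoft report), the following small triage helper unwraps a Safe Links-wrapped URL and flags the pattern described above: a shortener standing where a genuine chat.whatsapp.com group invite would be expected. The sample link, the shortener list and the hostnames are constructed assumptions, not the campaign's actual infrastructure.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample (hypothetical values): a Safe Links wrapper around a t.ly link,
# the shape of the "join the group" link described in the campaign write-up.
SAMPLE_LINK = ("https://nam02.safelinks.protection.outlook.com/?url="
               "https%3A%2F%2Ft.ly%2Fexample-token&data=05%7C01%7C&reserved=0")

SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"
SHORTENER_HOSTS = {"t.ly", "bit.ly", "tinyurl.com"}   # assumed list; extend for your environment
WHATSAPP_INVITE_HOST = "chat.whatsapp.com"            # host used by genuine group invite links


def unwrap_safelinks(link: str) -> str:
    """Return the original destination if `link` is a Safe Links wrapper, else `link` unchanged."""
    parsed = urlparse(link)
    if parsed.hostname and parsed.hostname.lower().endswith(SAFELINKS_SUFFIX):
        inner = parse_qs(parsed.query).get("url")   # parse_qs already percent-decodes the value
        if inner:
            return inner[0]
    return link


def assess_group_link(link: str) -> dict:
    """Classify a purported 'join our WhatsApp group' link for analyst triage."""
    dest = unwrap_safelinks(link)
    host = (urlparse(dest).hostname or "").lower()
    findings = []
    if dest != link:
        findings.append("wrapped by Safe Links; destination hidden from casual inspection")
    if host in SHORTENER_HOSTS:
        findings.append(f"destination is a URL shortener ({host}); final target unknown")
    if host != WHATSAPP_INVITE_HOST:
        findings.append("not a chat.whatsapp.com invite; verify the final page before scanning any QR code")
    return {"destination": dest, "host": host, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for line in assess_group_link(SAMPLE_LINK)["findings"]:
        print("-", line)
```

A link that resolves straight to chat.whatsapp.com produces no findings; the point of the check is that a "group invite" which instead lands on a page asking you to scan a QR code is the device-linking lure, not an invite.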
This gives the attacker access to the victim’s messages and enables data exfiltration through browser plugins designed to export WhatsApp messages. Although the campaign concluded in November 2024, Microsoft emphasizes the need for vigilance among individuals and organizations involved in government, defense, research, and aid to Ukraine, given the evolving tactics of threat actors like Star Blizzard.
By sharing information on Star Blizzard’s latest activities, Microsoft aims to raise awareness of the group’s changing tradecraft and educate organizations on strengthening their defenses against such malicious activities. The group’s use of new techniques to target WhatsApp data underscores the importance of staying informed and proactive in safeguarding against evolving cybersecurity threats.