
Star Blizzard Targets WhatsApp Users


In a recent development, the Russian-linked cyber threat group, Star Blizzard, also known as SEABORGIUM, has been reported to have shifted its tactics towards spear-phishing campaigns targeting WhatsApp accounts. This shift marks a departure from the group’s usual modus operandi of credential harvesting through phishing emails and Evilginx-powered pages. The change in strategy is believed to be a response to previous exposure of the group’s activities, with the aim of evading detection.

Reports suggest that the primary targets of this new spear-phishing campaign are individuals from government and diplomatic sectors, as well as researchers in defense policy and international relations. The group also seems to be focusing on individuals providing support to Ukraine in the context of the ongoing conflict with Russia. The spear-phishing emails sent by Star Blizzard appear to be from legitimate sources, such as U.S. government officials, in an attempt to increase the likelihood of the victim engaging with the message. These emails contain QR codes that purport to let recipients join a WhatsApp group, but instead redirect them to a malicious website.

Upon visiting the website, victims are prompted to scan a QR code that seemingly links them to the WhatsApp group, but in reality connects their account to an attacker’s device. This unauthorized access allows Star Blizzard to intercept WhatsApp messages and potentially exfiltrate data using browser add-ons. While the campaign appears to have been relatively limited in scope and reportedly wound down by the end of November 2024, previous actions taken against the group by Microsoft and the U.S. Department of Justice, including seizing over 180 domains, likely forced Star Blizzard to adapt its tactics.

Star Blizzard has a history of employing various tactics to obfuscate the origin of its attacks. Previous operations saw the group using platforms like ProtonMail, HubSpot, and MailerLite to conceal their email infrastructure, thus avoiding the need for actor-controlled domains. The shift towards targeting WhatsApp instead of email demonstrates the group’s resilience and determination to continue its cyber-espionage activities. Security experts caution individuals in government, diplomacy, and defense sectors to exercise vigilance when handling suspicious emails containing links to external sources or QR codes.

Overall, the evolving tactics of Star Blizzard serve as a reminder of the constant threat posed by cybercriminals, particularly those with sophisticated capabilities and intent. It underscores the importance of remaining vigilant and implementing robust cybersecurity measures to mitigate the risks associated with such attacks. As the digital landscape continues to evolve, staying informed and proactive becomes paramount in safeguarding sensitive information against cyber threats.
