Russia’s Star Blizzard pivots to WhatsApp in spear-phishing campaign
In the wake of a significant action against its infrastructure, the Kremlin-backed advanced persistent threat (APT) actor Star Blizzard has pivoted to exploiting the social messaging application WhatsApp in its spear-phishing campaigns against targets of interest to Russia’s intelligence agencies, Microsoft has warned.

Microsoft has been hot on the tail of Star Blizzard for some time, and late last year its Digital Crimes Unit (DCU) received permission from a United States court to conduct a significant takedown operation against almost 70 of the group’s domains. Since October 2024, Microsoft and the US Department of Justice (DoJ) have seized or taken offline more than 180 websites used by Star Blizzard, which has had a significant short-term effect on the APT’s ability to go about its nefarious business.

This action has already yielded […] for defenders to pick over, but according to the Microsoft Threat Intelligence Center (MSTIC) the group has demonstrated remarkable resilience and has swiftly transitioned to new domains and methodology, including the exploitation of WhatsApp.

“In mid-November 2024, Microsoft Threat Intelligence observed … Star Blizzard sending their typical targets spear-phishing messages, this time offering the supposed opportunity to join a WhatsApp group,” said the MSTIC team.

“This is the first time we have identified a shift in Star Blizzard’s longstanding tactics, techniques, and procedures (TTPs) to leverage a new access vector.

“We assess the threat actor’s shift to compromising WhatsApp accounts is likely in response to the exposure of their TTPs by Microsoft Threat Intelligence and other organisations, including national cyber security agencies. While this campaign appears to have wound down at the end of November, we are highlighting the new shift as a sign that the threat actor could be seeking to change its TTPs in order to evade detection,” they said.

In the WhatsApp campaign, Star Blizzard operatives first made contact with their targets via email to engage them, in the guise of a senior US government official. This email contained a QR code that purported to direct the recipient to join a WhatsApp group to discuss non-governmental organisation (NGO) work in Ukraine. However, in an attempt to coax their victims into responding, the QR code was intentionally non-functional.

If the unlucky target did respond, Star Blizzard then wrote back with a wrapped, shortened link apparently directing them to the WhatsApp group. This sent the targets to a web page containing another QR code for them to scan to join the group.

In a final bit of subterfuge, this second QR code was not a link to the group at all, but the code WhatsApp itself uses to link an account to the WhatsApp Web portal, a legitimate feature that lets people access their accounts from a desktop PC instead of their smartphone, should they wish.

In scanning this second QR, the victims in fact gave Star Blizzard full access to their WhatsApp accounts, from where the cyber spooks were able to read messages and exfiltrate data using browser plugins.

MSTIC said that the campaign was limited in its scope and appears to have ended at the end of November 2024. However, said the research team, it marks a clear break in Star Blizzard’s tradecraft, and highlights its tenacity.

Typical targeting

MSTIC is advising anybody working in sectors that Star Blizzard typically targets to be extra vigilant when dealing with unexpected or unsolicited email from trusted or new contacts.

However, ordinary users should have little to be concerned about from the APT for, as ever, Star Blizzard’s campaign targets are most commonly individuals holding high-level positions in government or the diplomatic community, defence and international relations experts, and “sources of assistance” to Ukraine.

As exposed by Computer Weekly in 2022, Star Blizzard previously hacked, compromised, and leaked emails and documents belonging to a former head of MI6, alongside other members of a secretive right-wing network devoted to campaigning for an extreme hard Brexit.

This data dump also exposed the group’s attempts to spread conspiracies about the origins of SARS-CoV-2 and influence *** government policy on science and technology during the Covid-19 pandemic.
