Star Blizzard Threat Actor

The Russian cyber threat actor known as Star Blizzard has been linked to a new spear-phishing campaign targeting victims' WhatsApp accounts. This marks a shift from its usual tactics, likely aimed at evading detection and maintaining its operations under increased scrutiny.

High-Profile Targets in Government and Diplomacy

Star Blizzard primarily targets individuals connected to government and diplomacy, including current and former officials. It also targets researchers specializing in defense policy and international relations, particularly those whose work involves Russia. Another key group in its crosshairs consists of individuals and organizations assisting Ukraine in the ongoing conflict with Russia.

The Infamous Star Blizzard: A Persistent Threat

Previously known as SEABORGIUM, Star Blizzard has a long history of cyber activities dating back to at least 2012. It operates under multiple aliases, including Blue Callisto, BlueCharlie (TAG-53), Calisto, COLDRIVER, Dancing Salome, Gossamer Bear, Iron Frontier, TA446 and UNC4057. This group is notorious for its credential-harvesting campaigns, typically executed through spear-phishing emails designed to steal sensitive login credentials.

A History of Deceptive Tactics

Star Blizzard has traditionally used phishing emails sent from ProtonMail accounts, embedding malicious links in documents to lure victims into entering their credentials. These attacks often rely on Evilginx-powered pages that act as a reverse proxy in front of the real login service: an Adversary-in-the-Middle (AiTM) technique in which the victim's password, one-time code and resulting session cookie all pass through the attacker's server, so conventional Two-Factor Authentication (2FA) based on SMS, authenticator-app or push codes is defeated. Only phishing-resistant, origin-bound MFA such as FIDO2 security keys holds up against this style of proxying. The group has also leveraged email marketing platforms such as HubSpot and MailerLite to obscure sender details and bypass security filters.

Disruptions and Adaptations

Efforts to curb Star Blizzard's activities gained traction in October 2024, when Microsoft and the U.S. Department of Justice (DoJ) seized over 180 domains linked to the group. These domains had been actively used to target journalists, think tanks, and NGOs between January 2023 and August 2024. The public exposure of that infrastructure may have forced the group to adjust its tactics, leading to the recent WhatsApp-focused campaign.

The WhatsApp Phishing Scheme Unveiled

The latest campaign begins with a spear-phishing email masquerading as a message from a U.S. government official. Impersonating an official lends the message credibility and increases the likelihood that the target engages. The email contains a QR code that purportedly invites the recipient to join a WhatsApp group for organisations supporting Ukrainian NGOs. The code is deliberately broken, which prompts the victim to reply and report the problem.

A Multi-Step Deception

Once the target replies, Star Blizzard sends a follow-up email apologising for the problem and providing a t.ly shortened link to the "group". Clicking the link redirects the target to a Web page instructing them to scan another QR code. This second code is not a group invite at all: it is a WhatsApp device-linking code of the kind normally shown by WhatsApp Web under Settings > Linked Devices. Scanning it with the WhatsApp app on the phone registers the attacker-controlled browser as a linked companion device, giving the attackers a live, synchronised copy of the victim's chats without needing a password, the SIM or any 2FA code.

Exploiting WhatsApp’s Features

Victims who follow the instructions on the deceptive site ('aerofluidthermo.org') unknowingly link their WhatsApp account to a device under Star Blizzard's control. From that point the attackers can read and export the account's messages and other sensitive data, possibly using existing browser extensions built to export WhatsApp messages from WhatsApp Web.
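The lure chain described above (an email carrying a QR code image, a reply from the target, then a follow-up with a URL-shortener link) leaves observable traces in mail. The following is an added detection example, not code from the original page or from Microsoft, that scores messages on those traces. It uses only the Python standard library; the sample messages are constructed here for the example, the sender and link addresses are placeholders, and the shortener list beyond t.ly (the only shortener named in the report) is an assumption.

```python
from __future__ import annotations

import re
from email import message_from_string
from email.message import EmailMessage, Message

# t.ly is the shortener named in the reported campaign; the others are
# common shorteners added as an assumption for this example.
SHORTENER_DOMAINS = {"t.ly", "bit.ly", "tinyurl.com", "is.gd", "cutt.ly"}

# Lure vocabulary matching the reported WhatsApp-group / QR-code pretext.
LURE_TERMS = ("whatsapp", "qr code", "scan", "join the group", "linked device")

URL_RE = re.compile(r"https?://([^\s/\"'<>]+)[^\s\"'<>]*", re.IGNORECASE)


def _text_parts(msg: Message) -> str:
    """Concatenate the decoded text/plain and text/html bodies of a message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def _image_parts(msg: Message) -> list[str]:
    """Names of image parts, inline or attached: the likely carrier of a QR code."""
    return [p.get_filename() or "<inline>" for p in msg.walk() if p.get_content_maintype() == "image"]


def analyze_message(raw: str) -> dict:
    """Score one RFC 822 message against the campaign's observable pattern."""
    msg = message_from_string(raw)
    text = (msg.get("Subject") or "") + "\n" + _text_parts(msg)
    lowered = text.lower()
    hosts = [m.group(1).lower() for m in URL_RE.finditer(text)]
    findings = {
        "shortener_links": sorted({h for h in hosts if h in SHORTENER_DOMAINS}),
        "lure_terms": [t for t in LURE_TERMS if t in lowered],
        "image_parts": _image_parts(msg),
        "is_reply": msg.get("In-Reply-To") is not None,
    }
    score = 0
    if findings["lure_terms"]:
        score += 1
    if findings["image_parts"] and "qr code" in findings["lure_terms"]:
        score += 2  # QR code delivered as an image: the broken-code lure
    if findings["shortener_links"]:
        score += 2  # shortener hides the final landing page
    if findings["is_reply"] and findings["shortener_links"]:
        score += 1  # the link only arrives after the target has replied
    findings["score"] = score
    findings["verdict"] = "suspicious" if score >= 3 else "benign"
    return findings


def build_samples() -> dict[str, str]:
    """Constructed sample messages mimicking the reported chain (not real captures)."""
    first = EmailMessage()
    first["From"] = "official@example.gov"  # placeholder sender
    first["To"] = "target@example.org"
    first["Subject"] = "WhatsApp group: Ukraine NGO support"
    first["Message-ID"] = "<lure-1@example.gov>"
    first.set_content("Please scan the attached QR code to join the WhatsApp group.")
    first.add_attachment(b"\x89PNG placeholder bytes", maintype="image", subtype="png",
                         filename="invite.png")

    second = EmailMessage()
    second["From"] = "official@example.gov"
    second["To"] = "target@example.org"
    second["Subject"] = "Re: WhatsApp group: Ukraine NGO support"
    second["In-Reply-To"] = "<reply-1@example.org>"
    second.set_content("Apologies, the QR code was broken.\n"
                       "Use this link instead: https://t.ly/placeholder")

    benign = EmailMessage()
    benign["From"] = "colleague@example.org"
    benign["To"] = "target@example.org"
    benign["Subject"] = "Tuesday meeting"
    benign.set_content("Meeting notes are at https://www.example.org/notes - see you Tuesday.")

    return {"lure_qr": first.as_string(), "lure_link": second.as_string(),
            "benign": benign.as_string()}


if __name__ == "__main__":
    for name, raw in build_samples().items():
        print(name, analyze_message(raw))
```

The scoring is deliberately coarse: on its own a shortener link or a QR image is common in legitimate mail, and the weight comes from the combination, in particular a shortened link that appears only in a reply to the target. In production the shortener would additionally be expanded in a sandbox and any decoded QR payload compared against WhatsApp's device-linking flow rather than against a keyword list.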

Precautionary Measures for At-Risk Individuals

Those working in government, diplomacy, defense policy, or international relations, particularly those with ties to Ukraine, should remain vigilant when handling emails containing links to external sources. Verifying the authenticity of unexpected messages before clicking on links or scanning QR codes is crucial to avoiding compromise. Two specific checks help against this campaign: joining a WhatsApp group never requires linking a new device, so any QR code that WhatsApp reports as a device-linking code should be refused; and anyone who may already have scanned one should open WhatsApp's Settings > Linked Devices and log out every device they do not recognise.

A Persistent and Evolving Cyber Threat

This latest campaign highlights Star Blizzard's adaptability and determination to continue spear-phishing operations despite repeated setbacks. By shifting to WhatsApp phishing, the group demonstrates its ability to evolve tactics, underscoring the ongoing need for cybersecurity awareness and protective measures among targeted individuals and organizations.
