Microsoft catches Russian state-sponsored hackers shifting tactics to WhatsApp – CyberScoop
The cat-and-mouse game between state-sponsored Russian hackers and one of the world’s biggest technology companies has continued into 2025.
Microsoft’s threat intelligence team published research Thursday examining how a state-sponsored Russian threat actor group, known as Star Blizzard, has shifted its longstanding attack strategy to target WhatsApp accounts. The new vector is a significant change in the group’s tactics, techniques, and procedures (TTPs): its spear-phishing has historically relied on email.
The group, via phishing campaigns, typically targets individuals and organizations relevant to government, diplomacy, defense policy, and international relations research, particularly when these activities involve Russia. Historically, they have also targeted civil society organizations — including journalists, think tanks, and non-governmental organizations — aiming to exfiltrate sensitive information and disrupt operations.
In a campaign observed in mid-November 2024, Star Blizzard’s initial approach involved sending emails purportedly from a U.S. government official, containing a QR code said to direct recipients to information on supporting Ukrainian NGOs. The QR code, however, was intentionally broken, prompting targets to reply and ask for an alternative link. The follow-up message included a malicious shortened link designed to deceive targets into believing they were joining a WhatsApp group. In reality, the link led to a phishing website that displayed a QR code produced by WhatsApp’s own account-linking (Linked Devices) feature. A target who scanned that code with the WhatsApp app on their phone linked an attacker-controlled browser session to their own account, giving the threat actor access to their WhatsApp messages through WhatsApp Web. No password or verification code changes hands in this flow, which is what makes it effective: the victim performs a legitimate WhatsApp action, only on the attacker’s behalf, potentially compromising the privacy and confidentiality of sensitive communications.
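The link stage of the chain above is where a mail gateway or a cautious recipient can still intervene, so the following is an added example (not code from Microsoft or CyberScoop) of how to triage a link that claims to be a WhatsApp group invite. It expands a shortened link against a recorded redirect chain rather than fetching anything live, then checks whether the final URL is a genuine `chat.whatsapp.com` invite or one of the usual impostor shapes: lookalike subdomain, `user@host` trick, the real hostname buried in the path, non-HTTPS, or a non-ASCII (homoglyph) host. The shortener list, the redirect map and every `.example` domain are constructed for the demonstration.

```python
"""Triage a link that purports to be a WhatsApp group invite.

Added example; assumptions: the shortener list is a small constructed sample,
and the redirect map stands in for what a sandboxed HEAD-request expander
would record. Nothing here touches the network.
"""
import re
from urllib.parse import urlsplit

# Only genuine WhatsApp group-invite host. (wa.me / whatsapp.com exist too,
# but a *group join* link is always chat.whatsapp.com.)
LEGIT_INVITE_HOST = "chat.whatsapp.com"

# Constructed sample of shortener hosts; a gateway would carry a fuller list.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "rebrand.ly", "cutt.ly"}

# A real invite is a single opaque alphanumeric path segment, nothing else.
INVITE_PATH = re.compile(r"^/[A-Za-z0-9]+$")


def classify_link(url: str) -> str:
    """Return one of: whatsapp_group_invite, url_shortener, non_ascii_host,
    whatsapp_lookalike, malformed, other."""
    parts = urlsplit(url.strip())
    try:
        port = parts.port  # raises ValueError for garbage like host:abc
    except ValueError:
        return "malformed"
    host = (parts.hostname or "").lower()
    if not host:
        return "other"
    # Homoglyph hosts (Cyrillic 'а', etc.) never match an ASCII allow-list,
    # so surface them explicitly instead of letting them fall to 'other'.
    if any(ord(c) > 127 for c in host):
        return "non_ascii_host"
    if host in SHORTENER_HOSTS:
        return "url_shortener"  # opaque: must be expanded before judging
    if (
        parts.scheme == "https"
        and host == LEGIT_INVITE_HOST
        and parts.username is None          # rejects chat.whatsapp.com@evil
        and port in (None, 443)
        and INVITE_PATH.match(parts.path)
        and not parts.query
    ):
        return "whatsapp_group_invite"
    # The brand name anywhere else in the URL (subdomain of another domain,
    # userinfo, path) is the classic impersonation pattern.
    if "whatsapp" in url.lower():
        return "whatsapp_lookalike"
    return "other"


def resolve_short_link(url: str, redirect_map: dict, max_hops: int = 5) -> str:
    """Follow a recorded redirect chain offline; refuse unbounded loops."""
    for _ in range(max_hops):
        nxt = redirect_map.get(url)
        if nxt is None:
            return url
        url = nxt
    raise ValueError("redirect chain exceeds %d hops" % max_hops)


def triage(url: str, redirect_map: dict) -> tuple:
    """Expand, then classify; returns (final_url, verdict)."""
    final = resolve_short_link(url, redirect_map)
    return final, classify_link(final)


# Constructed redirect map standing in for a sandboxed link expander.
SAMPLE_REDIRECTS = {
    "https://bit.ly/3xample": "https://chat-whatsapp-join.example/invite/AbCdEf0123",
    "https://t.co/genuine1": "https://chat.whatsapp.com/AbCdEf0123",
}

if __name__ == "__main__":
    for link in SAMPLE_REDIRECTS:
        print(link, "->", triage(link, SAMPLE_REDIRECTS))
```

Two caveats for anyone wiring this into a gateway: a `url_shortener` verdict is not a clean bill, only a signal that the link must be expanded in a sandbox before it is judged; and none of this covers the final step of the campaign. A genuine invite link opens the WhatsApp app directly and never asks you to scan a QR code with your phone, so a "join group" page that does is itself the tell, whatever its URL looks like. Anyone who may have scanned such a code should check Linked Devices in WhatsApp and log out any session they do not recognise.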
This operation by Star Blizzard, which is believed to be an operational unit within the Russian FSB’s Center 18, follows Microsoft and the U.S. Department of Justice’s collaborative effort in October to shut down more than 180 websites tied to the group’s previous campaigns. While that action temporarily hindered Star Blizzard’s phishing operations, the threat actor quickly moved to new domains, underscoring its resilience and adaptability in the face of law enforcement action.
Microsoft assesses that the group’s targeting of WhatsApp accounts is likely a response to the exposure of its previous TTPs, an attempt to evade detection by cybersecurity agencies. The company says there is a silver lining: this particular campaign stopped at the end of November. Microsoft did not say why the operation stopped.
Whether the lure arrives by email or WhatsApp, Microsoft warns those who may be targeted to be vigilant about messages that link to external sites. The company says people in the following roles should be especially careful:
- Government or diplomacy (incumbent and former position holders)
- Research into defense policy or international relations when related to Russia
- Assistance to Ukraine related to the ongoing conflict with Russia
“When in doubt, contact the person you think is sending the email using a known and previously used email address to verify that the email was indeed sent by them,” the company states in its blog.