17 January 2025 , 19:49
627
0
FSB-linked Star Blizzard attempts to lure email recipients to click on QR code that gives attackers access to account.
Russian state-linked hackers have targeted the WhatsApp accounts of government ministers and officials around the world with emails inviting them to join user groups on the messaging app.
The WhatsApp tactic marks a new approach by a hacking unit called Star Blizzard. Britain’s National Cyber Security Centre (NCSC) has linked Star Blizzard to Russia’s domestic spy agency, the FSB, and has accused it of seeking to “undermine trust in politics in the UK and likeminded states”.
According to a blogpost by Microsoft, victims receive an email from an attacker impersonating a US government official, enticing the recipient to click on a QR code that gives the attacker access to their WhatsApp account. The code, instead of giving access to a WhatsApp group, connects an account to a linked device or the WhatsApp Web portal.
“The threat actor can gain access to the messages in their WhatsApp account and have the capability to exfiltrate this data,” said Microsoft.
Microsoft did not state whether data had been stolen successfully from targeted WhatsApp accounts.
It said the fake email was an invitation to join a WhatsApp group on “the latest non-governmental initiatives aimed at supporting Ukraine NGOs”. As well as targeting ministers and officials in unnamed countries, the campaign has attempted to snare people involved in diplomacy, defence policy and international relations research related to Russia, as well as work related to helping Ukraine in its war with Russia.
In 2023, the NCSC said Star Blizzard had targeted British MPs, universities and journalists among others, in efforts to “interfere with UK politics and democracy”. It described Star Blizzard as being “almost certainly subordinate” to the FSB’s Centre 18 unit. As part of the 2023 announcement, the UK imposed sanctions on two Star Blizzard members including an officer in the FSB.
Microsoft said the WhatsApp campaign appeared to have been wound down in November but the shift in tactics by Star Blizzard underlined the unit’s tenacity in using spear phishing – the term for targeting specific individuals or groups with malicious emails – to try to access sensitive information. The increasingly popular practice of using QR codes by cybercriminals is called “quishing” among the cybersecurity community.
Microsoft recommended that email users belonging to sectors targeted by Star Blizzard should “always remain vigilant” when dealing with emails, particularly messages containing external links.
“When in doubt, contact the person you think is sending the email using a known and previously used email address to verify that the email was indeed sent by them,” it said.
WhatsApp, which is owned by Facebook’s parent company, Meta, is an end-to-end encrypted app, meaning that only the sender and recipient of a message can see it, unless the user is tricked into handing over access to their account.
A WhatsApp spokesperson said: “If you want to link your WhatsApp account to a companion device, you should only do so by going to WhatsApp’s officially supported services – and not through third-party websites. And no matter which service you’re on, you should only click on links from people you know and trust.”