Russian Federal Security Service (FSB) hackers, often called Star Blizzard, Turla, and Snake, have been observed impersonating U.S. government officials to gain access to WhatsApp accounts belonging to individuals in the Ukrainian government, aid, defense, and international relations sectors.
The attacks began with a spearphishing email, designed to appear as if it were coming from a U.S. government representative, containing an invitation to join a WhatsApp group related to initiatives that support Ukraine. The email instructs the target to scan the included QR code to join the group. However, the QR code is intentionally broken, forcing the target to reply to the email to request an alternative way to join the group.
If the victim replies, Star Blizzard follows up with another email instructing the target to open a ‘t.ly’ short link to a fake webpage that looks like a legitimate WhatsApp invitation page. This page contains another QR code and instructions for the target to follow to join the group.
This time the QR code isn’t broken. If the target scans it, it links the target’s WhatsApp account to a new device, one under the control of Star Blizzard, giving the group access to the target’s WhatsApp messages and data.
Source: Bleeping Computer
Analysis
While the FSB’s development and use of highly sophisticated malware to support its malicious operations are well documented, this campaign is notable in that it requires no malware, only clever social engineering to trick targets into granting access to their WhatsApp accounts. The lack of malware makes it harder for technical security controls to detect and mitigate this attack, leaving it up to the human user to decide whether to click the URL or scan the potentially malicious QR code.
Targeting WhatsApp accounts belonging to the Ukrainian government, aid, defense, and international relations sectors makes sense for the FSB as the Russian government would be highly interested in their conversations, contacts, and other sensitive data. These compromised accounts could also facilitate future attacks as they could be used to send malicious WhatsApp messages to other targets in the contact list.
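As an added defender-side example (not from the report or Field Effect), a small Python triage heuristic that scores an inbound email against the lure traits described above: a display name claiming a U.S. government affiliation sent from a non-.gov address, a WhatsApp group invitation, a reference to a QR code, and a t.ly shortened link. The two sample messages are constructed, and the shortener list beyond t.ly is an assumption.

```python
"""Triage heuristic for the WhatsApp-lure spearphishing chain (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# t.ly is the shortener named in the report; the other two are an assumption.
SHORTENERS = {"t.ly", "bit.ly", "tinyurl.com"}
GOV_CLAIM = re.compile(r"(U\.S\.|Department|Embassy|\.gov)", re.I)
URL_HOST = re.compile(r"https?://([^/\s]+)", re.I)

def triage(raw: str) -> dict:
    """Score one RFC 822 message against the lure traits; return score and reasons."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = "".join(p.get_payload(decode=True).decode(errors="replace")
                   for p in msg.walk() if p.get_content_type() == "text/plain")
    text = f"{msg.get('Subject', '')}\n{body}"
    reasons = []
    # Display name claims a U.S. government affiliation, but the address is not .gov
    if GOV_CLAIM.search(name) and not domain.endswith(".gov"):
        reasons.append("gov-impersonation")
    # Invitation to a WhatsApp group, the pretext used in both emails of the chain
    if re.search(r"whatsapp", text, re.I) and re.search(r"group|invit", text, re.I):
        reasons.append("whatsapp-group-lure")
    # QR code: the device-linking vector of the second stage
    if re.search(r"\bQR\b", text, re.I):
        reasons.append("qr-code")
    # Shortened link hiding the fake invitation page
    if any(h.lower() in SHORTENERS for h in URL_HOST.findall(text)):
        reasons.append("shortened-link")
    return {"score": len(reasons), "reasons": reasons}

# Constructed samples: a message mimicking the lure, and a benign one.
LURE = """\
From: "Jane Roe, U.S. Department of State" <jane.roe@example.com>
Subject: Invitation: WhatsApp group on Ukraine support initiatives
Content-Type: text/plain

Please join via https://t.ly/EXAMPLE and scan the QR code on that page.
"""
BENIGN = """\
From: "Jane Roe" <jane.roe@example.gov>
Subject: Meeting notes
Content-Type: text/plain

Attached are the notes from today's call. Thanks.
"""
```

A message scoring three or more of the four traits is a good candidate for analyst review rather than delivery to the inbox.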
Mitigation
Field Effect’s Security Intelligence team constantly monitors the cyber threat landscape for advanced persistent threats like Russia’s FSB hackers. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the risk these threats pose.
Field Effect MDR users are automatically notified when various types of malicious activity are detected in their environment and are encouraged to review these AROs (actions, recommendations, and observations) as quickly as possible via the Field Effect Portal.
Field Effect encourages all organizations at risk of Russian cyber activities to review the U.S. Cybersecurity & Infrastructure Security Agency (CISA) ShieldsUp program, which provides robust guidance for preparing, responding to, and mitigating the impacts of Russian state-sponsored cyberattacks.
Field Effect users are encouraged to submit suspicious emails to Field Effect’s Suspicious Email Analysis Service (SEAS) to confirm they are benign before clicking links or opening attachments.