Russian Hackers Target WhatsApp for Data on Ukraine

A known hacking organization, according to Microsoft Corp., linked to Russia’s government has attempted to obtain WhatsApp data from employees of non-governmental organisations providing help to Ukraine. 

The Russian state-linked hackers have sent emails to government ministers and officials around the world, encouraging them to join WhatsApp user groups.

Attackers affiliated with Russia’s Federal Security Service, or FSB, sent emails to specific targets requesting that they join WhatsApp groups, Microsoft researchers said in a blog post Thursday. The phishing mails frequently seemed to be from a US government official and included a QR code that pretended to provide information about programs to support Ukraine in its continuing fight with Russia. Microsoft did not disclose whether any of the attempted hacks resulted in successful breaches.

Microsoft attributed the cyberattacks to Star Blizzard, an alleged state-backed hacking outfit. Since October, the US Justice Department has seized or taken down 180 websites affiliated with the group, according to Microsoft, headquartered in Redmond, Washington.

The WhatsApp method is a new strategy by the hacking group Star Blizzard. The National Cyber Security Centre (NCSC) of the United Kingdom has linked Star Blizzard to Russia’s internal intelligence service, the FSB, accusing it of attempting to “undermine trust in politics in the UK and likeminded states”

A representative from WhatsApp stated in a statement that the business uses end-to-end encryption to secure confidential chats and that users should only click on links from individuals they know and trust. A request for comment was not responded to promptly by the Russian Embassy in Washington.

The US Cybersecurity and Infrastructure Security Agency, or CISA, stated in December that the Star Blizzard group is “almost certainly” tied to Russia’s FSB, given the group’s history of attempting to hack American and British lawmakers, academics, and members of the defense sector. According to CISA, Star Blizzard specializes in investigating possible targets on social media, locating their professional relationships, and creating email accounts that appear to be trusted associates.

More information according to a blog post by Microsoft also revealed that users receive an email from an attacker impersonating a US government official, encouraging them to click on a QR code, which grants the attacker access to their WhatsApp account. Rather than providing access to a WhatsApp group, the code connects an account to a paired device or the WhatsApp Web page. “The threat actor can gain access to the messages in their WhatsApp account and have the capability to exfiltrate this data,” according to Microsoft!

Microsoft did not say whether data was successfully stolen from targeted WhatsApp accounts.

According to the report, the bogus email was an invitation to join a WhatsApp group discussing “the latest non-governmental initiatives aimed at supporting Ukraine NGOs.” In addition to targeting ministers and officials in unnamed nations, the effort has attempted to target those active in Russia-related diplomacy, defence strategy, and international relations research, as well as activity connected to assisting Ukraine in its battle with Russia.

In 2023, the NCSC stated that Star Blizzard had targeted British MPs, universities, and journalists, among others, in an attempt to “interfere with UK politics and democracy”. It said Star Blizzard was “almost certainly subordinate” to the FSB’s Centre 18 unit. As part of the 2023 statement, the UK sanctioned two Star Blizzard members, including an FSB officer.

Microsoft said the WhatsApp campaign looked to have ended in November, but Star Blizzard’s shift in tactics highlighted the unit’s tenacity in utilizing spear phishing – the phrase for sending malicious emails to specific persons or groups – to try to gain access to critical information. The cybersecurity community refers to the increasingly widespread technique of cybercriminals employing QR codes as “quishing”.

Microsoft advised email users in areas targeted by Star Blizzard to “always remain vigilant” when dealing with emails, especially those containing external links.

Cisa explained that Star Blizzard specializes in investigating possible targets on social media, locating their professional relationships, and creating email accounts that appear to be trustworthy associates. 

“When in doubt, contact the person you think is sending the email using a known and previously used email address to verify that the email was indeed sent by them,” according to the message.

WhatsApp, owned by Facebook’s parent company, Meta, is an end-to-end encrypted program, which means that only the sender and recipient of a message can read it, unless the user is duped into giving up access to their account.

According to a WhatsApp representative, if you want to attach your WhatsApp account to a companion device, you should only do so using WhatsApp’s officially supported services, not third-party websites. And no matter what service you’re using, only click on links from individuals you know and trust.”