Russian Hackers Target Diplomats in WhatsApp Spear-Phishing Campaign

Vlad CONSTANTINESCU

January 20, 2025


Security experts have discovered a new spear-phishing campaign orchestrated by Russian state-backed threat actors against high-profile diplomats and Ukrainian aid organizations.

Russian malicious campaign against Ukrainian targets

Star Blizzard, a group of Russian state-sponsored hackers, has launched a ruthless spear-phishing campaign against various Ukraine-linked targets.

Perpetrators sought targets in diplomacy, defense policy, government, international relations and aid organizations in the country.

The campaign was first noticed in mid-November and seems to have been terminated by the end of the month.

Weaponizing WhatsApp invitations

Threat actors initiate contact by masquerading as US government officials and sending fake email messages to their targets. The messages typically contain a rogue invitation to a WhatsApp group allegedly related to non-governmental initiatives supporting Ukraine.

However, the initial email message prompting recipients to join the group displays a broken QR code, a technique used to force the target to reply, asking for a working alternative.

Once the recipient replies, threat actors follow up with another email harboring a ‘t.ly’ shortened link. Opening the link redirects the user to a maliciously crafted WhatsApp invitation page with a different QR code.

Tricking targets into linking new devices to their WhatsApp account

Visitors are instructed to open WhatsApp on their phones, access the “Linked devices” section, tap “Link a device” and scan the QR code on the screen.

People who have used WhatsApp on their computers should be familiar with the process; following the steps provided by the malicious link would lead to linking a new device to the victim’s WhatsApp account instead of joining a group.

Once the target falls prey to the scam, threat actors can quickly exfiltrate sensitive data, including messages, files, and a list of contacts, from the compromised WhatsApp account.

No malicious code used

Although threat actors crafted fake WhatsApp invitation links and QR codes, no actual malicious code was used in the campaign, making the attack more likely to slip past traditional defenses like antivirus or antimalware services.

To detect and deter similar attacks, users are advised to remain vigilant and avoid interacting with links from unknown senders, including invitations to join WhatsApp groups.

Regularly checking the list of devices linked to your WhatsApp account and logging out of unknown or unused ones also helps to keep criminals at bay.
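Because the lure carries no malware, mail-side detection has to key on the message pattern itself. The following triage check for the follow-up email described above is an added example, not code from the article or from any vendor tool; the shorteners other than t.ly, the keyword list and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# t.ly is the shortener named in the article; the other two are assumed additions.
SHORTENERS = {"t.ly", "bit.ly", "tinyurl.com"}
# Assumed keyword list based on the lure wording described in the article.
LURE_TERMS = ("whatsapp", "qr code", "link a device")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def body_text(msg):
    """Concatenate every text/plain part of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in parts if p.get_content_type() == "text/plain")

def triage(raw_email):
    """Report which traits of the follow-up lure email a message shows."""
    msg = message_from_string(raw_email)
    body = body_text(msg)
    urls = [u.rstrip(".,)") for u in URL_RE.findall(body)]
    short = [u for u in urls
             if (urlparse(u).hostname or "").lower().removeprefix("www.") in SHORTENERS]
    lure = [t for t in LURE_TERMS if t in body.lower()]
    followup = bool(msg["In-Reply-To"]) or (msg["Subject"] or "").lower().startswith("re:")
    # Shortened link plus WhatsApp wording is the core pattern; a reply thread
    # matches the broken-QR-code step that makes the target write back first.
    return {"short_links": short, "lure_terms": lure, "followup": followup,
            "flagged": bool(short and lure)}

# Constructed sample messages (not real campaign emails).
PHISH = """\
From: "Program Office" <office@example.org>
Subject: Re: WhatsApp group invitation
In-Reply-To: <constructed-id@example.net>

Sorry the QR code did not work. Please join the WhatsApp group here:
https://t.ly/EXAMPLE
"""
BENIGN = """\
From: colleague@example.net
Subject: Meeting notes

The notes are at https://example.net/notes. Our WhatsApp chat has the agenda.
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(name, triage(raw))
```

A flagged message is a candidate for analyst review, not a verdict: the check only shows that a shortened link and WhatsApp invitation wording arrived together.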

Using specialized scam detection tools

Specialized services like Bitdefender’s Scamio can help you detect scams before they do harm. Scamio analyzes text messages, emails, social media messages, images, QR codes, and described scenarios and provides instant assessments of their perceived legitimacy.

Scamio is free and available on Facebook Messenger, WhatsApp, Discord and your web browser. You can also help others stay safe by sharing Scamio with them in France, Germany, Spain, Italy, Romania, Australia and the UK.

Author


Vlad CONSTANTINESCU

Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
