Image: WhatsApp (Appshunter / Unsplash)

Russian Star Blizzard hackers exploit WhatsApp accounts to spy on nonprofits aiding Ukraine

The Russian state-backed hacking group Star Blizzard recently attempted to compromise the WhatsApp accounts of nonprofits aiding Ukraine, researchers reported.

The group appears to be using a new method to infiltrate victims' systems, likely adopted in response to the recent takedown of their domains and websites by cybersecurity agencies, Microsoft said on Thursday.

Starting in mid-November, hackers launched a campaign sending phishing messages that impersonated U.S. government officials, offering recipients an invitation to join a WhatsApp group for nonprofit organizations supporting Ukraine during the war. While the researchers didn’t say specifically where the organizations are based, the fake WhatsApp group was called “US-Ukraine NGOs Group.” 

As in previous attacks, Star Blizzard first initiated contact with their targets via email, followed by a second message containing a malicious link.

The link directed victims to a webpage that prompted them to scan a QR code to join the group. In reality, the QR code was intended to link the victim's account to a device controlled by the attackers, allowing them to access and exfiltrate the victim's messages using legitimate browser plugins.

According to Microsoft, this is the first case of Star Blizzard using WhatsApp to infiltrate victims' systems. 

Since October, Microsoft and the U.S. Department of Justice have dismantled or seized more than 180 websites associated with Star Blizzard’s operations. Researchers noted that while these actions “had a short-term impact” on the group, Star Blizzard quickly adapted by shifting to new domains, demonstrating its “high resilience” to disruptions in its infrastructure. The targeting of WhatsApp may be part of this adaptation. 

While the group’s latest spying campaign appears to have ended in late November, Star Blizzard is likely to continue changing its tactics to evade detection, researchers said.

The report did not provide details on the campaign's effectiveness, the specific targets involved, or whether the hackers successfully exfiltrated any information from their victims.

Also tracked as the Callisto Group, Star Blizzard is believed to be linked to Russia’s Federal Security Service (FSB).

According to Microsoft, the group’s targets are most commonly connected to government or diplomacy, defense policy, or research that touches on Russia, as well as sources of assistance to Ukraine in the war with Russia.

Between January 2023 and August 2024, researchers observed Star Blizzard target more than 30 civil society entities and organizations — including journalists, think-tanks, and nonprofits — by deploying phishing campaigns to exfiltrate sensitive information and interfere with their activities.

In the U.S., the group was accused last October of targeting former members of the U.S. intelligence community, current and former Department of Defense and State Department employees, military contractors and staff at the Department of Energy.

Deputy Attorney General Lisa Monaco said the Russian government “ran this scheme to steal Americans’ sensitive information.”

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.