
Russian Hackers Exploit WhatsApp QR Codes To Breach Global Ministers’ Official Accounts

Reports detail that Russian state-linked hackers, the Star Blizzard group, have launched the most sophisticated attacks yet on ministers and officials globally through WhatsApp, where they steal sensitive messages via a QR code. The phishing emails are fake but appear to originate from US government offices, inviting the recipient to join certain WhatsApp groups that are claimed to be necessary for official work. Instead, the QR code links the user’s WhatsApp account to the attackers’ devices, letting them read and exfiltrate any sensitive messages there.

Britain’s National Cyber Security Centre (NCSC) linked Star Blizzard to Russia’s Federal Security Service (FSB) and accused the group of trying to destabilize trust in world politics, specifically within the UK and allied countries. It said the hackers have targeted those individuals involved in diplomacy, defense, and international relations, particularly regarding Ukraine and Russia.

Microsoft’s blog post described how the group seems to lure victims with fake group invites purporting to support Ukrainian NGOs. It is not yet known whether any data was stolen. Still, the incident matters: Star Blizzard’s activity is said to have ended only in November, and the group has been adapting its spear-phishing tactics.

In 2023, Star Blizzard targeted British MPs, universities, and journalists. This led the UK government to slap sanctions on two members of the group, linked to the FSB’s Centre 18 unit. The growing use of QR codes in these types of cyberattacks, termed “quishing” by experts, is increasingly worrisome.

Microsoft asked recipients to be cautious when opening emails with links from other sources and recommended verification of the messages via known contacts. Meta-owned WhatsApp urged people to use authentic channels for account linking and cautioned against clicking on links from unknown sources. The platform reminded its users that the messages are end-to-end encrypted, meaning no one can access them unless access to the account is compromised.

Shairin Panwar

As a content writer at The Daily Guardian specializing in International Affairs, I focus on creating clear, well-researched articles that help readers stay informed about global events. I’m passionate about storytelling and aim to present important topics in an engaging and easy-to-understand way.
