
FSB Star Blizzard
FSB cyber unit using QR-code social engineering to compromise messaging accounts of journalists, lawyers and politicians.
Last refreshed: 17 April 2026
How does an FSB unit use a QR code to link its own device to a journalist's Signal account?
Timeline for FSB Star Blizzard
- March 2026: targeted Signal, WhatsApp and Facebook Messenger accounts of politicians, journalists, academics and lawyers using malicious QR codes. Reported in "Signal, WhatsApp hit by three states" (Cybersecurity: Threats and Defences).
- What is FSB Star Blizzard and why is it dangerous?
- Star Blizzard is a Russian FSB cyber unit specialising in long-running social-engineering campaigns against journalists, politicians and lawyers. Its current lure is a QR code that, once scanned, links an attacker-controlled device to the target's Signal or WhatsApp account, giving the unit a live feed of the target's private communications without ever touching the target's password or PIN. Source: NCSC-AIVD advisory, March 2026
- Is Star Blizzard the same as Cold River or Callisto Group?
- Yes. They are tracking labels applied by different threat-intelligence teams to the same FSB-attributed actor: Microsoft first tracked it as SEABORGIUM and renamed it Star Blizzard, Google's threat-intelligence team calls it COLDRIVER, and Callisto Group is the older name from F-Secure's reporting. NCSC uses Star Blizzard. Source: NCSC / Microsoft Threat Intelligence
- How does Star Blizzard use QR codes to hack messaging apps?
- The group abuses the legitimate "linked devices" feature that lets a user pair a laptop or tablet with their phone. The attacker generates the device-linking QR code on their own device and delivers it to the target, dressed up as an event invitation, a group invite or a security notice; when the target scans it from inside Signal, WhatsApp or Messenger, the app treats the attacker's device as the target's own second device. From then on the attacker receives messages delivered to the account, can send messages as the target, and keeps that access until the target notices and removes the device under the app's linked-devices settings. No password, PIN or SIM swap is involved, so the usual account-recovery signals never fire. Source: NCSC-AIVD advisory, March 2026
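The practical check that follows from the mechanism above is to never scan an unexpected QR code with the messaging app's own camera: read it first with a plain QR scanner and look at the decoded text. The script below is an added example, not code from the NCSC-AIVD advisory or from Signal. It classifies decoded payloads and flags Signal device-linking URIs, whose `sgnl://linkdevice?uuid=...&pub_key=...` shape is Signal's linked-device format; the `Verdict` type, the sample payloads (constructed here), and the treatment of `https://signal.me` contact links are assumptions made for this example.

```python
"""Triage the text decoded from a QR code before it reaches a messaging app.

Added example, not part of the advisory or of any Signal code. Signal's
device-linking QR carries a URI of the form
    sgnl://linkdevice?uuid=<new device id>&pub_key=<its public key>
and scanning it from the account holder's phone approves that device.
The Verdict type, the sample payloads and the signal.me handling are
assumptions made for this example.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse


@dataclass(frozen=True)
class Verdict:
    kind: str    # "signal-link-device", "signal-contact", "web-url", "opaque", ...
    risky: bool  # True when scanning could grant another device access
    reason: str


def classify_qr_payload(payload: str) -> Verdict:
    """Classify one decoded QR payload (read with a standalone QR reader)."""
    text = payload.strip()
    parsed = urlparse(text)
    scheme = parsed.scheme.lower()

    if scheme == "sgnl":
        # The 'linkdevice' action carries the identity of the device asking
        # to join the account. In a lure that is the attacker's device, not
        # the account holder's own laptop.
        if parsed.netloc.lower() == "linkdevice":
            params = parse_qs(parsed.query)
            missing = [k for k in ("uuid", "pub_key") if k not in params]
            if missing:
                return Verdict("signal-link-device", True,
                               "malformed device-link request, missing " + ", ".join(missing))
            return Verdict("signal-link-device", True,
                           "would add device %s to your Signal account" % params["uuid"][0])
        return Verdict("signal-other", False, "sgnl:// action %r" % parsed.netloc)

    if scheme in ("http", "https"):
        host = (parsed.hostname or "").lower()
        if host == "signal.me":
            # Contact and username share links open a chat; they do not link a device.
            return Verdict("signal-contact", False, "Signal contact link, opens a chat only")
        return Verdict("web-url", False, "opens " + (host or "<no host>") + " in a browser")

    # Not a URL at all. Other apps' pairing codes are opaque token strings, so
    # anything unrecognised is treated as a possible pairing token.
    return Verdict("opaque", True,
                   "unrecognised payload; treat as a possible device-pairing token")


# Constructed sample payloads, as a QR reader would decode them.
SAMPLE_PAYLOADS = [
    "sgnl://linkdevice?uuid=8b2f7c1e-0000-4000-8000-000000000001&pub_key=BQexample",
    "sgnl://linkdevice?uuid=only",
    "https://signal.me/#p/+15555550100",
    "https://example.org/conference-agenda.pdf",
    "2@AbCdEf,GhIjKl,MnOpQr",
]


def triage(payloads):
    """Return (payload, verdict) pairs; risky ones first so they are seen."""
    results = [(p, classify_qr_payload(p)) for p in payloads]
    return sorted(results, key=lambda pv: not pv[1].risky)


if __name__ == "__main__":
    for payload, verdict in triage(SAMPLE_PAYLOADS):
        flag = "DO NOT SCAN" if verdict.risky else "ok"
        print(f"{flag:12} {verdict.kind:20} {payload}\n{'':12} {verdict.reason}")
```

The classifier is a triage aid, not a substitute for the control that actually ends the access: periodically opening the app's linked-devices list and removing anything you did not add yourself.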
Background
FSB Star Blizzard is a threat actor attributed by NCSC, CISA and EU partner agencies to Russia's Federal Security Service (FSB). In March 2026, NCSC and the Dutch AIVD issued a joint advisory identifying Star Blizzard as one of three state actors, alongside China's APT31 and Iran's IRGC, targeting Signal, WhatsApp and Facebook Messenger accounts of politicians, journalists, academics and lawyers via malicious QR codes and contact impersonation.
Star Blizzard (previously tracked as SEABORGIUM, Callisto Group and Cold River) has been active since at least 2019. Its campaigns centre on sustained social engineering: building rapport with targets over weeks or months before delivering credential-harvesting links, spear-phishing attachments or, more recently, malicious QR codes that link attacker-controlled devices to the target's messaging account. Prior campaigns targeted NATO officials, UK MPs, think-tank researchers and Ukrainian officials. The group's access to messaging-platform accounts gives it insight into the private communications of civil-society organisations that operate largely outside the corporate network perimeter.
The convergence of FSB, APT31 and IRGC on the same messaging-app targeting technique in the March 2026 advisory suggests that consumer-grade encrypted messaging is now a priority collection surface for several intelligence services at once. End-to-end encryption is not what is being broken here: a linked device is a legitimate endpoint of the conversation, so the mitigations the advisory recommends, passkeys where the platform supports them and regular audits of the linked-devices list to remove anything unrecognised, fall on the individual account holder rather than on an enterprise IT team, because these accounts sit outside any corporate perimeter.