Google has issued a warning about the increasing threat posed by Russian state-backed groups targeting secure messaging applications like Signal, WhatsApp, and Telegram. These groups, believed to be aligned with Russian intelligence services, are concentrating on compromising accounts of individuals including military personnel, politicians, journalists, and activists, with the initial focus on the conflict in Ukraine.
According to a recent report by Google’s Threat Intelligence Group, these malicious actors are employing various tactics to intercept sensitive communications. One primary method involves exploiting the “linked devices” feature of Signal through phishing techniques. By tricking users into scanning malicious QR codes, attackers can link a device under their control to the victim’s account, allowing them to intercept messages in real time without compromising the victim’s device itself.
These malicious QR codes are often disguised as legitimate Signal resources, such as group invites or security alerts, making it challenging for users to detect the phishing attempts. In some cases, the attackers incorporate these codes into phishing pages that mimic specialized applications used by the Ukrainian military.
Additionally, Russian state-backed groups have been observed modifying legitimate Signal group invite links to redirect victims to fake pages that link an attacker-controlled device to the victim’s account without the victim’s knowledge. UNC5792 and UNC4221 are two such groups identified in these activities, with UNC4221 targeting Ukrainian military personnel by embedding malicious QR codes within phishing sites.
Apart from phishing, other threat actors like APT44 (Sandworm), Turla, and UNC1151 utilize malware, scripts, and tools to extract Signal messages from compromised Windows and Android devices. These actors employ various techniques such as the WAVESIGN script to retrieve recent messages or the Chisel malware to search for Signal database files on Android devices. UNC4221 has also been using a JavaScript payload called PINPOINT to gather user information and geolocation data.
The popularity of secure messaging apps makes them prime targets for adversaries, with WhatsApp and Telegram also facing similar threats. Researchers have emphasized the growing threat to secure messaging applications and warned users to be cautious. They recommend using strong screen locks, complex passwords, keeping operating systems and apps updated, and enabling two-factor authentication. Regularly auditing linked devices, exercising caution with QR codes and links, and, for iPhone users at high risk, considering enabling Lockdown Mode are also suggested measures.
In conclusion, the increasing attacks by Russian state-backed groups on secure messaging applications highlight the importance of implementing robust security measures to safeguard sensitive communications. As the threat landscape continues to evolve, users are urged to stay vigilant and take proactive steps to protect their privacy and data from malicious actors.