Google’s Threat Intelligence Group (GTIG) has issued a warning that Russia’s GRU military intelligence service is targeting Signal accounts used by Ukraine’s military. According to the group, several state-aligned Russian threat actors have noticeably stepped up their efforts to compromise Signal Messenger accounts belonging to individuals of interest to Russia’s intelligence services.
The GRU has reportedly been utilizing devices captured in Ukraine to link the Signal accounts on these devices to hacker-controlled infrastructure. While Ukraine’s military is currently the main target of the Russian hacking activities, the GTIG anticipates that the tactics and methods used to target Signal will expand and spread to additional threat actors and regions beyond the scope of the conflict in Ukraine.
One of the suspected Russian espionage clusters, tracked by Google as UNC5792, has been altering legitimate Signal group-invite pages so that the invites redirect to malicious URLs. As Google highlights, the methods the GRU uses to hijack Signal accounts are equally applicable to WhatsApp and Telegram accounts.
The hackers abuse a legitimate Signal feature, device linking, which lets one account be used on several devices at once. A malicious QR code links the victim’s account to a device controlled by the hackers, allowing them to read otherwise secure conversations in real time without compromising the victim’s phone.
Google revealed that the Russian hackers utilize tailored remote phishing operations in conjunction with the deployment of malicious QR codes embedded in phishing pages designed to mimic specialized apps used by Ukraine’s military. Despite these efforts, the end-to-end encryption employed by Signal does not appear to have been compromised.
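The technique described above turns on what a QR code or link actually encodes: a device-link request rather than the group invite or app download it is dressed up as. The following triage helper, an added example that is not part of the original report or of Signal’s code, classifies decoded QR payloads and link strings so that a device-link request appearing on a third-party web page can be flagged for review. It assumes the Signal device-link URI takes the form `sgnl://linkdevice?uuid=...&pub_key=...` (older clients used a `tsdevice:/?...` form) and that group invites are `https://signal.group/#...` links; the sample payloads are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed formats (not taken from the report): a device-link request is encoded as
# sgnl://linkdevice?uuid=<uuid>&pub_key=<base64>, older clients used tsdevice:/?uuid=...&pub_key=...,
# and group invites are https://signal.group/#<invite>.
LINK_SCHEMES = {"sgnl", "tsdevice"}
GROUP_INVITE_HOST = "signal.group"


def classify_payload(payload: str) -> str:
    """Classify one decoded QR payload or link as device-link, group-invite, url or other."""
    parts = urlsplit(payload.strip())
    if parts.scheme in LINK_SCHEMES:
        params = parse_qs(parts.query)
        # A linking request carries the new device's identity and public key.
        if "uuid" in params and "pub_key" in params:
            return "device-link"
        return "other"
    if parts.scheme == "https" and parts.netloc == GROUP_INVITE_HOST:
        return "group-invite"
    if parts.scheme in ("http", "https"):
        return "url"
    return "other"


def triage(payloads):
    """Return (payload, severity, reason) for payloads that warrant attention.

    A device-link request embedded in a web page or image that is not the Signal
    client itself would add a device to the scanning user's account, so it is
    rated HIGH; group invites are surfaced for a check against the expected group.
    """
    findings = []
    for payload in payloads:
        kind = classify_payload(payload)
        if kind == "device-link":
            findings.append((payload, "HIGH", "device-link request outside the Signal client"))
        elif kind == "group-invite":
            findings.append((payload, "REVIEW", "group invite; confirm it leads to the expected group"))
    return findings


if __name__ == "__main__":
    # Constructed sample payloads, as they might be decoded from QR codes on a phishing page.
    samples = [
        "sgnl://linkdevice?uuid=11111111-2222-3333-4444-555555555555&pub_key=QUJDREVGR0g=",
        "https://signal.group/#CjQKIEV4YW1wbGU",
        "https://example.test/download/app.apk",
    ]
    for finding in triage(samples):
        print(*finding, sep=" | ")
```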
In response to the threat, Signal has implemented various measures to protect users from social engineering attacks of this nature. This includes a revamped user interface with additional authentication steps and new notifications for newly linked devices.
It is crucial for users, especially those in sensitive positions or involved in conflict zones, to remain vigilant and ensure the security of their communication channels. As cyber threats continue to evolve and expand, it is essential for individuals and organizations to stay informed and take proactive steps to safeguard their digital presence.