In a concerning development, Russian hackers have been exploiting the connected devices feature of the Signal messenger to target Ukrainian military communications. Cybersecurity experts are now warning that this tactic could be used by hackers to target other entities as well.
The hackers have been employing two main methods to carry out their attacks:
1. Physical device takeover – This involves gaining access to phones used by military groups and linking their own devices to the account.
2. Adding an enemy device via QR code – In this method, hackers use social engineering tactics and phishing sites that impersonate Signal service pages to trick users into scanning malicious QR codes.
The Google Threat Intelligence Group (GTIG) has identified APT44 (Sandworm), UNC5792, and UNC4221 hacking groups as the perpetrators behind these attacks. These groups are creating fake websites that contain malicious JavaScript and QR codes to compromise accounts. For example, UNC4221 has been found to imitate pages of the Kropyva program, which the Ukrainian military uses for artillery guidance.
To protect against such attacks, security experts recommend the following measures:
1. Always update Signal to the latest version.
2. Regularly check the list of connected devices.
3. Avoid scanning QR codes from unverified sources.
4. Enable authentication and notifications about new connections.
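The QR-code advice above can be backed by a simple check on what a code actually contains before anyone acts on it. The following is an added example, not code from Signal or from the GTIG report: it assumes, beyond what this page states, that Signal device-linking QR codes carry a URI of the form `sgnl://linkdevice?...`, and all sample values in it are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption (not stated on the page): a Signal device-linking QR code encodes
# a URI with scheme "sgnl" and host "linkdevice".
LINK_SCHEME = "sgnl"
LINK_HOST = "linkdevice"
LINK_URI_RE = re.compile(r"sgnl://linkdevice\?[^\s\"'<>]+", re.IGNORECASE)


def classify_qr_payload(payload: str) -> str:
    """Classify decoded QR text: device-link, signal-other, web-url or other."""
    try:
        parts = urlsplit(payload.strip())
        host = parts.hostname or ""
    except ValueError:          # malformed URI, e.g. a broken IPv6 literal
        return "other"
    if parts.scheme == LINK_SCHEME:
        return "device-link" if host == LINK_HOST else "signal-other"
    if parts.scheme in ("http", "https"):
        return "web-url"
    return "other"


def triage(payload: str, user_started_linking: bool) -> str:
    """Decide what to tell the user who is about to scan this code."""
    kind = classify_qr_payload(payload)
    if kind == "device-link" and not user_started_linking:
        # A link request the user did not initiate would add someone else's
        # device to the account, whatever the surrounding page claims it is.
        return "block"
    if kind == "device-link":
        return "confirm"        # expected, but still verify in Linked Devices
    return "allow"


def find_link_uris(page_source: str) -> list:
    """Find device-link URIs embedded in saved page source under review."""
    return LINK_URI_RE.findall(page_source)


if __name__ == "__main__":
    # Constructed samples; the uuid and pub_key values are placeholders.
    invite = "sgnl://linkdevice?uuid=CONSTRUCTED-UUID&pub_key=CONSTRUCTED-KEY"
    print(triage(invite, user_started_linking=False))     # block
    print(triage("https://example.org/join", False))      # allow
    print(find_link_uris('<a href="%s">Join group</a>' % invite))
```

A "block" result means the code would link a new device even though the user was only told to join a group or confirm an account, which is the pattern described in method 2.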
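Signal's end-to-end encryption, which is considered a robust method of protecting data, does not stop these attacks, because a device linked to an account receives its messages as an authorized endpoint. Vulnerabilities related to QR codes therefore pose a threat not only to this messenger but also to other services like WhatsApp.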
It is crucial for users to remain vigilant and adopt best practices for cybersecurity to prevent falling victim to such attacks. By staying informed, keeping software up to date, and being cautious when interacting with unfamiliar sources, individuals and organizations can enhance their defenses against malicious actors in cyberspace.