
Russian Hackers Launch Cyber Espionage Operation Against Signal Messenger


Multiple Russia-aligned threat groups are actively targeting the Signal Messenger application, focusing on individuals who are likely to exchange sensitive military and government communications related to the ongoing conflict in Ukraine.

According to researchers at Google’s Threat Intelligence Group (GTIG), the activity is currently centered around individuals of interest to Russia’s intelligence services. While the scope of the targeting is limited at the moment, experts warn that the tactics being employed by these threat actors could potentially be adopted by other groups for more widespread attacks on popular messaging apps like Signal, WhatsApp, and Telegram.

Google’s threat analyst Dan Black stated in a blog post that they anticipate the tactics used to target Signal will increase in prevalence in the near future and could spread to additional threat actors and regions beyond the Ukrainian conflict zone. Two of the Russian cyber-espionage groups identified by Google as targeting Signal are UNC5792 and UNC4221, also known as UAC-0195 and UAC-0185, respectively. Their primary goal is to trick targeted individuals into linking their Signal accounts to attacker-controlled devices, allowing the threat actors to intercept incoming messages.

UNC5792 has been sending invitations to join a Signal group, but these invitations contain malicious QR codes that, when scanned, inadvertently link the victim’s account to a device controlled by the threat actor. On the other hand, UNC4221 has been using a customized phishing kit that impersonates the Kropyva application, which is used by Ukraine’s military for artillery guidance. By creating phishing sites with embedded QR codes, UNC4221 aims to deceive Signal Messenger users into scanning the codes, thereby linking their accounts to the attackers’ devices.
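As an added illustration (not code from this article or from Google's report), the following defender-side check classifies what a decoded QR code or invite link actually asks Signal to do, and flags a device-link request that arrives under any other pretext. The URI shapes (`sgnl://linkdevice`, the older `tsdevice:` form, and `signal.group` invite links) are assumptions based on Signal's public behaviour, and all sample payloads are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed URI shapes (from Signal's public behaviour, not from the article).
LINK_DEVICE_SCHEMES = {"sgnl", "tsdevice"}
GROUP_INVITE_HOST = "signal.group"


def classify_signal_uri(payload: str) -> str:
    """Classify a decoded QR payload or link as link_device, group_invite or other."""
    parts = urlsplit(payload.strip())
    host = (parts.hostname or "").lower()
    query = parse_qs(parts.query)
    if parts.scheme in LINK_DEVICE_SCHEMES and (host == "linkdevice" or "pub_key" in query):
        return "link_device"
    if parts.scheme in {"https", "sgnl"} and host == GROUP_INVITE_HOST:
        return "group_invite"
    return "other"


def triage(claimed: str, payload: str) -> dict:
    """Compare what a lure claims to be with what the payload asks Signal to do."""
    actual = classify_signal_uri(payload)
    # Linking is only expected when the user started it from Signal's own
    # Linked Devices screen; any other context is a mismatch worth reporting.
    return {"claimed": claimed, "actual": actual,
            "suspicious": actual == "link_device" and claimed != "link_device"}


# Constructed samples with placeholder values; none come from a real campaign.
SAMPLES = [
    ("group_invite", "https://signal.group/#PLACEHOLDER_INVITE"),
    ("group_invite", "sgnl://linkdevice?uuid=PLACEHOLDER&pub_key=PLACEHOLDER"),
    ("app_download", "tsdevice:/?uuid=PLACEHOLDER&pub_key=PLACEHOLDER"),
    ("link_device", "sgnl://linkdevice?uuid=PLACEHOLDER&pub_key=PLACEHOLDER"),
]

if __name__ == "__main__":
    for claimed, payload in SAMPLES:
        print(triage(claimed, payload))
```

The same mismatch rule can be applied to QR payloads extracted from reported phishing pages or messages during triage.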

These targeted attacks on Signal are part of a broader trend of threat actor interest in secure messaging apps that are commonly used by individuals involved in espionage, intelligence gathering, politics, activism, journalism, and other sensitive fields. The end-to-end encryption and minimal data collection practices of these apps make them attractive targets for adversaries seeking to intercept valuable information for various intelligence purposes.

It’s worth noting that Russia-aligned groups have also targeted users of other messaging apps like Telegram and WhatsApp using similar tactics. Recent reports have highlighted attacks on WhatsApp accounts belonging to government officials and diplomats by groups like Star Blizzard and Coldriver. Businesses that use WhatsApp for communication and customer engagement may also be at risk of being targeted by these threat actors.

In conclusion, the increased targeting of secure messaging apps like Signal by Russia-aligned threat groups signifies a growing concern for the security and privacy of individuals engaged in sensitive communications. As these attacks become more prevalent and sophisticated, it is crucial for users to remain vigilant and take necessary precautions to protect their data and information.
