Google’s Threat Intelligence Group (GTIG) has identified a surge in attempts by Russian state-aligned hacking groups to compromise Signal messenger accounts. The targets are primarily people of interest to Russia’s intelligence services: military personnel, government officials, journalists, and activists. While the current activity is tied to Russia’s war in Ukraine, experts caution that the same tactics are likely to be adopted by threat actors worldwide. The activity is not limited to Signal: Russia-aligned groups have also been observed targeting WhatsApp and Telegram with comparable methods, according to the group’s report published on Feb. 19.
The trend reflects a widening espionage landscape in which governments and hacking groups increasingly try to get inside secure messaging applications. The primary tactic does not exploit a software vulnerability in Signal; it abuses the app’s legitimate “linked devices” feature, which lets a user pair additional devices (such as Signal Desktop or an iPad) with their account by scanning a QR code on their phone. Attackers craft QR codes that encode a pairing request for a device they control: when the victim scans one, their account is linked to the attacker’s device, which from then on receives copies of the victim’s messages in real time, with no need for access to the victim’s phone. Signal’s end-to-end encryption is not broken in this scenario; the attacker’s device is simply one more authorized endpoint for the account.
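As an added example (not from GTIG’s report and not Signal’s own code), the following Python triage function classifies the text decoded from a QR code before anyone scans it with a phone, so that a lure whose wording says “group invite” but whose code actually requests device pairing is caught. It relies on two facts about Signal’s formats: a legitimate device-pairing QR encodes a `sgnl://linkdevice` URI carrying `uuid` and `pub_key` parameters, while a group invite is an `https://signal.group/#<invite>` link. The sample payloads are constructed for this example and the identifiers in them are dummies; the policy function `is_safe_to_scan` and its `in_signal_linking_flow` flag are the example’s own, not part of any Signal API.

```python
from urllib.parse import urlsplit, parse_qs

# Classify the text decoded from a QR code (decode the image with any QR
# reader first). Signal's legitimate device-linking QR encodes a
# sgnl://linkdevice URI with a device uuid and a public key; group invites
# are https://signal.group/#<invite> links; contact links use signal.me.
# Everything else is treated as "other". The sample payloads further down
# are constructed for this example; uuid/pub_key values are dummies.


def classify_signal_qr(payload: str) -> str:
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()      # urlsplit already lowercases, kept explicit
    host = parts.netloc.lower()        # "LINKDEVICE" and "linkdevice" are the same
    if scheme == "sgnl" and host == "linkdevice":
        params = parse_qs(parts.query)
        if "uuid" in params and "pub_key" in params:
            return "device-link"
        return "device-link-malformed"
    if scheme == "https" and host == "signal.group" and parts.fragment:
        return "group-invite"
    if scheme == "https" and host == "signal.me":
        return "contact-link"
    return "other"


def is_safe_to_scan(payload: str, in_signal_linking_flow: bool = False) -> bool:
    """Policy (this example's own, not Signal's): a device-link URI is only
    legitimate when the user is deliberately pairing a new device from
    inside Signal. Seen anywhere else (email, a web page, a 'security
    alert', a supposed group invite) it is an account-takeover attempt.
    Anything not recognized is refused rather than guessed at."""
    kind = classify_signal_qr(payload)
    if kind.startswith("device-link"):
        return in_signal_linking_flow and kind == "device-link"
    return kind in ("group-invite", "contact-link")


# Constructed samples: what the lure *says* versus what its QR *encodes*.
SAMPLES = [
    ("real group invite",
     "https://signal.group/#CjQKIDummyInviteBytesForThisExample"),
    ("lookalike invite page whose QR links a device",
     "sgnl://linkdevice?uuid=ZHVtbXktdXVpZA&pub_key=BZHVtbXkta2V5"),
    ("fake 'Signal security alert', mixed-case URI",
     "SGNL://LINKDEVICE?pub_key=BZHVtbXkta2V5&uuid=ZHVtbXktdXVpZA"),
    ("typosquatted invite domain",
     "https://signal-group.example/#CjQKIDummy"),
]


def triage(samples=SAMPLES):
    """Return (label, classification, allowed) for each sample payload."""
    return [(name, classify_signal_qr(p), is_safe_to_scan(p)) for name, p in samples]


if __name__ == "__main__":
    for name, kind, ok in triage():
        print(f"{'OK   ' if ok else 'BLOCK'} {kind:<22} {name}")
```

The lookalike sample is the one that matters: the page text and the QR payload disagree, and only the payload decides what scanning will do. A check like this fits wherever QR images are decoded automatically, for instance in a mail gateway or an endpoint agent, but it cannot help a user who scans with the phone camera; there the rule remains to scan a pairing code only from inside a Signal Desktop or iPad install you are setting up yourself.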
Phishing campaigns distributing these QR codes have dressed them up as legitimate Signal security alerts, group invitations, or device-pairing instructions copied from Signal’s own website. In some cases the codes were embedded in fraudulent applications built to mimic software used by the Ukrainian military. Russian operators have also taken the tactic to the battlefield: APT44 (also known as Sandworm, a unit tied to Russia’s military intelligence agency, the GRU) has reportedly used it on captured devices, linking soldiers’ Signal accounts to Russian-controlled infrastructure so that the accounts’ conversations keep reaching the attacker after the device has been seized.
Detecting such a compromise is hard: Signal has no centralized system that flags newly linked devices, so a successful link can go unnoticed for a long time. The practical check is manual: open Settings, then Linked Devices, and remove any entry you do not recognize, since every device listed there receives your messages. To counter these phishing attempts, Signal has worked with Google to reinforce its defenses, and the latest Android and iOS releases add protections intended to prevent unauthorized device linking. Users are advised to update to the newest version, to scan a pairing QR code only when they themselves are setting up a new Signal Desktop or iPad install, and to treat any other QR code or unexpected device-linking prompt as suspicious.
The escalation in state-backed targeting is a reminder that a secure messenger is only as safe as the devices paired to it and the decisions of the person holding the phone. Protecting sensitive communication against well-resourced adversaries depends on vendors like Signal working with security researchers to close off abuse paths, and on users knowing what a legitimate pairing flow looks like so that a disguised one stands out.