
Ukrainian Signal Users Victimized by Russian Social Engineering

In a recent development, Russian nation-state hackers have intensified their efforts to target Ukrainian users of the encrypted chat app Signal through phishing attacks, according to security researchers. The Google Threat Intelligence Group conducted an analysis that revealed multiple Russian threat actors using social engineering tactics to exploit data security vulnerabilities. Given the app’s popularity among politicians, journalists, and activists, it has become a prime target for threat actors seeking sensitive information.

The tactics employed by Russian hackers against Ukrainian Signal users serve as a warning for users globally. Google has predicted that these tactics will become more widespread in the near future and may expand to additional threat actors and regions beyond the ongoing conflict in Ukraine. The hackers’ key strategy has been bypassing end-to-end encryption by manipulating users into revealing their messages through malicious means. One prominent technique observed by Google researchers involves sending malicious QR codes to users, taking advantage of a Signal function that allows multiple device access.

The linked devices feature of Signal enables users to access their account from both a phone and a desktop device while synchronizing message history. By inserting malicious code into the QR code scanning process, threat actors can link their device to a victim’s account, granting them perpetual access to message content. This method poses a significant risk as compromises may go unnoticed for extended periods. Malicious QR codes have been disguised as Signal group invites or legitimate pairing instructions to deceive users. In more targeted attacks, QR codes have been embedded in phishing pages posing as specialized applications for Ukrainians.

Russian hackers affiliated with the Sandworm group, also known as Unit 74455 of the General Staff Main Intelligence Directorate Main Center for Special Technologies, are collaborating with Russian forces to link Signal accounts on battlefield-captured devices. Another tactic identified by Google, attributed to threat actor UNC5792, which Ukrainian cyber defense tracks as UAC-0195, involves sending fake group invites that redirect victims to a page linking their account to the threat actor’s account.
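A defensive check for the lure described above, as an added example that is not from the article, Signal or Google: it classifies a decoded QR string, or the source of a saved invite page, by what it would actually do rather than what it claims. The `sgnl://linkdevice` and `tsdevice:/` device-linking URI forms and the `signal.group` invite host are assumptions not stated on the page; the function names and sample values are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumed URI forms (not stated in the article): device linking uses
# sgnl://linkdevice?... (older clients: tsdevice:/?...); group invites use
# links on the signal.group host.
LINK_URI_RE = re.compile(r"(?:sgnl://linkdevice|tsdevice:/)\?[^\s\"'<>]+", re.I)


def classify_payload(payload: str) -> str:
    """Classify a decoded QR string as device_link, group_invite or other."""
    parts = urlsplit(payload.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme == "tsdevice" or (parts.scheme == "sgnl" and host == "linkdevice"):
        return "device_link"
    if parts.scheme in ("https", "sgnl") and host == "signal.group":
        return "group_invite"
    return "other"


def review_scan(claimed: str, payload: str) -> str:
    """Compare what the message claims the code does with what it really does."""
    kind = classify_payload(payload)
    if kind == "device_link":
        if claimed == "link_own_device":
            return "confirm"  # legitimate only if the user started the pairing
        return "block"        # e.g. a "group invite" that would link a device
    return "allow" if kind == claimed else "review"


def find_link_uris(page_source: str) -> list[str]:
    """Return device-linking URIs embedded in a saved web page's source."""
    return LINK_URI_RE.findall(page_source)


# Constructed samples; the uuid/pub_key values are placeholders, not real keys.
FAKE_INVITE_QR = "sgnl://linkdevice?uuid=EXAMPLE-UUID&pub_key=EXAMPLE-KEY"
REAL_INVITE_QR = "https://signal.group/#EXAMPLE-INVITE-TOKEN"
FAKE_INVITE_PAGE = (
    "<html><body><h1>Join our group</h1>"
    '<a href="sgnl://linkdevice?uuid=EXAMPLE-UUID&pub_key=EXAMPLE-KEY">Join</a>'
    "</body></html>"
)

if __name__ == "__main__":
    print(review_scan("group_invite", FAKE_INVITE_QR))
    print(review_scan("group_invite", REAL_INVITE_QR))
    print(find_link_uris(FAKE_INVITE_PAGE))
```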

Following this research, Signal took steps to strengthen its linked device feature. Dan Black, principal analyst at Google Threat Intelligence Group, highlighted the enhancements made by Signal in response to these threats. Apart from targeting Signal, Russian state hackers have employed similar tactics against other encrypted services like WhatsApp and Telegram. Microsoft recently uncovered a campaign linked to the Russian Federal Security Service threat actor tracked as Callisto Group, ColdRiver, and Star Blizzard, which used QR codes to target WhatsApp accounts associated with civil society organizations and journalists.

The escalation of cyber warfare tactics by Russian nation-state hackers underscores the growing challenges posed by malicious actors in the digital realm. It is imperative for users to remain vigilant and adopt robust security measures to safeguard their personal information and communications from potential threats. As threat actors continue to evolve their strategies, cybersecurity professionals and technology companies must collaborate to enhance cyber defenses and mitigate the risks posed by sophisticated cyber attacks.
