Russian threat actors targeting Signal
Compromising Ukraine’s wartime comms
Russia-linked cyber groups are targeting messaging accounts belonging to politicians, journalists and members of the military in Ukraine
Threat actors aligned with Russia are working to compromise Signal Messenger accounts used by “individuals of interest to Russia’s intelligence services.”
So says Google Threat Intelligence (GTI), which has been tracking these efforts over the past 12 months.
The attackers abused certain features in the Signal app to compromise communications used by Ukrainian military and government personnel – but GTI warned that the tactics used could spread further:
“[W]e anticipate the tactics and methods used to target Signal will grow in prevalence in the near-term and proliferate to additional threat actors and regions outside the Ukrainian theatre of war.”
Signal’s popularity among common surveillance targets, such as politicians, journalists and military personnel, makes it a high-value target – and, notably, similar apps like WhatsApp and Telegram are being actively targeted using similar techniques.
Linked device loopholes
The most widely used attack is abuse of Signal’s ‘linked devices’ feature, which enables a single account to be used on multiple devices simultaneously.
Additional devices can be linked by simply scanning a QR code, so attackers have begun creating malicious QR codes that link a victim's Signal account to an attacker-controlled Signal instance.
A successful link allows the attacker to eavesdrop on the victim's conversations, as messages are delivered to every linked device, including the attacker's, without the target device itself being compromised.
“This device-linking concept of operations has proven to be a low-signature form of initial access due to the lack of centralised, technology-driven detections and defences that can be used to monitor for account compromise via newly linked devices; when successful, there is a high risk that a compromise can go unnoticed for extended periods of time.”
While QR codes are a primary attack vector, there are other methods. For example, a group tracked as UNC5792 has altered legitimate group invite pages, replacing the expected redirect to a Signal group with one to a malicious URL that links accounts together.
Another group, UNC4221, actively targets Signal accounts used by Ukrainian military personnel. It uses a tailored Signal phishing kit designed to mimic components of a military application called Kropyva.
Beyond the account linking attacks, GTI has also observed “multiple known and established regional threat actors” working to steal Signal database files from Android and Windows devices. They include APT44 (Sandworm), Turla and the Belarus-linked group UNC1151.
These recent attacks should be a warning about the growing threat to even supposedly secure messaging apps. Advice includes caution when interacting with QR codes; ensuring mobile operating systems are up to date and protected; and regular audits of linked devices.