Russian Hackers Penetrate Ukrainian Signal Accounts

Uploaded on 2025-03-09 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, INTELLIGENCE-Hot Spots-Russia, FREE TO VIEW

Google Threat Intelligence Group (GTIG) has monitored the efforts by Russia state-aligned threat actors to compromise and penetrate Signal Messenger accounts used by individual users who are of interest to Russia's intelligence services.

In particular, Russian hackers have found ways to connect their victims' accounts to their own devices by abusing the messaging application “linked devices” feature that enables a user to be logged in on multiple devices at the same time.

These hacks have been prompted by military  demands to gain access to sensitive government and military communications following Russia's failed  invasion of Ukraine and it seems likely that tactics used to target Signal users will extend beyond the conflict in Ukraine 

The GTIG report analyses how Russian cyber criminal groups are exploiting vulnerabilities in the Signal messaging app to carry out sophisticated phishing and malware attacks, with a focus on targeting Ukrainian military personnel and other individuals who are of interest to Russian intelligence. 

These attacks are leveraging Signal’s “linked devices” feature, which allows users to access their accounts from multiple devices via a QR code scan. The linked devices feature, which is typically used to provide convenience by syncing messages across devices, has been weaponised by state-sponsored Russian hacking groups, including Sandworm and Turla.

By exploiting this functionality, malicious actors can remotely access victim accounts without fully compromising their devices. Once a victim scans a malicious QR code, the attacker gains access to the victim’s Signal account, enabling them to receive future messages synchronously.

This approach allows cyber criminals to listen in on sensitive communications in real-time, posing significant risks to both  individuals and organisations.

The attacks have been linked to Russian cybercriminal groups, including UNC5792 and UNC4221, who have hosted malicious group invites that mimic legitimate ones. These fake invitations contain harmful code designed to trick victims into linking their Signal accounts to devices controlled by the attackers. In addition to stealing sensitive information, these attacks may also target other encrypted messaging services, including WhatsApp and Telegram, using similar techniques.

GTIG says Malicious QR codes are also being used in close-access operations and in some cases, Russian cyber criminals have captured devices on the battlefield and used them to link Signal accounts back to controlled infrastructure for ongoing exploitation.

Also, researchers have seen that Sandworm has used lightweight scripts to periodically query Signal databases and exfiltrate recent messages, further enhancing their surveillance capabilities.

With cyber criminals leveraging sophisticated tactics to exploit Signal’s linked devices feature, these attacks pose an evolving threat to users of encrypted messaging services worldwide.

Google Cloud     |     I-HLS     |     Politico     |     Cyberscoop   |  Forbes     |     Kyiv Independent

Image: Brett Jordan

You Might Also Read: 

The App At The  Frontline Of Information Warfare:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Hackers Exploiting Malware In Google Docs
Orange Group Hacked - User Data Stolen »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Cyber Technology Institute - De Montfort University

Cyber Technology Institute - De Montfort University

The Cyber Technology Institute provides training and high quality research and consultancy services in the fields of cyber security, software engineering and digital forensics.

Datto

Datto

Datto delivers a single toolbox of easy to use products and services designed specifically for managed service providers and the businesses they serve.

SISA

SISA

SISA is a global forensics-driven cybersecurity solutions company, trusted by leading organizations for securing their businesses with robust preventive and corrective cybersecurity solutions.

CTR Secure Services

CTR Secure Services

CTR Secure Services provides a broad range of security consulting services from asset protection to cyber security.

Windscribe

Windscribe

Windscribe is a Virtual Private Network services provider offering secure encrypted access to the internet.

Squalio

Squalio

Squalio is an information technology group that delivers solutions and services for secure and effective IT management.

Crashtest Security

Crashtest Security

Crashtest Security is a cyber security company that helps digital companies to continuously create secure software with the help of automated vulnerability assessments.

TROOPERS

TROOPERS

TROOPERS InfoSec event consists of two days of high-end training, followed by a two-day, three-track conference, culminating in Roundtables on the final day.

Cyber Risk Aware

Cyber Risk Aware

Cyber Risk Aware provide a security awareness and phishing simulation platform that focuses on real threats and educates and empowers employees to be the first line of defence.

Billington CyberSecurity

Billington CyberSecurity

Billington CyberSecurity is a leading, independent education company with an exclusive focus on cybersecurity.

McDonald Hopkins

McDonald Hopkins

McDonald Hopkins is a business advisory and advocacy law firm. We focus on insightful legal solutions that help our clients strategically plan for an increasingly competitive future.

Codean

Codean

The Codean Review Environment automates mundane software analysis tasks, so security experts can focus on finding vulnerabilities.

Persistent Systems

Persistent Systems

Persistent Systems are a trusted Digital Engineering and Enterprise Modernization partner, combining deep technical expertise and industry experience to help our clients.

e-Xpert Solutions

e-Xpert Solutions

e-Xpert Solutions is a company specialized in the Information Security field since 2001. Our skills are strong technical expertise and the development of tailor-made solutions.

Ivolv Cybersecurity

Ivolv Cybersecurity

Ivolv is here to assist your organization in building effective protection and resilience against cyber attacks.

AI EdgeLabs

AI EdgeLabs

AI EdgeLabs is a powerful and autonomous cybersecurity AI platform that helps security teams respond immediately to ongoing attacks and protect Edge/IoT infrastructures.