Russian Hackers Penetrate Ukrainian Signal Accounts
Google Threat Intelligence Group (GTIG) has been tracking efforts by Russian state-aligned threat actors to compromise Signal Messenger accounts belonging to individuals of interest to Russia's intelligence services.
In particular, Russian hackers have found ways to connect their victims' accounts to their own devices by abusing the messaging application's “linked devices” feature, which lets a user be logged in on several devices at the same time.
These intrusions have been driven by military demands for access to sensitive government and military communications following Russia's failed invasion of Ukraine, and the tactics used against Signal users seem likely to spread beyond the conflict in Ukraine.
The GTIG report analyses how Russian cyber criminal groups are exploiting vulnerabilities in the Signal messaging app to carry out sophisticated phishing and malware attacks, with a focus on Ukrainian military personnel and other individuals of interest to Russian intelligence.
These attacks are leveraging Signal’s “linked devices” feature, which allows users to access their accounts from multiple devices via a QR code scan. The linked devices feature, which is typically used to provide convenience by syncing messages across devices, has been weaponised by state-sponsored Russian hacking groups, including Sandworm and Turla.
By exploiting this functionality, malicious actors can remotely access victim accounts without fully compromising their devices. Once a victim scans a malicious QR code, the attacker's device is linked to the victim's Signal account and receives all future messages as they are delivered.
This approach allows cyber criminals to listen in on sensitive communications in real time, posing significant risks to both individuals and organisations.
The attacks have been linked to Russian cyber criminal groups, including UNC5792 and UNC4221, which have hosted malicious group invites that mimic legitimate ones. These fake invitations carry content designed to trick victims into linking their Signal accounts to devices controlled by the attackers. Beyond stealing sensitive information, the same techniques may also be turned against other encrypted messaging services, including WhatsApp and Telegram.
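As an added illustration, not part of the GTIG report or this article, the check below classifies what the text behind a scanned "Signal" QR code would actually do, so a supposed group invite that is really a device-link request can be flagged before it is accepted. The URI layouts (sgnl://linkdevice?uuid=&pub_key= for linking, https://signal.group/#token for invites) are assumptions drawn from Signal's client behaviour and may change; all sample payloads are constructed.

```python
"""Classify the text behind a QR code that claims to be a Signal link.

Constructed example. The device-link URI layout (sgnl://linkdevice?uuid=&pub_key=)
is assumed from Signal Desktop's provisioning flow and may change between releases;
group invites are assumed to be https://signal.group/#<token>.
"""
import base64
import uuid
from urllib.parse import parse_qs, quote, urlparse

DEVICE_LINK = "device_link"
GROUP_INVITE = "group_invite"
UNKNOWN = "unknown"


def _valid_link_params(params: dict) -> bool:
    """Device-link URIs carry a device UUID and a base64-encoded public key."""
    try:
        uuid.UUID(params["uuid"][0])
        key = base64.b64decode(params["pub_key"][0], validate=True)
    except (KeyError, IndexError, ValueError):
        return False
    return len(key) > 0


def classify_signal_qr(payload: str) -> dict:
    """Return what scanning this payload would actually do to the account."""
    url = urlparse(payload.strip())
    if url.scheme == "sgnl" and url.netloc == "linkdevice":
        return {"kind": DEVICE_LINK,
                "well_formed": _valid_link_params(parse_qs(url.query)),
                # A linked device receives every future message of the account.
                "effect": "enrols a new device that mirrors all future messages"}
    if url.scheme == "https" and url.netloc == "signal.group" and url.fragment:
        return {"kind": GROUP_INVITE, "well_formed": True,
                "effect": "joins a group; grants no access to the account"}
    return {"kind": UNKNOWN, "well_formed": False, "effect": "not a recognised Signal link"}


def invite_is_really_device_link(payload: str) -> bool:
    """The lure described above: a 'group invite' whose QR code actually links a device."""
    return classify_signal_qr(payload)["kind"] == DEVICE_LINK


# Constructed sample payloads (not real keys, devices or groups).
SAMPLE_KEY = quote(base64.b64encode(b"\x05" + bytes(range(1, 33))).decode(), safe="")
SAMPLE_LINK = f"sgnl://linkdevice?uuid={uuid.uuid4()}&pub_key={SAMPLE_KEY}"
SAMPLE_INVITE = "https://signal.group/#CjQKIConstructedTokenConstructedToken"
```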
GTIG says malicious QR codes are also being used in close-access operations, and in some cases Russian cyber criminals have captured devices on the battlefield and used them to link Signal accounts back to attacker-controlled infrastructure for ongoing exploitation.
Researchers have also seen Sandworm use lightweight scripts to periodically query Signal databases and exfiltrate recent messages, further extending its surveillance capabilities.
With cyber criminals leveraging sophisticated tactics to exploit Signal’s linked devices feature, these attacks pose an evolving threat to users of encrypted messaging services worldwide.
Google Cloud | I-HLS | Politico | Cyberscoop | Forbes | Kyiv Independent