Pierluigi Paganini
February 19, 2025
Google Threat Intelligence Group (GTIG) researchers warn of multiple Russia-linked threat actors targeting Signal Messenger accounts used by individuals of interest to Russian intelligence. The experts speculate that the tactics, techniques, and procedures used to target Signal will be prevalent in the near term, and they will be also employed in regions outside Ukraine.
Russian hackers exploit Signal’s “linked devices” feature, they use specially crafted QR codes to link victims’ accounts to attacker-controlled devices, and then spy on them.
“The most novel and widely used technique underpinning Russian-aligned attempts to compromise Signal accounts is the abuse of the app’s legitimate “linked devices” feature that enables Signal to be used on multiple devices concurrently. Because linking an additional device typically requires scanning a quick-response (QR) code, threat actors have resorted to crafting malicious QR codes that, when scanned, will link a victim’s account to an actor-controlled Signal instance.” reads the report published by GTIG. “If successful, future messages will be delivered synchronously to both the victim and the threat actor in real-time, providing a persistent means to eavesdrop on the victim’s secure conversations without the need for full-device compromise.”
Russian hackers use malicious QR codes disguised as Signal resources to hijack accounts, targeting military apps and even linking captured devices to their servers.
In some phishing attacks, attackers frequently masked malicious QR codes as legitimate Signal resources, such as group invites, security alerts, or as legitimate device pairing instructions from the Signal website.
In some spear-phishing attacks, attackers embedded the QR codes in phishing pages crafted to appear as specialized applications used by the Ukrainian military.
APT44 (Sandworm) enables Russian forces to link captured Signal accounts to their servers, using battlefield devices for further exploitation.
The alleged Russia-linked cyberespionage group UNC5792 (which partially overlaps with a threat actor tracked as UAC-0195 by CERT-UA) was spotted modifying Signal group invites in phishing campaigns to trick recipients into linking their accounts to attacker-controlled devices.
UNC5792 replaces JavaScript in fake Signal invites with a malicious URI, tricking victims into linking their accounts to attacker-controlled devices.
Another Russia-linked APT, tracked as UNC4221, targets Ukrainian military accounts using a phishing kit mimicking the Kropyva artillery guidance app.
“Similar to the social engineering approach used by UNC5792, UNC4221 has also attempted to mask its device-linking functionality as an invite to a Signal group from a trusted contact.” continues the report. “Different variations of this phishing kit have been observed, including:
UNC4221 uses the PINPOINT JavaScript payload to gather user data and geolocation via the browser’s API.
Researchers also reported that Russian and Belarus-linked threat actors were able to steal Signal database files from Android and Windows devices using scripts, malware, and command-line tools fordata exfiltration.
“As reflected in wide ranging efforts to compromise Signal accounts, this threat to secure messaging applications is not limited to remote cyber operations such as phishing and malware delivery, but also critically includes close-access operations where a threat actor can secure brief access to a target’s unlocked device.” concludes the report. “Equally important, this threat is not only limited to Signal, but also extends to other widely used messaging platforms, including WhatsApp and Telegram, which have likewise factored into the targeting priorities of several of the aforementioned Russia-aligned groups in recent months.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Russia-linked threat actors)
