Russian Hackers Penetrate Ukrainian Signal Accounts

Google Threat Intelligence Group (GTIG) has monitored the efforts by Russia state-aligned threat actors to compromise and penetrate Signal Messenger accounts used by individual users who are of interest to Russia's intelligence services.

In particular, Russian hackers have found ways to connect their victims' accounts to their own devices by abusing the messaging application “linked devices” feature that enables a user to be logged in on multiple devices at the same time.

These hacks have been prompted by military  demands to gain access to sensitive government and military communications following Russia's failed  invasion of Ukraine and it seems likely that tactics used to target Signal users will extend beyond the conflict in Ukraine 

The GTIG report analyses how Russian cyber criminal groups are exploiting vulnerabilities in the Signal messaging app to carry out sophisticated phishing and malware attacks, with a focus on targeting Ukrainian military personnel and other individuals who are of interest to Russian intelligence. 

These attacks are leveraging Signal’s “linked devices” feature, which allows users to access their accounts from multiple devices via a QR code scan. The linked devices feature, which is typically used to provide convenience by syncing messages across devices, has been weaponised by state-sponsored Russian hacking groups, including Sandworm and Turla.

By exploiting this functionality, malicious actors can remotely access victim accounts without fully compromising their devices. Once a victim scans a malicious QR code, the attacker gains access to the victim’s Signal account, enabling them to receive future messages synchronously.

This approach allows cyber criminals to listen in on sensitive communications in real-time, posing significant risks to both  individuals and organisations.

The attacks have been linked to Russian cybercriminal groups, including UNC5792 and UNC4221, who have hosted malicious group invites that mimic legitimate ones. These fake invitations contain harmful code designed to trick victims into linking their Signal accounts to devices controlled by the attackers. In addition to stealing sensitive information, these attacks may also target other encrypted messaging services, including WhatsApp and Telegram, using similar techniques.

GTIG says Malicious QR codes are also being used in close-access operations and in some cases, Russian cyber criminals have captured devices on the battlefield and used them to link Signal accounts back to controlled infrastructure for ongoing exploitation.

Also, researchers have seen that Sandworm has used lightweight scripts to periodically query Signal databases and exfiltrate recent messages, further enhancing their surveillance capabilities.

With cyber criminals leveraging sophisticated tactics to exploit Signal’s linked devices feature, these attacks pose an evolving threat to users of encrypted messaging services worldwide.

Google Cloud     |     I-HLS     |     Politico     |     Cyberscoop   |  Forbes     |     Kyiv Independent

Image: Brett Jordan

You Might Also Read: 

The App At The  Frontline Of Information Warfare:


If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Hackers Exploiting Malware In Google Docs
Orange Group Hacked - User Data Stolen »

CyberSecurity Jobsite
Check Point

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Institute for National Security and Counterterrorism (INSCT)

Institute for National Security and Counterterrorism (INSCT)

INSCT is a center for the study of national security, international security, and counterterrorism. Research programs include New Frontiers in Science, Cyber, & Technology

National Defence Radio Establishment (FRA) - Sweden

National Defence Radio Establishment (FRA) - Sweden

The National Defence Radio Establishment (Försvarets Radioanstalt), is the Swedish national authority for Signals Intelligence, also providing Information assurance services to government authorities.

Cyber Senate

Cyber Senate

Cyber Senate is dedicated to bringing Operators of Essential Services together with global subject matter experts to address the challenges of evolving cyber threats to critical infrastructure.

Security Brokers

Security Brokers

Security Brokers focus services and solutions with a focus on strategic ICT Security and Cyber Defense issues.

Centre for the Protection of National Infrastructure (CPNI) - UK

Centre for the Protection of National Infrastructure (CPNI) - UK

CPNI works with the National Cyber Security Centre (NCSC), Cabinet Office and lead Government departments and agencies to drive forward the UK's cyber security programme to counter cyber threats.

DG Technology

DG Technology

DG Technology is a customer-centric technology expert and business consultant that delivers services and products to minimize your information security, compliance, and business risks.

Resilience First

Resilience First

Resilience First is a not-for-profit organisation, led and funded by business to strengthen collective business resilience in all areas, including cyber security.

LightEdge Solutions

LightEdge Solutions

LightEdge’s highly-trained compliance and security experts take the guesswork out of keeping your business protected.

Brimondo

Brimondo

At Brimondo we help you to maximize and protect your brand value by being a proactive and strategic partner within brand protection with experts within intellectual property and digital assets.

Salt Cybersecurity

Salt Cybersecurity

Salt Cybersecurity offer a four-pronged approach to information security that includes Custom Security Policy, Vulnerability Assessment, Threat Detection, and Security Awareness Training.

CrossCountry Consulting

CrossCountry Consulting

CrossCountry Consulting is a trusted business advisory firm that provides customized finance, accounting, human capital management, risk, operations and technology consulting services.

DigitalWell

DigitalWell

DigitalWell provide fully managed IT and communications solutions for a truly innovative end-to-end experience - for your customers and teams.

Olympix

Olympix

Dev-first Web3 security that starts at the source. Olympix is a pioneering DevSecOps tool that puts security in the hands of the developer by proactively securing code from day one.

SecurWeave

SecurWeave

SecurWeave's Configurable Hardware Enforced Safety and Security (CHESS) platform has been designed to meet the security and safety criticality needs of the evolving digital industry.

Sword Group

Sword Group

Sword is a leader in data insights, digital transformation and technology services with a substantial reputation in complex IT, business projects and mission critical operations.

Edera

Edera

Edera is changing the way containers are run and secured, making isolation a reality and fundamentally transforming computing in the process.