Russian Hackers Penetrate Ukrainian Signal Accounts

Google Threat Intelligence Group (GTIG) has been monitoring efforts by Russian state-aligned threat actors to compromise Signal Messenger accounts belonging to individuals of interest to Russia's intelligence services.

In particular, the attackers have found ways to connect victims' accounts to their own devices by abusing the messaging application's “linked devices” feature, which lets a user be logged in on multiple devices at the same time.

These operations have been driven by wartime demands for access to sensitive government and military communications following Russia's failed invasion of Ukraine, and it seems likely that the tactics used to target Signal users will extend beyond the conflict in Ukraine.

The GTIG report analyses how Russian cyber criminal groups are exploiting vulnerabilities in the Signal messaging app to carry out sophisticated phishing and malware attacks, with a focus on targeting Ukrainian military personnel and other individuals who are of interest to Russian intelligence.

These attacks are leveraging Signal’s “linked devices” feature, which allows users to access their accounts from multiple devices via a QR code scan. The linked devices feature, which is typically used to provide convenience by syncing messages across devices, has been weaponised by state-sponsored Russian hacking groups, including Sandworm and Turla.

By exploiting this functionality, malicious actors can remotely access victim accounts without fully compromising their devices. Once a victim scans a malicious QR code, the attacker's device is linked to the victim's Signal account and receives all future messages as they arrive.

This approach allows cyber criminals to listen in on sensitive communications in real time, posing significant risks to both individuals and organisations.

The attacks have been linked to Russian cybercriminal groups, including UNC5792 and UNC4221, who have hosted malicious group invites that mimic legitimate ones. These fake invitations contain harmful code designed to trick victims into linking their Signal accounts to devices controlled by the attackers. In addition to stealing sensitive information, these attacks may also target other encrypted messaging services, including WhatsApp and Telegram, using similar techniques.
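The attacks described above work because a QR code that looks like a group invite actually carries a device-linking request. The following triage helper is an added example, not code from the GTIG report or from Signal; it assumes the public link layouts `sgnl://linkdevice?uuid=…&pub_key=…` for device linking and `https://signal.group/#…` for group invites, and flags any payload that would add a device to the account before a user acts on it.

```python
"""Triage a scanned QR payload before opening it in Signal.

Constructed defender-side helper. The URI layouts below are assumptions
about Signal's public link formats, not taken from the GTIG report.
"""
from urllib.parse import urlparse, parse_qs

# Assumed first-party hosts; anything else that mentions "signal" is suspect.
KNOWN_HOSTS = {"signal.group", "signal.org", "signal.me"}


def classify_signal_qr(payload: str) -> dict:
    """Return what a QR payload would do if opened in Signal.

    kind: 'device-link'  -> would add a new linked device to the account
          'group-invite' -> joins a group; grants no account access
          'lookalike'    -> host imitates Signal but is not a known one
          'unknown'      -> not a Signal link at all
    """
    p = urlparse(payload.strip())
    host = p.netloc.lower()
    # Assumed device-linking form: sgnl://linkdevice?uuid=...&pub_key=...
    if p.scheme == "sgnl" and host == "linkdevice":
        q = parse_qs(p.query)
        complete = "uuid" in q and "pub_key" in q
        return {"kind": "device-link", "risk": "high",
                "note": "Scanning this links ANOTHER device to your account"
                        + ("" if complete else " (malformed link request)")}
    # Assumed group-invite form: https://signal.group/#<opaque token>
    if host == "signal.group" and p.scheme in ("https", "sgnl") and p.fragment:
        return {"kind": "group-invite", "risk": "low",
                "note": "Joins a group; does not grant account access"}
    if "signal" in host and host not in KNOWN_HOSTS:
        return {"kind": "lookalike", "risk": "high",
                "note": f"Host {host!r} imitates Signal but is not signal.group"}
    return {"kind": "unknown", "risk": "unknown", "note": "Not a Signal link"}


# Constructed sample payloads; tokens are placeholders, not real values.
SAMPLES = [
    "https://signal.group/#CjQKIPLACEHOLDERTOKEN",
    "sgnl://linkdevice?uuid=PLACEHOLDER-UUID&pub_key=PLACEHOLDER-KEY",
    "https://signal-group-invite.example/#CjQKIPLACEHOLDERTOKEN",
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = classify_signal_qr(s)
        print(f"[{r['risk']:7}] {r['kind']:12} {r['note']}")
```

In practice the check belongs in whatever tool users already scan codes with; the point is that a "group invite" and a "link this device" request are distinguishable before the scan is confirmed.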

GTIG says malicious QR codes are also being used in close-access operations; in some cases, Russian cyber criminals have captured devices on the battlefield and used them to link Signal accounts back to attacker-controlled infrastructure for ongoing exploitation.

Researchers have also seen Sandworm use lightweight scripts to periodically query Signal databases and exfiltrate recent messages, further extending its surveillance capabilities.

With cyber criminals leveraging sophisticated tactics to exploit Signal’s linked devices feature, these attacks pose an evolving threat to users of encrypted messaging services worldwide.

Sources: Google Cloud | I-HLS | Politico | Cyberscoop | Forbes | Kyiv Independent

Image: Brett Jordan
