Google’s Threat Intelligence Group (GTIG) has uncovered a series of cyber-espionage campaigns by Russian state-aligned hackers targeting Signal Messenger accounts.
These operations, attributed to groups such as APT44 (Sandworm), UNC5792, UNC4221, and Turla, aim to compromise secure communications used by military personnel, politicians, and activists. By abusing Signal’s “linked devices” feature, these actors gain persistent access to victims’ messages, facilitating covert surveillance in real time.
Targeting Signal for cyber-espionage
GTIG's investigation revealed that Russian hackers have been exploiting Signal’s legitimate device-linking mechanism, which allows users to access their accounts across multiple devices. Attackers craft malicious QR codes and phishing websites to trick victims into linking their Signal accounts to an attacker-controlled device. Once linked, the threat actors receive all incoming and outgoing messages without needing to breach the entire device.
Key threat groups and their methods include:
- UNC5792: This group alters legitimate Signal group invites, redirecting victims to attacker-controlled domains where they unknowingly link their accounts. Fake domains such as signal-groups[.]tech and signal-group[.]com have been used in these attacks.
- UNC4221: This actor developed a custom phishing kit designed to mimic the Kropyva artillery guidance system, a tool used by the Ukrainian military. Phishing pages with fake security alerts or Signal login prompts trick users into linking their devices.
- APT44 (Sandworm): Unlike others focusing on phishing, APT44 operates closer to the battlefield, using compromised physical devices captured from Ukrainian forces. These devices are linked back to Russian-controlled infrastructure for real-time intelligence gathering.
- Turla & UNC1151: These groups focus on exfiltrating Signal’s database files from Windows and Android devices using scripts and malware like Infamous Chisel and WAVESIGN.
Signal Messenger is widely used for encrypted communications, particularly by those at risk of state-sponsored surveillance, such as journalists, government officials, and military personnel. Its strong privacy features have made it a prime target for cyber-espionage, as gaining access to a Signal account can expose highly sensitive information. While Signal remains a secure platform, the exploitation of its device-linking feature highlights a growing threat to encrypted messaging apps.
Recommendations for users
To mitigate these attacks, Google and Signal have implemented enhanced security features in recent updates. Users are advised to update Signal to the latest version on Android and iOS, regularly audit linked devices in Signal’s settings, and remove any unrecognized connections. Be cautious of QR codes in unexpected messages, particularly those requesting account access or offering group invites, and enable two-factor authentication (2FA) to add an extra layer of security. For high-risk users, consider enabling Lockdown Mode on iPhones to reduce attack surfaces.
The exploitation of Signal is part of a broader trend, with Russian-aligned groups also targeting other secure messaging platforms like WhatsApp and Telegram. Microsoft recently reported similar tactics used against WhatsApp users. As cyberwarfare intensifies, encrypted communications remain a key battleground, with state-backed actors seeking new ways to infiltrate private conversations.
Insight Partners Investigates Data Breach Following Cyberattack
Leave a Reply