In a concerning development, Russian state-aligned cyber threat actors have intensified their focus on compromising Signal Messenger accounts, leveraging sophisticated phishing campaigns and malware to intercept sensitive communications.
According to the Google Threat Intelligence Group (GTIG), these operations are primarily aimed at military personnel, politicians, journalists, and activists, groups that often rely on secure messaging platforms like Signal to safeguard their communications.
The ongoing conflict in Ukraine has spurred this operational interest, with Russian intelligence services targeting Signal to gain access to critical government and military information.
Beyond Signal, other messaging platforms such as WhatsApp and Telegram have also been subjected to similar tactics, signaling a broader trend in cyber-espionage activities.
Exploitation of Signal’s “Linked Devices” Feature
One of the primary methods employed by these actors involves abusing Signal’s legitimate “linked devices” feature.
This feature allows users to connect multiple devices to a single account by scanning a QR code.
Threat actors have exploited this mechanism by crafting malicious QR codes that link victim accounts to attacker-controlled devices.
Once linked, all future messages are delivered simultaneously to both the victim and the attacker, enabling real-time eavesdropping without requiring full device compromise.
These phishing campaigns often disguise malicious QR codes as group invites or security alerts from Signal, tricking users into linking their accounts.
In some cases, attackers have embedded these codes into phishing pages designed to mimic legitimate military applications or trusted websites.

Notably, advanced persistent threat groups such as APT44 (also known as Sandworm) have used this technique in close-access operations by physically exploiting devices captured on the battlefield.
Broader Cyber-Espionage Tactics
In addition to phishing campaigns, Russian-aligned groups have employed malware and scripts to exfiltrate Signal database files directly from compromised devices.
For instance:
- APT44 has utilized a Windows Batch script called WAVESIGN to extract recent messages from Signal databases on Windows systems.
- The Android malware “Infamous Chisel,” attributed to Sandworm, is designed to search for and exfiltrate Signal database files from mobile devices.
- Turla, another Russian threat actor, has deployed PowerShell scripts for post-compromise exfiltration of Signal Desktop messages.
- Belarus-linked UNC1151 has used tools like Robocopy to stage Signal Desktop directories for later data theft.
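The staging and exfiltration tradecraft listed above (Robocopy copying Signal Desktop directories, PowerShell and batch scripts reading Signal data) is the kind of activity an endpoint detection rule can surface. The following is an added example, not code from GTIG or from the article; it assumes EDR-style process-creation events as dicts with `image`, `cmdline` and `user` keys, a hypothetical `classify_event` helper, and a placeholder pattern for the Signal Desktop profile directory that you would replace with the real path on your platform.

```python
"""Flag staging/exfiltration tools that touch the Signal Desktop profile."""
import re

# Assumption: the Signal Desktop profile lives in a directory named "Signal";
# placeholder only, substitute the actual path for the hosts you monitor.
SIGNAL_DIR_PATTERN = re.compile(r"[\\/]signal([\\/]|\b)", re.IGNORECASE)

# Tooling named in the reporting: Robocopy (UNC1151), PowerShell (Turla),
# batch scripts run via cmd.exe (APT44's WAVESIGN).
STAGING_IMAGES = {"robocopy.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}


def _image_name(image):
    """Basename of the executable, lower-cased, for either path separator."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(event):
    """Return a reason string when the event matches the pattern, else None."""
    name = _image_name(event["image"])
    if name not in STAGING_IMAGES:
        return None
    if not SIGNAL_DIR_PATTERN.search(event.get("cmdline", "")):
        return None
    if name == "robocopy.exe":
        return "robocopy staging Signal Desktop directory"
    if name in ("powershell.exe", "pwsh.exe"):
        return "PowerShell touching Signal Desktop data"
    return "batch/cmd touching Signal Desktop data"


def find_suspicious(events):
    """(user, reason) pairs for every event that matches."""
    return [(e["user"], reason) for e in events if (reason := classify_event(e))]


# Constructed sample telemetry (not real events); paths are placeholders.
SAMPLE_EVENTS = [
    {"user": "alice", "image": r"C:\Windows\System32\robocopy.exe",
     "cmdline": r'robocopy "C:\Users\alice\AppData\Roaming\Signal" C:\Temp\stage /E'},
    {"user": "alice", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe notes.txt"},
    {"user": "bob", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\Temp\collect.ps1 -Path $env:APPDATA\Signal\sql"},
    {"user": "bob", "image": r"C:\Windows\System32\robocopy.exe",
     "cmdline": r"robocopy C:\Projects D:\Backup /MIR"},
]

if __name__ == "__main__":
    for user, reason in find_suspicious(SAMPLE_EVENTS):
        print(f"{user}: {reason}")
```

Legitimate backups of a whole user profile will also match, so pair this with an allow-list of approved backup jobs before alerting.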
According to the Google Threat Intelligence Group, these efforts highlight the growing sophistication of cyber-espionage campaigns targeting secure messaging platforms.
The targeting of Signal underscores the increasing vulnerability of secure messaging applications in high-stakes geopolitical conflicts.
As similar tactics proliferate among other threat actors globally, users are urged to adopt stringent security measures:
- Regularly update messaging applications and operating systems.
- Audit linked devices for unauthorized connections.
- Avoid scanning QR codes from unverified sources.
- Enable two-factor authentication where possible.
This escalation in cyber threats serves as a stark reminder of the need for robust cybersecurity practices in safeguarding sensitive communications from state-sponsored adversaries.