https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger

Google’s Threat Intelligence Group (GTIG) has observed a surge in efforts by multiple Russian state-aligned threat actors to compromise Signal Messenger accounts, particularly those belonging to individuals of interest to Russian intelligence services.

These groups are abusing Signal’s “linked devices” feature: they lure victims into scanning malicious QR codes that link the victim’s account to an attacker-controlled device, after which the attacker receives the victim’s messages in real time. The tactic leaves few indicators on the victim’s device or network, which makes it difficult to detect.

GTIG has identified several threat actors involved in these campaigns, including:

  • UNC5792: This group modifies legitimate Signal group invite pages to redirect victims to malicious URLs that link their accounts to attacker devices.
  • UNC4221: This group operates a tailored Signal phishing kit that mimics applications used by the Ukrainian military, embedding malicious QR codes or redirecting victims to fake device-linking instructions.
  • APT44 (Sandworm): This group has been observed using malware and scripts to steal Signal database files from compromised Android and Windows devices.
  • Turla: This Russian threat actor uses PowerShell scripts to exfiltrate Signal Desktop messages.
  • UNC1151: This Belarus-linked group uses command-line utilities to stage Signal Desktop files for exfiltration.
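The last three actors in the list do not touch the linked-device feature at all; they take the Signal Desktop profile off disk with ordinary interpreters and copy utilities. That is the one part of this activity a host-based sensor can see. The following is an added detection sketch, not code from the blog post or from Google: it runs two rules over constructed Sysmon-style events. The profile location (`%APPDATA%\Signal`, with `sql\db.sqlite` and `config.json`), the tool list, the sample paths and the user names are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Assumption (not stated on the page): Signal Desktop on Windows keeps its profile
# under %APPDATA%\Signal; the message store is sql\db.sqlite and config.json holds
# the key material needed to open it. Adjust both patterns for your fleet.
SIGNAL_DIR_RE = re.compile(r"\\AppData\\Roaming\\Signal\b", re.IGNORECASE)
SIGNAL_SENSITIVE_RE = re.compile(r"\\Signal\\(sql\\db\.sqlite|config\.json)$", re.IGNORECASE)

# Interpreters and staging utilities that have no routine reason to handle a
# messenger's profile directory (assumed list; extend with whatever your estate uses).
STAGING_TOOLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "robocopy.exe",
                 "xcopy.exe", "7z.exe", "rar.exe", "tar.exe"}
# Processes that legitimately open the database (tune: add backup agents you trust).
ALLOWED_READERS = {"signal.exe"}


@dataclass
class Event:
    kind: str    # "file_read" or "process_create"
    image: str   # full image path of the acting process
    target: str  # file path for file_read; full command line for process_create
    user: str


def detect(events):
    """Return (rule, image, user) tuples for events matching either rule."""
    findings = []
    for e in events:
        image = e.image.rsplit("\\", 1)[-1].lower()
        if e.kind == "file_read":
            # Rule 1: something other than Signal itself read the database or key file.
            if SIGNAL_SENSITIVE_RE.search(e.target) and image not in ALLOWED_READERS:
                findings.append(("signal_db_read_by_foreign_process", image, e.user))
        elif e.kind == "process_create":
            # Rule 2: a scripting host or copy utility was launched with the profile
            # directory on its command line (staging for exfiltration).
            if image in STAGING_TOOLS and SIGNAL_DIR_RE.search(e.target):
                findings.append(("signal_profile_staged_by_tool", image, e.user))
    return findings


# Constructed sample telemetry; none of these paths or users come from the report.
SAMPLE_EVENTS = [
    Event("file_read",
          r"C:\Users\alice\AppData\Local\Programs\signal-desktop\Signal.exe",
          r"C:\Users\alice\AppData\Roaming\Signal\sql\db.sqlite", "alice"),      # benign
    Event("process_create",
          r"C:\Windows\System32\xcopy.exe",
          r'xcopy.exe "C:\Users\alice\AppData\Roaming\Signal" D:\stage /E', "alice"),  # rule 2
    Event("file_read",
          r"C:\Windows\System32\notepad.exe",
          r"C:\Users\alice\AppData\Roaming\Signal\config.json", "alice"),          # rule 1
    Event("process_create",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"powershell.exe -Command Get-Date", "alice"),                            # benign
]


def run_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Rule 1 fires on reads of the two sensitive files by anything except the Signal binary, so backup software and EDR scanners will need to be added to `ALLOWED_READERS` before it is useful. Rule 2 is deliberately narrow (a known tool plus the profile path on the command line) so that it stays quiet on developers who merely script around their own profile; a renamed copy of `7z.exe` defeats it, which is why the file-read rule is the one to rely on.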

The targeting of Signal, along with other messaging apps like WhatsApp and Telegram, highlights a growing trend of state-sponsored actors seeking to intercept secure communications. GTIG recommends users take several precautions, including:

  • Enabling strong screen locks on mobile devices.
  • Keeping operating systems and messaging apps updated.
  • Regularly auditing linked devices.
  • Exercising caution with QR codes and suspicious links.
  • Using two-factor authentication.

This increased activity underscores the importance of heightened security awareness and proactive measures to protect against these sophisticated attacks.