Google report warns of Russian threat groups targeting Signal Messenger



A new report released today by Google LLC’s Threat Intelligence Group warns that Russian state-backed threat actors are increasingly targeting Signal Messenger users in an effort to intercept sensitive communications.

The report details how multiple Russian-aligned cyber espionage groups have focused on compromising Signal accounts through the app’s “linked devices” feature, which lets a user add a second endpoint such as Signal Desktop by scanning a QR code with the phone that holds the account. Attackers use phishing tactics to trick users into scanning malicious QR codes that covertly link their Signal accounts to adversary-controlled devices. Because a linked device receives each subsequent message as it is delivered, a successful link gives the attacker a persistent, real-time copy of the victim’s conversations without any need to compromise the phone itself, and it keeps working until the victim notices the extra device and unlinks it.

The Russian threat groups monitored by Google’s researchers were found to be targeting accounts used by individuals of interest to Russia’s intelligence services. Many of the targets were, unsurprisingly, Ukrainian, but the researchers expect the tactics and methods used against Signal to grow in prevalence in the near term and to spread to additional threat actors and regions outside the Ukrainian theater of war.

Among the Russian threat groups detailed in the report, one group, tracked by Google as UNC5792 and by Ukraine’s CERT-UA as UAC-0195, was found to be modifying legitimate Signal group invite links so that they redirect users to fake pages that initiate unauthorized device linking instead of joining a group. The group’s phishing infrastructure is designed to look identical to official Signal invite pages, making it difficult for victims to recognize the deception: what looks like joining a group actually links the attacker’s device to the victim’s account.

Another threat actor, tracked as UNC4221 (UAC-0185), was found to be targeting Ukrainian military personnel by disguising malicious QR codes within phishing sites built to resemble applications used for artillery guidance. In some cases the attackers have also embedded fake Signal security alerts to lure victims into linking their devices to attacker-controlled infrastructure.
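The two phishing schemes above hinge on one distinction: a genuine Signal group invite is an https://signal.group/#… link, while the QR code on Signal’s “Link New Device” screen encodes a device-linking URI that carries the linking device’s identity and public key. The Python helper below is added here as an illustration; it is not code from the Google report or from Signal. It assumes Signal’s sgnl://linkdevice?uuid=…&pub_key=… linking scheme (the form consumed by Signal Desktop) and classifies payloads decoded from a QR code or a page so that a linking URI served where an invite was promised stands out. All sample payloads are constructed dummies.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample payloads (not taken from the report). Values are dummies.
SAMPLE_PAYLOADS = [
    # genuine group invite: https link to signal.group with the invite in the fragment
    "https://signal.group/#CjQKIHqtZjM0c2NhbnNkZXZpY2VsaW5rEhB3b3JrZWRleGFtcGxl",
    # device-linking URI of the kind a "Link New Device" QR code carries (assumed scheme)
    "sgnl://linkdevice?uuid=8f0d2a1c-3b4e-4f61-9a77-0c2e5d1b6a90&pub_key=BdummyKeyBytesForIllustration",
    # look-alike host that is not signal.group
    "https://signal-group-invite.example/#CjQKIHqtZjM0c2NhbnNkZXZpY2VsaW5rEhB3b3JrZWRleGFtcGxl",
]


def classify_signal_uri(uri: str) -> str:
    """Classify a URI decoded from a QR code or page as 'group_invite',
    'device_link', 'lookalike' or 'other'."""
    p = urlparse(uri.strip())
    scheme = p.scheme.lower()
    if scheme == "https" and (p.hostname or "") == "signal.group" and p.fragment:
        return "group_invite"
    if scheme == "sgnl" and p.netloc.lower() == "linkdevice":
        # A linking URI names the device that will be added to the account
        # (uuid) and the key it will use (pub_key); both are required.
        params = parse_qs(p.query)
        if params.get("uuid") and params.get("pub_key"):
            return "device_link"
        return "other"
    if scheme in ("http", "https") and "signal" in (p.hostname or ""):
        return "lookalike"
    return "other"


def flag_unexpected_payloads(uris, expected="group_invite"):
    """Return (uri, verdict) for every payload that is not what the user was
    promised. A device_link where an invite was expected is exactly the
    trick the phishing pages rely on."""
    return [(u, classify_signal_uri(u)) for u in uris
            if classify_signal_uri(u) != expected]


if __name__ == "__main__":
    for uri, verdict in flag_unexpected_payloads(SAMPLE_PAYLOADS):
        print(f"{verdict:12} {uri}")
```

The check is deliberately strict about the host (signal.group exactly, not any host containing the word) because the phishing pages described in the report are built to look like the real invite page; the URI is the one thing the victim can verify before scanning.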

Beyond phishing, the Russian military intelligence hacking unit APT44, best known as Sandworm, was found to be using malware and scripts to exfiltrate Signal messages from compromised Windows and Android devices. The group’s WAVESIGN batch script periodically retrieves recent Signal messages, while the Android malware Infamous Chisel searches infected devices for Signal database files.

Other Russian-aligned groups, such as Turla and the Belarusian-linked UNC1151, were found to be targeting Signal’s desktop application to extract stored messages. Signal Desktop keeps message history in a local database on the machine, so an actor that already runs code as the logged-in user does not need to break the app’s encryption in transit; these actors use PowerShell scripts and command-line utilities such as Robocopy to copy the app’s data files and stage them for later exfiltration.
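On the detection side, the Robocopy and PowerShell tradecraft attributed to Turla and UNC1151 leaves a simple footprint: a copy or archive utility whose command line points at Signal Desktop’s data directory (%APPDATA%\Signal on Windows) while the process doing it is not Signal itself. The Python below is added here as an illustration; it is not code from the Google report or from any tool it names. It runs that check over constructed process-creation events in a simplified Sysmon-style “Key: value | Key: value” layout assumed for the example; the log lines, field names and staging paths are all made up.

```python
import re

# Constructed process-creation events (not from the report). Layout assumed
# for this example: fields separated by " | ", each "Key: value".
EVENTS = [
    r"Image: C:\Windows\System32\Robocopy.exe | ParentImage: C:\Windows\System32\cmd.exe | CommandLine: robocopy C:\Users\alice\AppData\Roaming\Signal C:\Users\Public\Libraries\stage /E /R:1",
    r"Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | ParentImage: C:\Windows\explorer.exe | CommandLine: powershell -nop -w hidden Copy-Item $env:APPDATA\Signal\sql\db.sqlite C:\ProgramData\s.db",
    r"Image: C:\Users\alice\AppData\Local\Programs\signal-desktop\Signal.exe | ParentImage: C:\Windows\explorer.exe | CommandLine: Signal.exe --user-data-dir=C:\Users\alice\AppData\Roaming\Signal",
    r"Image: C:\Windows\System32\Robocopy.exe | ParentImage: C:\Windows\System32\cmd.exe | CommandLine: robocopy C:\Users\alice\Documents D:\backup /MIR",
]

# Signal Desktop's data directory on Windows, written as a literal path,
# as %APPDATA%\Signal, or as $env:APPDATA\Signal in PowerShell.
SIGNAL_DATA_DIR = re.compile(
    r"(?:\\appdata\\roaming|%appdata%|\$env:appdata)\\signal(?=[\\\s\"']|$)",
    re.IGNORECASE,
)

# Utilities an actor would use to copy, script or archive the data for staging.
STAGING_TOOLS = {
    "robocopy.exe", "xcopy.exe", "copy.exe", "cmd.exe",
    "powershell.exe", "pwsh.exe", "7z.exe", "rar.exe", "tar.exe",
}


def parse_event(line: str) -> dict:
    """Split one 'Key: value | Key: value' line into a dict."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def is_signal_staging(event: dict) -> bool:
    """True when a staging tool's command line touches Signal's data directory.
    Signal itself is excluded: it legitimately references its own directory,
    which would otherwise fire on every launch."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image == "signal.exe":
        return False
    return image in STAGING_TOOLS and bool(SIGNAL_DATA_DIR.search(event.get("CommandLine", "")))


def detect_signal_staging(lines):
    """Return the parsed events that look like Signal Desktop data staging."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_signal_staging(event):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in detect_signal_staging(EVENTS):
        print(hit["Image"], "->", hit["CommandLine"])
```

Two of the four constructed events fire (the Robocopy run against the Signal directory and the hidden PowerShell copy of the database), while Signal’s own launch and an unrelated Robocopy backup do not. In production the same rule belongs in the EDR or SIEM query language, with the parent-process field used to add context such as a script host launched from an Office document.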

“Signal’s popularity among common targets of surveillance and espionage activity — such as military personnel, politicians, journalists, activists and other at-risk communities — has positioned the secure messaging application as a high-value target for adversaries seeking to intercept sensitive information that could fulfill a range of different intelligence requirements,” the Google researchers explain. “More broadly, this threat also extends to other popular messaging applications such as WhatsApp and Telegram, which are also being actively targeted by Russian-aligned threat groups using similar techniques.”

In anticipation of a wider adoption of similar tradecraft by other threat actors, they added, “we are issuing a public warning regarding the tactics and methods used to date to help build public awareness and help communities better safeguard themselves from similar threats.”

The researchers are advising potential targets and others to implement strong security measures on their personal devices, including enabling a screen lock with a long, complex password instead of a simple PIN, keeping operating systems and messaging apps updated, and ensuring Google Play Protect is enabled to detect malicious activity. Users should also regularly audit the list under Signal’s “Linked devices” setting and unlink anything they do not recognize, since an attacker’s linked device keeps receiving messages until it is removed, and should treat QR codes and web links from unexpected sources with caution, especially any that ask them to “link” or “verify” a device.

Additional recommendations include enabling two-factor authentication where available, such as fingerprint recognition, security keys or one-time codes, to add an extra layer of security. The researchers add that iPhone users at high risk of surveillance should also consider activating Lockdown Mode, which significantly reduces the device’s attack surface.

Image: SiliconANGLE/Ideogram
