Russia-aligned threat groups dupe Ukrainian targets via Signal

Google researchers say multiple Russian state threat groups have conducted remote phishing operations to target and compromise Signal accounts.
Russian soldiers stand on Red Square in central Moscow on September 29, 2022, as the square is sealed prior to a ceremony of the incorporation of the new territories into Russia. (Photo by ALEXANDER NEMENOV/AFP via Getty Images)

Russian state threat groups have compromised Signal accounts used by Ukrainian military and government personnel to eavesdrop on real-time communications, Google Threat Intelligence Group said in a report released Wednesday.

“This is a persistent, ongoing campaign being carried out by multiple different Russia-aligned threat actors,” Dan Black, principal analyst at Google Threat Intelligence Group, said in an email to CyberScoop.

Researchers observed three threat groups escalating efforts to compromise Signal accounts, likely to gain access to sensitive information of interest to Russia’s intelligence services, including intelligence on the country’s invasion of Ukraine. Some of the ongoing efforts date back to 2023.

Government officials, political figures and vulnerable populations have turned to Signal and other encrypted messaging apps to reduce the risk of cybercriminals snooping on communications. Federal cyber authorities in December encouraged the use of Signal and other encrypted message apps in the wake of Salt Typhoon’s spree of attacks on U.S. and global telecom networks.

Threat groups’ growing efforts to target Signal and other secure messaging applications put these platforms, the alternatives to less secure forms of communication, at elevated risk.

“Targeting tends to scale with popularity,” Black said. “The more society adopts these secure messaging apps for day-to-day use, the more we are likely to see them targeted by other threat actors across espionage and financial motives.”

The volume of tactics and Russia-aligned threat groups targeting end-to-end encrypted messaging apps is steadily increasing, Black said.

The most widely used technique observed by Google Threat Intelligence Group involves abuse of Signal’s linked devices feature, which allows users to access the app on multiple devices concurrently. Threat groups have crafted malicious QR codes and tricked Ukrainian military and government personnel into scanning them, linking the victim’s account to a Signal instance controlled by the threat group.

Remote phishing operations — including malicious QR codes, altered legitimate group invites, security alerts and other device-pairing instructions — have provided Russian threat groups a persistent means to surveil conversations in real time.
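The linked-devices abuse described above can be screened for on the defender's side by classifying decoded QR payloads before anyone scans them. The following is an added example, not code from the report or from Signal; it assumes Signal's device-linking QR encodes an `sgnl://linkdevice` URI carrying `uuid` and `pub_key` parameters and that group-invite links use the `signal.group` host, and all sample values are constructed placeholders.

```python
"""Classify decoded QR-code payloads to flag Signal device-linking requests."""
from urllib.parse import urlsplit, parse_qs

# Assumption: Signal's device-linking QR encodes an "sgnl://linkdevice" URI whose
# query carries the new device's identity ("uuid") and public key ("pub_key").
LINK_SCHEME = "sgnl"
LINK_HOST = "linkdevice"
REQUIRED_PARAMS = ("uuid", "pub_key")
GROUP_HOST = "signal.group"  # assumption: group-invite links live on this host


def classify_qr_payload(payload: str) -> dict:
    """Return a verdict for one decoded QR payload.

    kind: "device_link" (would link a new device to the scanner's account),
          "group_invite", or "other".
    risk: "high" for any device-link request, because scanning one outside
          Signal's own "Linked devices" screen hands a third party a live
          session that mirrors future messages; "low" otherwise.
    """
    parts = urlsplit(payload.strip())
    query = parse_qs(parts.query)
    if parts.scheme.lower() == LINK_SCHEME and parts.netloc.lower() == LINK_HOST:
        missing = [p for p in REQUIRED_PARAMS if p not in query]
        return {
            "kind": "device_link",
            "risk": "high",
            "complete": not missing,  # a malformed link still signals intent
            "device_uuid": query.get("uuid", [None])[0],
        }
    if parts.scheme == "https" and parts.netloc.lower() == GROUP_HOST:
        return {"kind": "group_invite", "risk": "low", "complete": True, "device_uuid": None}
    return {"kind": "other", "risk": "low", "complete": True, "device_uuid": None}


# Constructed sample payloads (placeholder values, not real keys or accounts).
SAMPLES = {
    "link": "sgnl://linkdevice?uuid=PLACEHOLDER-UUID&pub_key=PLACEHOLDER-KEY",
    "link_missing_key": "sgnl://linkdevice?uuid=PLACEHOLDER-UUID",
    "group": "https://signal.group/#PLACEHOLDER-INVITE",
    "web": "https://example.com/notice",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, classify_qr_payload(payload))
```

Any payload classified as `device_link` that arrived through a chat message, a "security alert" or an edited group invite is exactly the pairing lure the report describes, and it is worth treating as an incident rather than a curiosity.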

About half of the activity observed by Google Threat Intelligence Group was post-compromise, according to a researcher with the group.

Sandworm, a threat group Google tracks as APT44 that operates on behalf of the Russian Main Military Intelligence Unit 74455 (GRU), has also enabled Russian military forces to link Signal accounts on devices captured on the battlefield to infrastructure controlled by the threat group for follow-on exploitation, the report said. 

Google linked two other suspected Russian threat groups — UNC5792 and UNC4221 — to active targeting of Signal accounts.

Google Threat Intelligence Group said it investigated the malicious activity with Signal, which pushed security updates to its Android and iOS apps to help bolster accounts against similar phishing techniques in the future. 

Signal did not respond to a request for comment.

Researchers warn the threat isn’t limited to Signal, but extends to other messaging platforms, including WhatsApp and Telegram.

“This latest activity is yet another example of the lengths threat actors will go through to find novel methods to compromise sensitive, encrypted communications,” Black said. “The good news though is these encrypted messaging apps present a substantial challenge for all threat actors — even those backed by the GRU — to collect these signals at scale.”

Written by Matt Kapko

Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University.