US Rewards $10 Million for Information on Group Responsible for Signal and WhatsApp Hacks

U.S. Authorities Seek Public Assistance in Pinpointing Russian Cyber Group

Federal authorities are offering a reward of up to $10 million for information that leads to the identification or location of a Russian state-sponsored cyber group believed to have compromised thousands of Signal and WhatsApp accounts. Notably, these accounts belong to investigative journalists and U.S. government personnel, indicating a significant breach of trust and security.

This extensive operation has been active since at least March, when the FBI issued a warning about ongoing phishing campaigns. The campaigns target high-value individuals, using tactics typically associated with Russian intelligence services. Attackers send fraudulent messages that appear to be automated support notifications and prompt users to click links or disclose verification codes and passcodes; when a target complies, the attackers either gain access to the account alongside the victim or take it over entirely, locking the victim out.

The compromised accounts let the attackers read new messages sent to the victims, while a built-in safety feature of Signal prevents them from accessing previous conversations. The victims include individuals categorized as high-value intelligence targets: current and former U.S. government officials, military personnel, political figures, and journalists.

In a recent update, the FBI disclosed that the phishing tactics had evolved. Alongside messages that impersonate support bots to trick individuals into linking their accounts to attacker-controlled devices, attackers now encourage users to back up their message history. The request asks the victim to send the long passcode that unlocks the encrypted backup stored on Signal's servers, giving the attackers access to past conversations as well. The two Russian cyber groups involved have been designated UNC5792 and UNC4221.

The messages mix legitimate advice with phishing lures. One masqueraded as a security update from Signal, warning recipients that account hacking attempts were on the rise and attributing them to third-party device connections. Claiming a joint investigation with U.S. and European partners, the message asserted that the attackers may originate from Iran and other post-Soviet nations.

The message went on to recommend enabling two-factor verification and gave step-by-step instructions for setting up Signal backups. By urging users to stay vigilant about their security, the message illustrates the character of contemporary threats, in which attackers exploit user trust as much as technical weaknesses.

Several parts of the MITRE ATT&CK framework describe the tactics used in these attacks. The Initial Access tactic, and the Phishing technique within it, cover the methods used to infiltrate targeted accounts. Techniques related to credential dumping could also be applicable, given the compromised verification codes. As organizations look to protect themselves against such threats, awareness of these tactics is essential for developing robust cybersecurity strategies.

In conclusion, the ongoing efforts by federal authorities underline the urgent need for increased vigilance among high-profile individuals and organizations. Cybersecurity is a shared responsibility that requires proactive measures and heightened awareness to mitigate risks posed by sophisticated adversaries in the digital realm.
