Are your Signal, WhatsApp, or Telegram accounts secure? Recent warnings from Google highlight an escalation in cyberattacks by Russian state-sponsored groups targeting these messaging platforms. Discover how they are intercepting communications and learn how to protect yourself.
According to a recent report from Google’s Threat Intelligence Group, Russian state-sponsored actors are stepping up efforts to compromise Signal accounts in order to read sensitive communications. These groups are often connected to Russian intelligence services and focus on accounts belonging to individuals of interest, including military personnel, politicians, journalists, and activists. While the immediate activity is tied to the conflict in Ukraine, analysts expect the same tactics to spread to other regions and to a wider range of threat actors.
The main technique abuses Signal’s legitimate “linked devices” feature, which lets a user pair a second client (Signal Desktop or an iPad) to their phone by scanning a QR code. Using phishing lures, attackers trick the victim into scanning a QR code that, instead of joining a group or completing a security check, links the victim’s account to a device the attacker controls. From that moment the attacker’s device receives the victim’s conversations in real time, already decrypted, without any malware on the victim’s phone and without breaking Signal’s encryption: the protocol is simply delivering messages to a device the victim appears to have authorised.
These malicious QR codes are usually disguised as legitimate Signal notifications: group invitations, security warnings, or device-pairing instructions. In some cases the codes are embedded in phishing websites that closely imitate applications used by the Ukrainian military.
The same trick is also used in close-access operations, for example when Russian forces capture a device on the battlefield and link the account to an attacker-controlled device on the spot. Because the link is a built-in feature rather than malware, nothing is installed that endpoint or network monitoring would flag, so the compromise can persist unnoticed for long periods and is hard to detect centrally.
One group, tracked as UNC5792 (UAC-0195), has been observed modifying legitimate Signal group invitation links. The fraudulent links lead to counterfeit invite pages that, instead of joining the group, trigger the device-linking flow for a device the attackers control. Because these phishing pages closely mirror official Signal invites, victims have little to alert them.
Another group identified as UNC4221 (UAC-0185) has targeted Ukrainian military personnel by embedding malicious QR codes in phishing websites that mimic artillery guidance applications. They have also utilized fake Signal security alerts to mislead victims during these operations.
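The attack in the preceding paragraphs works because a QR code or link that is presented as a “group invite” or “security alert” actually carries a device-linking request. The following added example (not code from the article or from Google’s report) triages the text decoded from a QR code or extracted from an invite page and tells the two apart. It assumes the link formats used by the public Signal clients: a group invite is an `https://signal.group/#<fragment>` link, and a device-linking request is a `sgnl://linkdevice?uuid=<id>&pub_key=<key>` URI, which is what a freshly installed Signal Desktop or iPad client shows for the phone to scan. The host allowlist and all sample payloads are constructed for the example.

```python
"""Triage decoded QR / link payloads: genuine Signal invite vs device-linking request.

Added example, not from the article or from Google's report. Link formats are
assumed from the public Signal clients; sample payloads below are constructed.
"""
from urllib.parse import urlsplit, parse_qs

SIGNAL_INVITE_HOST = "signal.group"
# Hosts Signal itself uses for links (assumed allowlist, extend as needed).
# Any other host containing "signal"/"sgnl" is treated as a lookalike.
KNOWN_SIGNAL_HOSTS = {"signal.group", "signal.org", "signal.me"}


def classify_payload(text: str) -> dict:
    """Return {"verdict": ..., "reason": ...} for one decoded payload.

    Verdicts: "signal-invite" (real-looking group invite), "device-link"
    (scanning it adds a NEW device to the scanning account), "lookalike"
    (web link whose host imitates Signal), "other".
    """
    parts = urlsplit(text.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()

    if scheme == "sgnl":
        if host == "linkdevice":
            # uuid and pub_key identify the device that will be linked; in the
            # attack described above that device belongs to the attacker.
            q = parse_qs(parts.query)
            complete = "uuid" in q and "pub_key" in q
            return {
                "verdict": "device-link",
                "reason": "scanning this links the holder of pub_key to your account"
                + ("" if complete else " (malformed: uuid/pub_key missing)"),
            }
        return {"verdict": "other", "reason": f"sgnl action {host!r}"}

    if scheme in ("http", "https"):
        if host == SIGNAL_INVITE_HOST and parts.fragment:
            return {"verdict": "signal-invite", "reason": "invite on signal.group"}
        if host not in KNOWN_SIGNAL_HOSTS and ("signal" in host or "sgnl" in host):
            return {"verdict": "lookalike", "reason": f"host {host!r} imitates Signal"}
    return {"verdict": "other", "reason": "not a Signal link"}


def claimed_invite_is_linking(links: list[str]) -> bool:
    """True if a page presented as a group invite carries a device-linking
    request anywhere in its links, i.e. the invite-to-link swap described above."""
    return any(classify_payload(link)["verdict"] == "device-link" for link in links)


SAMPLE_PAYLOADS = [  # constructed, not real invites or keys
    "https://signal.group/#CjQKIHplbmVzdA1234567890abcdefghijk",
    "sgnl://linkdevice?uuid=Qm9ndXNEZXZpY2U&pub_key=QmFzZTY0UHViS2V5",
    "https://signal-group.example/#CjQKIHplbmVzdA",
    "https://signal.group.example/#CjQKIHplbmVzdA",
    "sgnl://addstickers/?pack_id=1&pack_key=2",
    "https://example.org/",
]


def triage(payloads: list[str]) -> list[tuple[str, str]]:
    """Classify a batch of payloads; returns (payload, verdict) pairs."""
    return [(p, classify_payload(p)["verdict"]) for p in payloads]


if __name__ == "__main__":
    for payload, verdict in triage(SAMPLE_PAYLOADS):
        print(f"{verdict:14} {payload}")
    print("fake invite page carries linking request:",
          claimed_invite_is_linking(SAMPLE_PAYLOADS[:2]))
```

The useful rule of thumb this encodes: joining a group never requires your phone to scan anything, and the only legitimate place a linking QR appears is on a Signal client you have just installed yourself. Any “invite” or “security alert” that resolves to `sgnl://linkdevice` should be treated as an attempt to add an attacker’s device to your account.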
Alongside the phishing, the advanced persistent threat group APT44 (Sandworm) uses malware and scripts to pull Signal messages off compromised Windows and Android devices: its WAVESIGN script queries recent messages, and the Infamous Chisel Android malware searches the device for Signal’s database files. Turla and UNC1151 concentrate on Signal Desktop, using scripts and tools that harvest the locally stored message database and exfiltrate it. UNC4221 has also deployed a JavaScript payload named PINPOINT that collects basic user information and geolocation data from victims’ systems.
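For the desktop-side harvesting described above, the defender’s leverage is that Signal Desktop keeps its store in a known place: on Windows, `%APPDATA%\Signal\` holds `sql\db.sqlite` (an SQLCipher database) and `config.json` (which contains the key material needed to open it), and the only process that should normally touch either is the Signal client itself. The following added example (not from the article or from Google’s report) runs that check over process-creation records. The log lines and their simple `key=value` layout are constructed for the example; map the regex onto whatever your EDR or Sysmon pipeline emits.

```python
"""Flag non-Signal processes whose command line touches Signal Desktop's store.

Added example; log format and sample lines are constructed, not real telemetry.
Paths assumed from Signal Desktop's default Windows profile location.
"""
import re
from pathlib import PureWindowsPath

# The SQLCipher database and the config holding its key, under the profile
# directory however it is spelled (expanded path, %APPDATA%, or $env:APPDATA).
SIGNAL_STORE = re.compile(
    r"(?:AppData\\Roaming|%APPDATA%|\$env:APPDATA)\\Signal\\"
    r"(?:sql(?:\\db\.sqlite)?|config\.json)",
    re.IGNORECASE,
)
# Constructed process-creation record layout: ts=... image=... cmdline="..."
LINE = re.compile(r'ts=(?P<ts>\S+)\s+image=(?P<image>\S+)\s+cmdline="(?P<cmdline>[^"]*)"')
# The client itself is the only expected reader of its own store.
EXPECTED_READERS = {"signal.exe"}

SAMPLE_LOG = r'''
ts=2025-02-20T08:01:13Z image=C:\Users\alice\AppData\Local\Programs\signal-desktop\Signal.exe cmdline="Signal.exe"
ts=2025-02-20T08:04:52Z image=C:\Windows\System32\Robocopy.exe cmdline="robocopy C:\Users\alice\AppData\Roaming\Signal\sql C:\ProgramData\cache db.sqlite /R:1"
ts=2025-02-20T08:05:10Z image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -c Get-Content $env:APPDATA\Signal\config.json"
ts=2025-02-20T08:06:00Z image=C:\Windows\explorer.exe cmdline="explorer C:\Users\alice\Documents"
ts=2025-02-20T08:07:30Z image=C:\Users\alice\AppData\Local\Programs\signal-desktop\Signal.exe cmdline="Signal.exe --user-data-dir=C:\Users\alice\AppData\Roaming\Signal\sql"
'''


def find_signal_store_access(log_text: str) -> list[dict]:
    """Return one hit per record where a process other than Signal.exe
    references the Signal Desktop database or its config on its command line."""
    hits = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        path_hit = SIGNAL_STORE.search(m["cmdline"])
        if not path_hit:
            continue
        image_name = PureWindowsPath(m["image"]).name.lower()
        if image_name in EXPECTED_READERS:
            continue  # the client reading its own store is normal
        hits.append({
            "ts": m["ts"],
            "image": image_name,
            "target": path_hit.group(0),
            "cmdline": m["cmdline"],
        })
    return hits


if __name__ == "__main__":
    for hit in find_signal_store_access(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["image"]} -> {hit["target"]}')
```

Copy tools and shells are the obvious readers to catch, but the same rule applies to archivers, backup agents and anything staging files for exfiltration; the point is the pairing of an unexpected image with the Signal store path, not a list of tool names. On macOS and Linux the profile lives under the user’s Application Support or `~/.config` directory respectively, so the path pattern needs adjusting per platform.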
The growing popularity of secure messaging platforms has made them attractive targets for cyber adversaries, with other applications like WhatsApp and Telegram also experiencing similar threats. The increasing operational emphasis on Signal by multiple threat actors in recent months serves as a critical warning regarding the escalating risks to secure messaging applications.
In light of these developments, users should stay vigilant: use a strong screen lock (a long passcode rather than a short PIN), keep the operating system and apps up to date, and enable Google Play Protect on Android. Regularly audit the devices linked to your account (in Signal, Settings > Linked devices) and remove any you do not recognise, treat QR codes and links received in messages with suspicion, and enable the app’s two-factor protection (Signal’s Registration Lock PIN, for example). Those at heightened risk, especially iPhone users, should consider enabling Lockdown Mode.