Friday, June 13, 2025

Russian Hackers Target Signal Messenger Users to Steal Sensitive Data


Russian state-aligned threat actors have intensified their efforts to compromise Signal Messenger accounts, targeting individuals of strategic interest, according to the Google Threat Intelligence Group (GTIG).

These campaigns, primarily linked to Russia’s ongoing military operations in Ukraine, aim to intercept sensitive communications from military personnel, politicians, journalists, and activists.

The attackers are exploiting Signal’s “linked devices” feature, which lets a user attach additional devices, such as Signal Desktop or a tablet, to an existing account by scanning a QR code generated by the new device.


By presenting malicious QR codes disguised as legitimate resources, such as group invites or security alerts, the threat actors trick victims into scanning what is in fact a device-linking code. The scan links the victim’s account to an actor-controlled device, which from then on receives a copy of the victim’s messages in real time, without any malware on the victim’s phone.

The abuse of the linked devices feature has emerged as a low-signature attack vector.

Once a device is linked, unauthorized access is hard to detect: the victim’s app keeps working normally, the only visible indicator is an extra entry in the Linked Devices list, and there is no centralized mechanism that would flag the new device to the user or to a defender.

This method has been employed in both remote phishing operations and close-access scenarios where physical access to devices was possible.

Sophisticated Phishing Campaigns

Two prominent Russian-linked groups, UNC5792 and UNC4221, have been identified as key players in these operations.

UNC5792 has modified legitimate Signal group invite pages, replacing the URI that would normally join the group with a device-linking URI, so that a victim who believes they are joining a group instead links their account to an attacker-controlled device.

Figure: Malicious device-linking QR code hosted on UNC4221-controlled domain “signal-confirm[.]site”

According to the Google Threat Intelligence Group, these phishing pages are hosted on domains designed to mimic legitimate Signal infrastructure.

Similarly, UNC4221 has developed tailored phishing kits targeting Ukrainian military personnel.

These kits often masquerade as components of trusted applications like Kropyva, used for artillery guidance.

The group employs malicious QR codes embedded within phishing websites or fake security alerts, tricking victims into linking their accounts.
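The two lures described above (a tampered group invite page and a QR code on a look-alike domain) share one technical tell: the URI the victim ends up scanning or opening is a Signal device-linking URI rather than a group-join URI. The following Python script is an added example, not code from GTIG, Signal or the actors’ kits. It classifies a URI decoded from a QR code and scans a page’s markup for device-linking URIs hiding behind “join group” wording. It relies on Signal’s public link formats: group invites use `https://signal.group/#<blob>` (or the `sgnl://` scheme), and device linking uses `sgnl://linkdevice?uuid=<id>&pub_key=<key>`. All sample URIs, identifiers and HTML below are constructed for illustration.

```python
"""Classify Signal URIs from a QR payload or a phishing page.

Link formats relied on (Signal's public URI shapes):
  group invite    https://signal.group/#<base64url blob>   (also sgnl://signal.group/#...)
  device linking  sgnl://linkdevice?uuid=<base64url>&pub_key=<urlencoded base64>
Every URI, identifier and HTML snippet in this file is constructed sample data.
"""
import html
import re
from urllib.parse import parse_qs, urlsplit

DEVICE_LINK = "device-link"
GROUP_INVITE = "group-invite"
OTHER = "other"

# Matches sgnl:// and http(s):// URIs inside attributes or script strings.
URI_RE = re.compile(r"(?:sgnl|https?)://[^\s\"'<>]+")


def classify_signal_uri(uri: str) -> str:
    """Return what a Signal URI would do if the app opened it."""
    parts = urlsplit(uri.strip())
    scheme = parts.scheme.lower()
    host = parts.netloc.lower()
    if scheme == "sgnl" and host == "linkdevice":
        return DEVICE_LINK
    if host == "signal.group" and scheme in ("https", "sgnl") and parts.fragment:
        return GROUP_INVITE
    return OTHER


def device_link_params(uri: str):
    """Extract the new device's id and public key from a linking URI.

    Signal URL-encodes pub_key, so '+' in the base64 arrives as %2B and
    parse_qs decodes it back correctly.
    """
    query = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    uuid = query.get("uuid", [None])[0]
    pub_key = query.get("pub_key", [None])[0]
    return uuid, pub_key


def extract_uris(markup: str):
    """Pull unique URIs out of HTML/JS after undoing entity escaping (&amp;)."""
    return list(dict.fromkeys(URI_RE.findall(html.unescape(markup))))


def audit_invite_page(markup: str):
    """Device-linking URIs found on a page that presents itself as a group invite.

    A legitimate invite page yields an empty list; any hit means scanning or
    clicking would attach an unknown device to the victim's account.
    """
    findings = []
    for uri in extract_uris(markup):
        if classify_signal_uri(uri) == DEVICE_LINK:
            uuid, pub_key = device_link_params(uri)
            findings.append({"uri": uri, "uuid": uuid, "pub_key": pub_key})
    return findings


# Constructed sample: page text says "join group", but the link pairs a device.
TAMPERED_INVITE_PAGE = """
<html><body>
<h1>Join the group "Unit Coordination"</h1>
<a id="join" href="sgnl://linkdevice?uuid=LNsXtPb7Ts6G7b0K3n6tuw&amp;pub_key=BaZ3fakeKeyValue">Open Signal</a>
<script>window.location = "sgnl://linkdevice?uuid=LNsXtPb7Ts6G7b0K3n6tuw&pub_key=BaZ3fakeKeyValue";</script>
</body></html>
"""

# Constructed sample: what a genuine invite page points at.
LEGIT_INVITE_PAGE = '<a href="https://signal.group/#CjQKIEqFakeInviteBlob">Join group</a>'

if __name__ == "__main__":
    for uri in ("https://signal.group/#CjQKIEqFakeInviteBlob",
                "sgnl://linkdevice?uuid=LNsXtPb7Ts6G7b0K3n6tuw&pub_key=BaZ3fakeKeyValue"):
        print(classify_signal_uri(uri), uri)
    print("tampered page findings:", audit_invite_page(TAMPERED_INVITE_PAGE))
    print("legit page findings:", audit_invite_page(LEGIT_INVITE_PAGE))
```

The same `classify_signal_uri` check applies to the raw string a QR decoder returns: a “security alert” or “group invite” whose QR payload starts with `sgnl://linkdevice` is a device-pairing request, whatever the surrounding page says. The check is purely lexical and does not contact Signal’s servers, so it can run in a proxy, a mail gateway or a QR-scanning helper without side effects.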

Beyond phishing campaigns, other Russian and Belarusian threat actors have deployed malware and scripts to exfiltrate Signal database files directly from compromised Android and Windows devices.

For example, the malware “Infamous Chisel,” attributed to the GRU-linked APT44 group, searches for Signal database files on Android devices.

Turla, another Russian actor associated with the FSB, has used PowerShell scripts in post-compromise scenarios to extract Signal Desktop messages.

Implications for Secure Messaging Platforms

The targeting of Signal underscores a broader trend of escalating threats against secure messaging platforms, with similar interest observed in WhatsApp and Telegram.

The tactics employed by these threat actors highlight the growing demand for offensive cyber capabilities aimed at surveilling sensitive communications in conflict zones and beyond.

To mitigate these risks, GTIG advises users to protect their devices with a long, complex screen-lock password and two-factor authentication, to regularly review Signal’s Linked Devices list (Settings > Linked Devices) and remove any device they do not recognize, and to treat QR codes and links that ask them to “verify”, “confirm” or “join” with caution, since a legitimate group invite never requires linking a new device.

Signal has also introduced updates with enhanced protections against such phishing campaigns, emphasizing the importance of keeping apps up-to-date.

As state-backed cyber operations evolve, secure messaging applications will remain high-value targets for espionage and surveillance activities.

This trend necessitates heightened vigilance from both users and developers to safeguard critical communications from adversarial exploitation.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
