
Russian Hackers Exploit Linked Devices in Signal to Intercept Sensitive Messages

Russian state-backed hacking groups are increasingly targeting secure messaging applications such as Signal, WhatsApp, and Telegram, according to a recent report from Google’s Threat Intelligence Group. The groups, often linked to Russian intelligence services, are focusing on compromising accounts used by military personnel, politicians, journalists, and activists. While the activity has so far concentrated on the conflict in Ukraine, experts expect these tactics to spread to other regions and actors in the future.

Exploiting the “Linked Devices” Feature

One of the primary methods employed in these attacks involves exploiting the “linked devices” feature in Signal. Hackers use phishing techniques to trick users into scanning malicious QR codes. These codes secretly link the victim’s Signal account to a device controlled by the attacker, enabling them to eavesdrop on conversations in real time. This approach allows the attacker to monitor messages without needing to compromise the victim’s phone itself.

The phishing QR codes are cleverly disguised as legitimate Signal resources such as group invites, security alerts, or even device pairing instructions. Some phishing pages mimic applications used by the Ukrainian military to further trick victims.

Close-Access Attacks on the Battlefield

In certain cases, Russian state-backed groups have used QR codes in close-access scenarios, such as when Russian forces capture devices on the battlefield. Because the linking happens locally on the captured device, there is no centralized monitoring that would flag it, and the compromise can go unnoticed for long periods.

Specific Groups Behind the Attacks

Several threat groups have been involved in these attacks. UNC5792 (also known as UAC-0195) has been seen modifying legitimate Signal group invite links, redirecting victims to fake pages that initiate unauthorized device linking. The phishing pages look nearly identical to official Signal invites, making them challenging to spot.
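The attack described above and in the “linked devices” section hinges on a mismatch between what a QR code or link claims to be (a group invite, a security alert) and what it actually encodes (a request to pair a new device with the account). The following Python triage helper is an added example, not code from the article or from Signal: it decodes a link payload and reports whether it is a Signal group invite, a device-linking request, a lookalike domain, or something else, so a user or help desk can check a suspicious code before anyone scans it. It assumes the two public Signal link formats, `https://signal.group/#<invite data>` for group invites and `sgnl://linkdevice?uuid=...&pub_key=...` for device pairing; the sample payloads are constructed for illustration.

```python
"""Triage a decoded Signal QR/link payload before acting on it.

Added example (not from the article or from Signal). Assumed link formats:
  - group invite:        https://signal.group/#<invite data in URL fragment>
  - device-link request: sgnl://linkdevice?uuid=<uuid>&pub_key=<base64 key>
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Domains operated by Signal (assumption based on public Signal links).
SIGNAL_DOMAINS = ("signal.org", "signal.group", "signal.me")


@dataclass
class Verdict:
    kind: str    # group_invite | device_link | signal_web | lookalike | other
    risk: str    # low | medium | high
    reason: str


def _is_signal_domain(host: str) -> bool:
    """True for a Signal domain or one of its subdomains, not for lookalikes."""
    return any(host == d or host.endswith("." + d) for d in SIGNAL_DOMAINS)


def classify_link(payload: str) -> Verdict:
    """Classify one decoded QR/link payload."""
    p = urlparse(payload.strip())
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()

    # A device-link request is what the attacker needs the victim to scan.
    # It is never a "group invite" or "security alert", so anything presented
    # that way which decodes to this is the red flag the article describes.
    if scheme == "sgnl" and host == "linkdevice":
        q = parse_qs(p.query)
        if "uuid" in q and "pub_key" in q:
            return Verdict("device_link", "high",
                           "device-linking request: scanning adds a new device to the account")
        return Verdict("device_link", "high", "malformed device-linking request")

    if scheme == "https" and host == "signal.group" and p.fragment:
        return Verdict("group_invite", "low",
                       "Signal group invite (invite data carried in the URL fragment)")

    if scheme == "https" and _is_signal_domain(host):
        return Verdict("signal_web", "low", f"page on Signal domain {host!r}")

    # A hostname that merely contains "signal" is not Signal's; such pages are
    # where the modified invite links in the report redirect victims.
    if "signal" in host:
        return Verdict("lookalike", "high",
                       f"host {host!r} imitates Signal but is not a Signal domain")

    return Verdict("other", "medium", f"not a Signal link (scheme={scheme!r}, host={host!r})")


def triage(payloads):
    """Classify a batch of payloads; returns a list of (payload, Verdict)."""
    return [(pl, classify_link(pl)) for pl in payloads]


# Constructed sample payloads (not real invites or keys).
SAMPLES = [
    "https://signal.group/#CjQKIExampleInviteData",
    "sgnl://linkdevice?uuid=00000000-0000-4000-8000-000000000000&pub_key=QUJDRA%3D%3D",
    "https://signal-group-invite.example/join",
    "https://support.signal.org/hc",
    "https://example.net/artillery-app",
]

if __name__ == "__main__":
    for payload, v in triage(SAMPLES):
        print(f"[{v.risk:6}] {v.kind:13} {payload}\n         {v.reason}")
```

In practice the decoded payload comes from any offline QR reader; the point of the check is that a legitimate group invite never asks the phone to pair a new device, so a “device_link” verdict on something advertised as an invite or alert is enough reason to stop.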

Another group, UNC4221 (UAC-0185), has targeted Ukrainian military personnel by embedding malicious QR codes into phishing sites that mimic artillery guidance applications. They’ve also used fake Signal security alerts to deceive victims.

Malware and Scripts to Extract Messages

Beyond phishing, the threat actor group APT44 (also known as Sandworm) has been using malware and scripts to extract Signal messages from compromised Windows and Android devices. The WAVESIGN script is used to retrieve recent messages, while Infamous Chisel malware searches for Signal database files on Android devices.

Other groups, such as Turla and UNC1151, target the desktop application of Signal, utilizing scripts and tools to exfiltrate stored messages. Additionally, UNC4221 has employed a JavaScript payload known as PINPOINT to gather user information and geolocation data.

Similar Threats to WhatsApp and Telegram

Secure messaging apps like Signal are becoming prime targets due to their popularity, and other platforms, including WhatsApp and Telegram, are facing similar threats from these groups. The researchers warned that the growing threat to secure messaging applications is expected to intensify in the coming months.

How to Stay Safe

To protect yourself from these threats, users are advised to take several precautionary steps:

  • Use strong screen locks with complex passwords.
  • Keep operating systems and apps updated.
  • Ensure Google Play Protect is enabled.
  • Regularly audit linked devices and exercise caution with QR codes and links.
  • Enable two-factor authentication on messaging apps.
  • iPhone users at high risk should consider enabling Lockdown Mode for added security.

By staying cautious and following these steps, users can better protect their sensitive communications from this growing threat.
