Russian Threat Actors Target Signal Accounts
Multiple Russia-aligned threat actors have been observed abusing the linked devices feature of the privacy-focused messaging app Signal to gain unauthorized access to user accounts. The feature itself is working as designed; what is being exploited is the user's willingness to scan a QR code.
According to a report from Google Threat Intelligence Group (GTIG), attackers are leveraging malicious QR codes to link victims’ Signal accounts to actor-controlled devices, allowing them to intercept messages in real time.
How Hackers Hijack Signal Accounts
Abuse of Linked Devices Feature
The linked devices feature in Signal enables users to sync their accounts across multiple devices. Threat actors, particularly one tracked as UNC5792, have exploited this feature by distributing malicious QR codes disguised as legitimate invitations or security alerts.
When a victim scans the QR code, their Signal account is linked to an attacker-controlled device without their knowledge. Because Signal delivers each message to every linked device, the attacker receives a copy of the victim's conversations in real time, with no malware on the victim's phone and no need to break Signal's encryption.
Fake Group Invites and Phishing Pages
Google reports that UNC5792 has hosted fake Signal group invitations on infrastructure designed to resemble legitimate Signal links. Additionally, some phishing campaigns have embedded malicious QR codes in web pages masquerading as Ukrainian military applications.
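As an added example (not code from the GTIG report or from Signal), the following script shows what a defender can look for when triaging a suspected cloned invite page or a QR payload. It assumes, as labelled in the code, that Signal's device-linking QR encodes a custom-scheme URI of the form `sgnl://linkdevice?uuid=...&pub_key=...`, while genuine group invites and contact links live on `signal.group` and `signal.me`; the sample HTML is constructed to mimic an invite page whose redirect has been swapped for a device-linking URI.

```python
"""Triage URIs found in a page or QR payload that claims to be a Signal link.

Added example; not code from the GTIG report or from Signal. Assumption,
labelled: Signal's device-linking QR encodes a custom-scheme URI of the form
sgnl://linkdevice?uuid=<device-id>&pub_key=<key>, while genuine group invites
and contact links use https://signal.group/#... and https://signal.me/#p/...
SAMPLE_PAGE below is constructed, not a real phishing page.
"""
import re
from urllib.parse import parse_qs, urlparse

# Hosts Signal itself uses for web links (assumption: list is not exhaustive).
LEGIT_SIGNAL_HOSTS = {"signal.group", "signal.me", "signal.org", "signal.link", "signal.art"}
URI_RE = re.compile(r"""(?:sgnl|https?)://[^\s'"<>)]+""")


def classify_signal_uri(uri: str) -> dict:
    """Return a verdict for one URI: device-link, legit-signal-web, lookalike, other."""
    p = urlparse(uri.strip())
    if p.scheme == "sgnl":
        # Custom scheme handled by the Signal app. 'linkdevice' asks the phone
        # to add a new linked device; anything else is an ordinary deep link.
        if p.netloc.lower() == "linkdevice":
            q = parse_qs(p.query)
            return {
                "verdict": "device-link",
                "uuid": q.get("uuid", [""])[0],
                "has_pub_key": bool(q.get("pub_key")),
            }
        return {"verdict": "signal-deeplink", "target": p.netloc}
    if p.scheme in ("http", "https"):
        host = (p.hostname or "").lower()
        if host in LEGIT_SIGNAL_HOSTS:
            return {"verdict": "legit-signal-web", "host": host}
        if "signal" in host:
            # Brand name in the hostname but not a Signal domain: typical lure host.
            return {"verdict": "lookalike", "host": host}
        return {"verdict": "other", "host": host}
    return {"verdict": "unknown"}


def audit_invite_page(html: str) -> dict:
    """Scan page text for URIs; alert if an 'invite' page can trigger device linking."""
    findings = []
    for m in URI_RE.finditer(html):
        uri = m.group(0)
        findings.append({"uri": uri, **classify_signal_uri(uri)})
    device_links = [f for f in findings if f["verdict"] == "device-link"]
    return {
        "findings": findings,
        "device_links": len(device_links),
        # A real group invite never needs to link a device: one present is the alert.
        "alert": bool(device_links),
    }


# Constructed sample: reads like a group-invite page, but the JS redirect goes to linkdevice.
SAMPLE_PAGE = """
<html><body>
<p>You have been invited to join the group "Brigade updates".</p>
<a href="https://signal.group/#CjQKIExample">Open in Signal</a>
<script>
  setTimeout(function () {
    window.location = "sgnl://linkdevice?uuid=ZXhhbXBsZS11dWlk&pub_key=QmFzZTY0UHViS2V5";
  }, 500);
</script>
<img src="https://signal-invite.example/qr.png">
</body></html>
"""

if __name__ == "__main__":
    result = audit_invite_page(SAMPLE_PAGE)
    for f in result["findings"]:
        print(f)
    print("ALERT" if result["alert"] else "clean")
```

The useful signal is not the QR image but what the page does after the click: a legitimate invite page redirects into the app to join a group, never to the device-linking flow, so any `linkdevice` URI on an invite page is the alert regardless of how convincing the branding is.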
Other Threat Actors Targeting Signal
UNC4221 and Custom Phishing Kits
Another Russian-linked group, UNC4221 (aka UAC-0185), has specifically targeted Ukrainian military personnel by deploying custom phishing kits that mimic elements of Kropyva, an artillery guidance application used by the Armed Forces of Ukraine.
A lightweight JavaScript payload known as PINPOINT has also been deployed through these kits, allowing attackers to collect basic user information and geolocation data from the victim's browser.
Sandworm, Turla, and UNC1151 Operations
Other Russian-affiliated threat actors go after Signal data on Windows desktops they have already compromised, rather than linking a new device; each reads or copies the local Signal Desktop message store:
- Sandworm (APT44) – Uses a Windows Batch script named WAVESIGN that periodically queries messages from the Signal Desktop database and exfiltrates the most recent ones.
- Turla – Deploys a lightweight PowerShell script to exfiltrate Signal Desktop messages.
- UNC1151 – Uses Robocopy to copy Signal Desktop message content to a staging directory for later exfiltration.
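The desktop tradecraft above leaves process-level traces: a batch or PowerShell script, Robocopy, or a SQLite client touching Signal Desktop's profile directory. The following is an added detection example (not detection content from the GTIG report) run over constructed events modelled on Sysmon Event ID 1 fields. It assumes, as labelled in the code, that Signal Desktop keeps its profile under `%APPDATA%\Signal` on Windows (`~/.config/Signal` on Linux, `~/Library/Application Support/Signal` on macOS), with the encrypted database at `sql\db.sqlite` and key material in `config.json`.

```python
"""Flag processes that read or copy Signal Desktop's local message store.

Added example; not detection content from the GTIG report. It models, at the
process-creation level, the behaviour the report attributes to WAVESIGN (batch
script querying the Signal database), Turla's PowerShell script and UNC1151's
Robocopy staging. Assumptions, labelled: Signal Desktop stores its profile under
%APPDATA%\\Signal on Windows, ~/.config/Signal on Linux and
~/Library/Application Support/Signal on macOS, with the database at
sql\\db.sqlite and key material in config.json. SAMPLE_EVENTS is constructed,
modelled on Sysmon Event ID 1 fields; these are not real logs.
"""
import re
from pathlib import PureWindowsPath

# Ways the profile directory shows up in a (lowercased) command line. Assumption: default paths.
SIGNAL_PROFILE_PATTERNS = [
    r"appdata\\roaming\\signal\b",      # expanded Windows path
    r"%appdata%\\signal\b",             # unexpanded, as written in a .bat script
    r"\$env:appdata\\signal\b",         # PowerShell
    r"\.config/signal\b",               # Linux
    r"application support/signal\b",    # macOS
]
SENSITIVE_FILES = ("db.sqlite", "config.json")   # message DB and its key material
STAGING_TOOLS = {"robocopy.exe", "xcopy.exe", "rclone.exe", "sqlite3.exe", "7z.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

SAMPLE_EVENTS = [  # constructed sample telemetry
    {"Image": r"C:\Users\alice\AppData\Local\Programs\signal-desktop\Signal.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Programs\signal-desktop\Signal.exe"'},
    {"Image": r"C:\Windows\System32\Robocopy.exe",
     "CommandLine": r'Robocopy.exe "C:\Users\alice\AppData\Roaming\Signal" "C:\Users\Public\Libraries\sync" /E /R:1'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c sqlite3.exe "%APPDATA%\Signal\sql\db.sqlite" "SELECT body FROM messages ORDER BY sent_at DESC LIMIT 50"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -w hidden -c "Get-Content $env:APPDATA\Signal\config.json"'},
    {"Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
]


def references_signal_profile(cmdline: str) -> bool:
    """True if the command line names the Signal Desktop profile directory in any spelling."""
    c = cmdline.lower()
    return any(re.search(p, c) for p in SIGNAL_PROFILE_PATTERNS)


def triage(events: list[dict]) -> list[dict]:
    """Return one alert per event in which a non-Signal process touches the Signal profile."""
    alerts = []
    for idx, ev in enumerate(events):
        image = PureWindowsPath(ev["Image"]).name.lower()
        cl = ev.get("CommandLine", "").lower()
        if image == "signal.exe":
            continue  # the client itself is the only expected reader of its own database
        if not references_signal_profile(cl):
            continue
        # Name the copy/query tool if one is involved, either as the image or invoked by a script host.
        tool = next((t for t in STAGING_TOOLS if t == image or t in cl), None)
        if tool:
            reason = f"staging tool {tool}"
        elif image in SCRIPT_HOSTS:
            reason = f"script host {image}"
        else:
            reason = f"unexpected process {image}"
        sensitive = any(f in cl for f in SENSITIVE_FILES)
        alerts.append({"index": idx, "image": image, "reason": reason, "sensitive": sensitive})
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(a)
```

In production this rule needs an allowlist for backup agents and sync clients that legitimately copy the whole profile directory, and it only sees command lines: a script that reads the database through in-process file I/O would need file-access telemetry on `db.sqlite` and `config.json` rather than process creation.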
Broader Implications for Secure Messaging Apps
Rising Threats to Secure Communication
The disclosure from Google follows a Microsoft Threat Intelligence report linking the Russian group Star Blizzard to spear-phishing campaigns that hijacked WhatsApp accounts through the same linked-device mechanism: a QR code that, once scanned, enrolled the attacker's device on the victim's account.
Additionally, Microsoft and Volexity recently reported that multiple Russian actors are using device code phishing, in which the victim is talked into entering an attacker-generated code into Microsoft's device login flow, to take over Microsoft 365 accounts; the initial approaches to targets were made over Signal, WhatsApp and Microsoft Teams.
Growing Risks Beyond Phishing Attacks
Google warns that threats to secure messaging applications are expanding beyond remote cyber operations like phishing and malware delivery. Attackers are also employing close-access techniques, where they briefly gain physical access to a target’s unlocked device to compromise their accounts.
New SEO Poisoning Campaign Distributes Malware
Fake Download Pages Spreading Infostealers
In a separate but related development, researchers have uncovered an SEO poisoning campaign that uses fake download pages impersonating apps like Signal, LINE, Gmail, and Google Translate. These pages distribute backdoored executables aimed at Chinese-speaking users.
According to Hunt.io, these executables follow a consistent attack pattern involving:
- Temporary file extraction
- Process injection
- Security modifications
- Network communications
The malware strain, referred to as MicroClip, exhibits functionality similar to infostealers, further raising concerns about malicious actors targeting secure communication platforms.
Conclusion
The surge in Signal-focused cyberattacks highlights the growing threats to secure messaging applications. With multiple Russian-aligned actors actively abusing the linked devices feature, users must remain vigilant against phishing attempts, malicious QR codes, and fake download pages.
To enhance security, Signal users are advised to:
- Treat any QR code that does not come from Signal's own Linked Devices screen as suspect: scanning a device-linking code is all it takes to add a device, and a genuine group invite never asks you to link one.
- Enable Signal's Registration Lock (PIN), which prevents the account from being re-registered on another phone without the PIN; note that it does not block linked devices, so it complements rather than replaces the next point.
- Regularly review Settings > Linked Devices and remove any device you do not recognize.
- Avoid clicking on unsolicited group invitations, and install Signal Desktop only from signal.org, never from a search-engine result or a third-party download page.
As cyber threats continue to evolve, safeguarding private communications should be a top priority for individuals and organizations alike.