Signal, as an encrypted messaging app and protocol, remains relatively secure. But Signal’s growing popularity as a tool to circumvent surveillance has led agents affiliated with Russia to try to manipulate the app’s users into surreptitiously linking their devices, according to Google’s Threat Intelligence Group.
While Russia’s continued invasion of Ukraine is likely driving the country’s desire to work around Signal’s encryption, “We anticipate the tactics and methods used to target Signal will grow in prevalence in the near-term and proliferate to additional threat actors and regions outside the Ukrainian theater of war,” writes Dan Black at Google’s Threat Intelligence blog.
There was no mention of a Signal vulnerability in the report. Nearly all secure platforms can be overcome by some form of social engineering. Microsoft 365 accounts were recently revealed to be the target of “device code flow” OAuth phishing by Russia-related threat actors. Google notes that the latest versions of Signal include features designed to protect against these phishing campaigns.
The primary attack channel is Signal’s “linked devices” feature, which allows one Signal account to be used on multiple devices, like a mobile device, desktop computer, and tablet. Linking typically occurs through a QR code prepared by Signal. Malicious “linking” QR codes have been posted by Russia-aligned actors, masquerading as group invites, security alerts, or even “specialized applications used by the Ukrainian military,” according to Google.
Apt44, a Russian state hacking group within that state’s military intelligence, GRU, has also worked to enable Russian invasion forces to link Signal accounts on devices captured on the battlefront for future exploitation, Google claims.
Another ease-of-use feature, Signal “Group Link” invite pages, is similarly being exploited, with its QR codes linking a user’s device instead of adding them into a group chat. These and other methods, including a phishing kit themed to look like Ukraine’s artillery guidance app, Kropyva, are often hosted on a lookalike URL, such as “signal-confirm.site,” or “signal-protect.host.”
Other methods used by APT44 and other actors include malware on Windows and Android devices, which search out Signal databases, then prepare the messages for scraping and transmission, according to Google.
The Threat Intelligence post notes that while Signal is a known and popular target, “this threat is not only limited to Signal, but also extends to other widely used messaging platforms, including WhatsApp and Telegram.” Microsoft last month posted about a campaign by Russia-aligned Star Blizzard to deploy a similar device-linking phishing attack against WhatsApp users engaged with Ukrainian topics.
The best defense against device-linking Signal hijacking, Google suggests, is good security hygiene: implementing complex screen-locking passphrases (not just numbers); keeping devices up to date; regularly checking a linked device’s list in Signal or other apps; and being exceptionally wary of QR codes and group chat invites you did not request.
APT44 and other Russia-linked hacking groups working primarily in espionage have recently been seen collaborating frequently with financial cybercriminals. Financially motivated hackers get access to previously unavailable tools and rich targets, while nation-state actors can make use of “bulletproof” servers that resist law enforcement takedowns and muddle their identities and motivations with the larger crime world.