Multiple threat groups aligned with Russia are currently focusing their efforts on the Signal Messenger application, particularly targeting individuals likely to engage in sensitive military and governmental communications amid the ongoing conflict in Ukraine. This activity has been identified by researchers at Google’s Threat Intelligence Group (GTIG), who recently reported that, at present, these attacks seem to be aimed primarily at individuals of interest to Russian intelligence services.
Likely to Become More Prevalent
According to Dan Black, a threat analyst at Google, the tactics employed in these campaigns are expected to gain traction in the near future, potentially spreading to other threat actors and regions beyond the immediate Ukrainian conflict. The two primary Russian cyber-espionage groups identified in this context are UNC5792, tracked by Ukraine’s CERT as UAC-0195, and UNC4221, also known as UAC-0185. Their objective is to deceive targeted victims into linking their Signal accounts to devices controlled by the attackers, allowing the latter to access incoming messages.
The attacks exploit the “linked devices” feature of the Signal app, which enables users to securely connect and synchronize their accounts across multiple devices. However, the methods employed by each group to trick their targets into linking their accounts differ slightly. UNC5792 has been observed sending invitations that appear to be legitimate Signal group invites, accompanied by a malicious QR code. When victims scan this code, they inadvertently link their accounts to a device controlled by the attackers.
In contrast, UNC4221 has developed a customized phishing kit that mimics elements of Kropyva, an application utilized by Ukraine’s military for artillery guidance. This group has created phishing sites themed around Kropyva, embedding malicious QR codes within them. Additionally, they have set up fake sites that purport to provide legitimate instructions for linking devices on Signal, further encouraging victims to scan their harmful QR codes.
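The common thread in both campaigns is that the QR code does something other than what the accompanying message claims. A small, defensive triage check makes that mismatch visible before anyone scans a code. The following is an added example written for this article; it is not code from Signal, from Google, or from the report. It assumes (an assumption, not something stated above) that a Signal device-link QR code decodes to a URI of the form `sgnl://linkdevice?uuid=<id>&pub_key=<key>` and that a genuine group invite decodes to an `https://signal.group/#...` link; the sample payloads are constructed and contain no real keys or device ids.

```python
"""Triage the decoded contents of a QR code before it is scanned into Signal.

Added example for this article; not code from Signal or from Google's report.
Assumption (not taken from the article): a Signal device-link QR code decodes
to  sgnl://linkdevice?uuid=<device id>&pub_key=<base64 key>  and a genuine
group invite decodes to an https://signal.group/#... link. The check flags any
payload that would enrol a new linked device, especially when the message
around the QR code claimed to be something else, such as a group invite.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse


@dataclass
class QrVerdict:
    kind: str      # "device_link", "group_invite" or "other"
    risky: bool    # True when the payload would link a new device to the account
    reason: str


def classify_qr_payload(payload: str, claimed: str = "group_invite") -> QrVerdict:
    """Return what the QR payload actually does and whether that is risky.

    `claimed` is what the surrounding message said the code was for; a
    mismatch between that claim and the real action is the phishing pattern
    described in the article.
    """
    parsed = urlparse(payload.strip())
    if parsed.scheme.lower() == "sgnl" and parsed.netloc.lower() == "linkdevice":
        params = parse_qs(parsed.query)
        complete = "uuid" in params and "pub_key" in params
        detail = "carries device id and key" if complete else "malformed link request"
        if claimed != "device_link":
            reason = f"presented as {claimed} but would link a new device ({detail})"
        else:
            reason = f"device-link request ({detail}); only scan if you started the linking"
        return QrVerdict("device_link", True, reason)
    if parsed.scheme.lower() == "https" and parsed.netloc.lower() == "signal.group":
        return QrVerdict("group_invite", False, "ordinary group invite link")
    return QrVerdict("other", False, f"not a Signal link (scheme {parsed.scheme or 'none'!r})")


# Constructed sample payloads (hypothetical; not real keys or device ids).
SAMPLES = {
    "invite": "https://signal.group/#CjQKEXAMPLEINVITEFRAGMENT",
    "link_disguised_as_invite": (
        "sgnl://linkdevice?uuid=11111111-2222-3333-4444-555555555555"
        "&pub_key=BexampleKeyBytesNotReal"
    ),
    "unrelated": "https://example.com/welcome",
}


def triage_samples() -> dict:
    """Classify every constructed sample as if each arrived labelled 'group invite'."""
    return {name: classify_qr_payload(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in triage_samples().items():
        flag = "WARN" if verdict.risky else "ok  "
        print(f"{flag} {name:<26} {verdict.kind:<13} {verdict.reason}")
```

The classifier treats every device-link payload as risky regardless of the claim, because linking is only legitimate when the account owner initiated it from their own Signal settings; the `claimed` argument just sharpens the explanation shown to the user.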
Broad Threat Actor Interest
Google’s analysis highlights that UNC4221 and UNC5792 are among several Russian and Belarusian groups targeting Signal Messenger to surveil individuals of interest. Notably, not all attacks from these groups have involved device linking. The notorious Sandworm cyber-sabotage group, tracked by Google as APT44, has been found stealing messages directly from a target’s Signal database or local storage using various malware tools. Similarly, Turla, a threat actor associated with Russia’s Federal Security Service (FSB), employs a lightweight PowerShell script to extract information after gaining access to a target’s environment. Another group, Belarus-linked UNC1151, utilizes the Robocopy Windows file-copying tool to duplicate and store Signal messages and attachments for future theft.
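The non-linking techniques above share a host-side signature: a process other than Signal itself reading or copying the Signal Desktop message store. A simple detection over process-creation telemetry captures all three patterns (malware reading the database, a PowerShell script, Robocopy duplicating the directory). The following is an added example written for this article, not a detection published by Google; it assumes, as a stated assumption, that Signal Desktop on Windows keeps its local store under `%APPDATA%\Signal`, and the events it runs over are constructed in the shape of Sysmon process-creation records rather than real telemetry.

```python
"""Flag processes that touch Signal Desktop's local message store.

Added example for this article, not a detection from Google's report. It
mirrors the post-compromise collection described in the text (malware
reading the Signal database, a PowerShell script, Robocopy copying the
directory). Assumption: Signal Desktop on Windows keeps its store under
%APPDATA%\\Signal. The events below are constructed in the shape of Sysmon
Event ID 1 (process creation) records; they are not real telemetry.
"""
import re
from dataclasses import dataclass

# Ways the store path typically appears on a command line: fully expanded,
# as the %APPDATA% variable, or as PowerShell's $env:APPDATA.
SIGNAL_STORE_RE = re.compile(
    r"(?:\\AppData\\Roaming|%APPDATA%|\$env:APPDATA)\\Signal\b", re.IGNORECASE
)

# Tools with no reason to read the store that are convenient for bulk copying.
COPY_TOOLS = {"robocopy.exe", "xcopy.exe", "powershell.exe", "pwsh.exe",
              "cmd.exe", "7z.exe", "rar.exe"}


@dataclass
class ProcEvent:
    """Subset of Sysmon Event ID 1 fields used by the check."""
    image: str
    command_line: str
    parent_image: str
    user: str


def flag_signal_store_access(events):
    """Return (severity, event) pairs for non-Signal processes naming the store."""
    hits = []
    for ev in events:
        exe = ev.image.rsplit("\\", 1)[-1].lower()
        if exe == "signal.exe":
            continue  # the app itself is expected to open its own database
        if not SIGNAL_STORE_RE.search(ev.command_line):
            continue
        # A copying or scripting tool naming the store is the pattern from the
        # article; any other process touching it is still worth a look.
        severity = "high" if exe in COPY_TOOLS else "medium"
        hits.append((severity, ev))
    return hits


# Constructed sample events (hypothetical host, user and paths).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\alice\AppData\Local\Programs\signal-desktop\Signal.exe",
              r'"C:\Users\alice\AppData\Local\Programs\signal-desktop\Signal.exe"',
              r"C:\Windows\explorer.exe", r"CORP\alice"),
    ProcEvent(r"C:\Windows\System32\Robocopy.exe",
              r"robocopy.exe C:\Users\alice\AppData\Roaming\Signal C:\Users\Public\sig /E",
              r"C:\Windows\System32\cmd.exe", r"CORP\alice"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -nop -c "Copy-Item $env:APPDATA\Signal\sql\db.sqlite C:\Users\Public\db"',
              r"C:\Windows\System32\cmd.exe", r"CORP\alice"),
    ProcEvent(r"C:\Windows\System32\notepad.exe",
              r"notepad.exe C:\Users\alice\AppData\Roaming\Signal\config.json",
              r"C:\Windows\explorer.exe", r"CORP\alice"),
    ProcEvent(r"C:\Windows\System32\notepad.exe",
              r"notepad.exe C:\Users\alice\Documents\notes.txt",
              r"C:\Windows\explorer.exe", r"CORP\alice"),
]


def detect_samples():
    """Run the check over the constructed events."""
    return flag_signal_store_access(SAMPLE_EVENTS)


if __name__ == "__main__":
    for severity, ev in detect_samples():
        print(f"[{severity:<6}] {ev.user} {ev.image} <- {ev.parent_image}")
        print(f"         {ev.command_line}")
```

Command-line matching only catches tools that name the path explicitly; malware that opens the database through its own file handles would need a file-access rule (Sysmon Event ID 11 or a file-read audit on the same directory) keyed on the same path, with Signal.exe as the expected process.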
The surge in activity targeting Signal underscores a growing interest among attackers in secure messaging applications favored by those engaged in espionage and intelligence gathering, including politicians, military personnel, activists, privacy advocates, and journalists. The robust security features of these apps, such as end-to-end encryption and minimal data collection practices, have made them popular among at-risk individuals and communities, simultaneously rendering them high-value targets for adversaries seeking to intercept sensitive information.
Signal is not alone in this regard; Russian groups have also turned their sights on Telegram and WhatsApp users. Black pointed to a recent Microsoft report detailing attacks by the Russian group Star Blizzard, also known as Coldriver, Blue Charlie, Callisto, and UNC4057, which targeted WhatsApp accounts belonging to current and former government officials and diplomats. Notably, attacks on WhatsApp can also have implications for businesses, as the app, while primarily consumer-focused, is widely used by companies globally. WhatsApp even offers a business version designed to facilitate customer engagement, accelerate sales, and enhance customer support.