Recent revelations from the Google Threat Intelligence Group indicate that Russia-backed hacking groups have significantly advanced their techniques to infiltrate encrypted messaging platforms, including Signal, WhatsApp, and Telegram. This development poses a serious threat to journalists, politicians, and activists who may be targeted by Russian intelligence services.
Linked devices targeted
In a concerning trend, these hackers are focusing on Signal’s “linked devices” feature, which lets a user pair additional devices (for example, Signal Desktop) to an account by scanning a quick response (QR) code. Analysts have reported that attackers generate their own device-linking QR codes and trick targets into scanning them; once scanned, the attacker’s device is paired to the account as a linked device and receives a copy of every subsequent message in real time, with no need to breach the victim’s phone directly. In one alarming incident, access to a compromised Signal account reportedly led to a Russian artillery strike against a Ukrainian military unit, resulting in casualties.
Moreover, these groups have been observed disguising the malicious QR codes as legitimate invitations to Signal group discussions or as device-pairing instructions copied from the Signal website, further complicating detection efforts.
Compromised Signal accounts on captured battlefield phones
The Sandworm group, associated with the Russian military, has been implicated in compromising Signal accounts on devices captured during battlefield operations in Ukraine. Research from Google’s Mandiant team has uncovered a Russian-language website providing instructions for pairing Signal or Telegram accounts with infrastructure controlled by this group. The implication is clear: these capabilities are being used to mirror sensitive communications back to Russian military intelligence for exploitation.
Compromise likely to go undetected
The nature of these attacks, particularly those exploiting Signal’s device-linking feature, makes them difficult to detect: no malware is installed, the victim’s own device keeps working normally, and the only trace is an extra entry in the account’s linked-devices list. Successful breaches can therefore remain unnoticed for extended periods. Google has identified a cluster of attackers known as UNC5792, who have employed modified Signal group invite pages in which the invite QR code is replaced with a device-linking code, so that a victim who “joins the group” instead links their account to a device under attacker control, giving the attackers access to private messages. Other groups have developed phishing kits that mimic legitimate Signal pages and components, making the fake pairing pages hard to tell apart from Signal’s real ones.
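The two passages above (the disguised QR codes and the UNC5792 swapped-QR invite pages) come down to one check a practitioner can automate: does the text encoded in a QR code actually open a Signal group invite, or does it link a new device? The following Python is an added example, not code from Google’s report, from Signal, or from this article. It assumes that genuine group invites are `https://signal.group/#<blob>` links, that device-linking QR codes encode an `sgnl://linkdevice?uuid=...&pub_key=...` URI, that the allowlist of Signal-owned hosts is as written in the code, and that the sample payloads are constructed for illustration rather than captured from a real campaign.

```python
"""
Triage helper for QR payloads that claim to be Signal group invites.

Added example, not code from Google's report, Signal, or the article. Assumptions:
  * A Signal group invite is an https://signal.group/#<blob> link.
  * A Signal device-linking QR code encodes an sgnl://linkdevice?uuid=...&pub_key=...
    URI; this is the payload the phishing pages in the text swap in.
  * SIGNAL_HOSTS and the SAMPLES list are constructed for this example.
"""
from urllib.parse import urlsplit, parse_qs

# Hosts Signal itself uses for links (assumed allowlist for this example).
SIGNAL_HOSTS = {"signal.group", "signal.org", "signal.me"}


def classify_signal_qr(payload: str) -> dict:
    """Return what scanning this payload with the Signal app would do."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    host = parts.hostname or ""  # .hostname strips any port and lowercases

    if scheme == "sgnl" and host == "linkdevice":
        q = parse_qs(parts.query)
        # Scanning this from the app's linked-devices screen pairs the device
        # that generated it to the account; every later message is mirrored to it.
        return {
            "kind": "device_link",
            "risk": "high",
            "uuid": q.get("uuid", [""])[0],
            "has_pub_key": "pub_key" in q,
        }

    if scheme == "https" and host == "signal.group" and parts.fragment:
        # Genuine invite: the group key travels in the URL fragment, so it is
        # never sent to the web server.
        return {"kind": "group_invite", "risk": "low"}

    if scheme == "https" and "signal" in host and host not in SIGNAL_HOSTS:
        # Lookalike domain hosting an "invite" page; such pages typically show a
        # second QR code whose payload is an sgnl://linkdevice URI.
        return {"kind": "lookalike_host", "risk": "medium", "host": host}

    return {"kind": "other", "risk": "unknown", "scheme": scheme}


def flag_device_links(payloads):
    """Return (payload, uuid) for every payload that would link a device."""
    flagged = []
    for p in payloads:
        c = classify_signal_qr(p)
        if c["kind"] == "device_link":
            flagged.append((p, c["uuid"]))
    return flagged


# Constructed sample payloads (not real captured data).
SAMPLES = [
    "https://signal.group/#CjQKIFakeGroupKeyFakeGroupKeyFakeGroupKey",
    "sgnl://linkdevice?uuid=0f3a8c7e-1111-2222-3333-444455556666&pub_key=BQ%2BexampleKey",
    "https://signal-group.example/invite/1234",
    "https://example.org/not-signal",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(classify_signal_qr(p)["kind"], "<-", p)
```

The decoded text of a QR code is what matters, not the page it sits on: a page that looks exactly like Signal’s invite screen is harmless if its code resolves to `https://signal.group/#...`, and a plain-looking page is an account takeover if its code starts with `sgnl://linkdevice`. Decode the QR image with any offline reader first, then run the text through `classify_signal_qr` before scanning it with the app.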
Signal databases stolen from Android and Windows devices
In addition to these tactics, multiple threat actors have been observed stealing Signal database files from compromised Android and Windows devices. The UK’s National Cyber Security Centre and Ukraine’s Security Service have issued warnings about the Sandworm group’s deployment of Android malware, Infamous Chisel, which scans for messaging applications and extracts sensitive data. This malware can package Signal messages in an unencrypted format for exfiltration, posing a significant risk to user privacy.
Encrypted messaging services under threat
The growing frequency of attacks on Signal serves as a stark reminder of the vulnerabilities facing secure messaging services. Google has cautioned that the demand for offensive cyber capabilities aimed at monitoring sensitive communications is on the rise, suggesting that these attacks will only intensify in the near future.
Attacks exploit ‘legitimate function’
Users of encrypted messaging platforms are at risk not only from traditional phishing and malware attacks but also from threat actors gaining access to their accounts through legitimate functions such as device linking. Dan Black, a principal analyst at Google, emphasized the insidious nature of these attacks, which exploit Signal’s features rather than attempting to break encryption directly. He urged users to be cautious about linking their devices, especially when engaging in sensitive communications.
Telegram and WhatsApp targeted
Beyond Signal, Russia-aligned groups have also targeted other popular messaging platforms, including Telegram. A hacking group linked to Russia’s FSB has shifted its tactics to employ social engineering attacks against users of WhatsApp, particularly those involved in government, diplomacy, and defense policy. High-profile individuals, including politicians and journalists critical of the Russian government, have been victims of these attacks, highlighting the pervasive threat posed by these cyber operations.
Signal hardens security
In response to these threats, Signal has taken proactive measures to harden its device-pairing function. Following insights from Google, Signal has shipped updates to mitigate social engineering and phishing attacks against it. These improvements include an overhauled linked-devices interface that makes unexpected device links easier to spot, an additional authentication step on the primary device before a new device can be linked, and a notification whenever a new device is linked, allowing users to review their linked devices and unlink any they do not recognize.
As the landscape of cyber threats continues to evolve, it remains crucial for users of encrypted messaging services to remain vigilant and informed about the risks associated with their communications.