Russian state-sponsored hackers are ramping up efforts to compromise Signal messenger accounts, particularly those used by Ukrainian military personnel, government officials, and other key figures. Cybersecurity researchers have warned that these Signal attacks are part of Moscow’s broader espionage operations aimed at gaining access to sensitive communications that could support its war effort against Ukraine.
Signal as a Prime Espionage Target
A report from Google’s security team highlights that Signal’s widespread adoption among military personnel, politicians, journalists, and activists has made it an attractive target for Russian hackers. However, other messaging platforms, including WhatsApp and Telegram, have also been subject to similar targeting tactics.
Ukrainian cybersecurity officials have previously cautioned that Russian hacker groups actively exploit vulnerabilities in Signal to infiltrate the communications of government and defense officials. The primary method employed by these groups involves phishing attacks, which deliver malware designed to spy on victims.
Abuse of Signal’s “Linked Devices” Feature
One of the most innovative and frequently used techniques uncovered by Google involves the exploitation of Signal’s legitimate “linked devices” feature. This feature allows users to sync their Signal account across multiple devices, a capability that hackers have found ways to abuse.
Malicious QR Codes
Hackers craft malicious QR codes necessary to link a new device to an existing Signal account. When a target scans the code, their Signal account becomes accessible to an attacker-controlled device, allowing messages to be intercepted in real time. This technique provides cybercriminals with a persistent backdoor to monitor victims’ communications without needing full device compromise.
Methods of QR Code Distribution
- Phishing Campaigns – Hackers disguise malicious QR codes as legitimate Signal group invites, security alerts, or other trusted communications.
- Military-Themed Phishing Pages – Malicious QR codes are embedded into phishing pages that impersonate applications used by Ukrainian military personnel.
- Captured Battlefield Devices – Russian military forces, aided by the notorious Sandworm hacking group, have been linking Signal accounts from seized Ukrainian devices to attacker-controlled systems for intelligence gathering.
Russian Threat Actors Behind Signal Attacks
Several Russian state-affiliated hacking groups have been identified as key players in these cyber espionage campaigns.
Sandworm
Sandworm, also known as APT44, has been a driving force behind the compromise of Signal accounts. Google researchers found evidence that Sandworm has assisted Russian military units in hijacking Signal accounts from battlefield devices to further exploit the information contained within.
UNC4221 and UNC5792
UNC4221, another Russian threat actor, has developed a Signal phishing kit designed to mimic the Ukrainian military’s Kropyva artillery guidance application. This tactic deceives victims into linking their Signal accounts to attacker-controlled devices. Additionally, UNC4221 has deployed a JavaScript payload known as Pinpoint, which collects user data and geolocation information.
UNC5792 has been observed modifying legitimate Signal group invites, replacing them with phishing links that redirect users to malicious URLs, ultimately linking victim accounts to hacker-controlled devices.
Signal Database Exfiltration
Beyond linking hacker-controlled devices to victims’ accounts, Russian-aligned threat actors have also developed methods to steal Signal database files from Android and Windows devices.
- Sandworm’s Wavesign Malware – Deployed to extract messages from victims’ Signal databases.
- Turla’s PowerShell Script – Used to exfiltrate messages from Signal’s desktop version.
- Infamous Chisel Malware – Attributed to Sandworm and identified by Ukraine’s Security Service (SSU) and the UK’s National Cyber Security Centre (NCSC). This Android malware searches for Signal database files for extraction.
- UNC1151’s Use of Robocopy – Belarus-linked hacking group UNC1151 has leveraged the command-line tool Robocopy to stage Signal message files for later exfiltration.
Implications and Future Threats
Google’s research indicates that these attacks are primarily driven by wartime demands for access to sensitive Ukrainian government and military communications. However, the threat landscape is evolving, with researchers expecting these tactics to spread beyond the Ukrainian conflict.
“There appears to be a clear and growing demand for offensive cyber capabilities that can be used to monitor the sensitive communications of individuals who rely on secure messaging applications to safeguard their online activity,” Google’s security team noted.
The focus on Signal is a reminder that secure messaging applications, despite their strong encryption, remain attractive targets for state-sponsored espionage. Experts anticipate that similar tradecraft will be adopted by additional threat actors, posing a risk to at-risk communities worldwide.
Defensive Measures and Signal’s Response
In response to these emerging threats, Signal has been actively working to enhance its security features. The latest Signal releases for Android and iOS include updates designed to mitigate phishing attempts and unauthorized device linking.
Google researchers have urged users to take precautions, including:
- Verifying QR Codes – Never scan QR codes received from unknown sources.
- Updating Signal Regularly – Ensuring the latest security updates are installed.
- Monitoring Linked Devices – Regularly checking and removing any unknown devices from the linked devices list in Signal settings.
- Using Multi-Factor Authentication (MFA) – Enabling MFA where possible to add an additional layer of security.
The aggressive targeting of Signal by Russian state-backed hackers highlights the evolving nature of cyber threats in modern warfare. As Signal and other secure messaging platforms continue to play a crucial role in global communications, users—especially those in high-risk environments—must remain vigilant against phishing attacks and other espionage techniques.
