How Russian Cybercriminals Hacked into Ukrainian Signal Accounts

In a recent report, Google Threat Intelligence Group (GTIG) detailed how Russia-aligned threat actors are abusing the Signal messaging app to run phishing and malware operations against Ukrainian military personnel and other individuals of interest to Russian intelligence. The campaigns do not exploit a weakness in Signal’s encryption; they abuse Signal’s legitimate “linked devices” feature, which lets a user add a desktop or tablet to their account by scanning a QR code.

The linked devices feature exists for convenience, syncing a user’s conversations to a laptop or tablet, but threat actors such as Sandworm and Turla have turned it into an interception channel. If a victim scans a QR code that the attacker generated, the attacker’s own device is linked to the victim’s account; from that point on, every message the victim sends or receives is also delivered to the attacker’s device in real time, with no malware needed on the victim’s phone. This lets the operators eavesdrop on sensitive communications as they happen, a serious risk for both individuals and organizations.

GTIG attributes the phishing activity to Russia-aligned groups it tracks as UNC5792 and UNC4221, which hosted fake Signal group invites that mimic legitimate ones. Instead of joining the victim to a group, the invite page redirects them to a device-linking URI, so scanning or opening the “invite” links the victim’s Signal account to a device the attackers control. Beyond stealing sensitive information, the same technique may be turned against other encrypted messengers, including WhatsApp and Telegram.
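As an added illustration (this is not code from the article or from GTIG), the following Python script audits what an invite page or a decoded QR payload actually points at. It assumes Signal’s public URI forms: a group invite is https://signal.group/#... (or the sgnl://signal.group/#... deep link), and device linking uses sgnl://linkdevice?uuid=...&pub_key=.... Those URI shapes, the redirect-extraction rules and the two sample pages are assumptions constructed for this example, not material taken from the report.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample pages (not from any real phishing kit).
# A genuine invite just forwards the visitor to a signal.group link.
LEGIT_INVITE_HTML = """
<html><head>
<meta http-equiv="refresh" content="0; url=https://signal.group/#CjQKIExampleGroupInviteBlob">
</head></html>
"""

# A fake invite shows a plausible group link but script-redirects to a
# device-linking URI, so opening it links the attacker's device to the account.
MALICIOUS_INVITE_HTML = """
<html><head><title>Join group</title></head><body>
<a href="https://signal.group/#CjQKIExampleGroupInviteBlob">Join the group</a>
<script>
  window.location.href = "sgnl://linkdevice?uuid=EXAMPLE-attacker-device-id&pub_key=EXAMPLE-attacker-key";
</script>
</body></html>
"""

# Three common ways an invite page sends the browser onward: a meta refresh,
# a JavaScript location change, or a plain link to a Signal URI.
_META_REFRESH = re.compile(
    r'<meta[^>]*http-equiv=["\']?refresh["\']?[^>]*content=["\'][^"\']*?url=([^"\'\s>]+)',
    re.IGNORECASE,
)
_JS_REDIRECT = re.compile(
    r'(?:location(?:\.href)?\s*=|location\.(?:replace|assign)\()\s*["\']([^"\']+)["\']',
    re.IGNORECASE,
)
_SIGNAL_HREF = re.compile(r'href=["\']((?:sgnl:|https://signal\.)[^"\']+)["\']', re.IGNORECASE)


def extract_targets(html: str) -> list[str]:
    """Return every onward URI the page could send a visitor to, in order, deduplicated."""
    found: list[str] = []
    for pattern in (_META_REFRESH, _JS_REDIRECT, _SIGNAL_HREF):
        found.extend(pattern.findall(html))
    return list(dict.fromkeys(found))


def classify(uri: str) -> str:
    """Label a URI by what the Signal app will do with it when it is opened or scanned."""
    # Unquote once so a %-encoded scheme or host cannot slip past the checks below.
    parts = urlsplit(unquote(uri.strip()))
    scheme, host = parts.scheme.lower(), parts.netloc.lower()
    if scheme == "sgnl" and host == "linkdevice":
        params = parse_qs(parts.query)
        # A well-formed linking URI carries the new device's id and its public key (assumed format).
        return "device-link" if {"uuid", "pub_key"}.issubset(params) else "device-link-malformed"
    if scheme in ("https", "sgnl") and host == "signal.group" and parts.fragment:
        return "group-invite"
    if scheme in ("https", "sgnl") and host == "signal.me":
        return "contact-link"
    return "other"


def audit_page(html: str) -> list[tuple[str, str]]:
    """Pair each onward URI found in the page with its classification."""
    return [(uri, classify(uri)) for uri in extract_targets(html)]


def is_safe_invite(html: str) -> bool:
    """True only if the page carries a real Signal group/contact link and no device-linking URI."""
    verdicts = [verdict for _, verdict in audit_page(html)]
    has_signal_link = any(v in ("group-invite", "contact-link") for v in verdicts)
    links_a_device = any(v.startswith("device-link") for v in verdicts)
    return has_signal_link and not links_a_device


if __name__ == "__main__":
    for name, page in (("legit", LEGIT_INVITE_HTML), ("malicious", MALICIOUS_INVITE_HTML)):
        print(f"{name}: safe={is_safe_invite(page)}")
        for uri, verdict in audit_page(page):
            print(f"  {verdict:<22} {uri}")
```

The decisive check is the last one: a page that looks like an invite but contains any sgnl://linkdevice target is treated as hostile regardless of what the visible link says, because the linking URI is what the app acts on.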

According to GTIG, malicious QR codes are also used in close-access operations: in some cases Russian operators have taken devices captured on the battlefield and used them to link the owner’s Signal account to attacker-controlled infrastructure for ongoing exploitation. Researchers have also observed Sandworm using a lightweight script that periodically queries the local Signal database on an already-compromised machine and exfiltrates the most recent messages, extending the surveillance beyond what a linked device alone provides.

With threat actors refining their abuse of Signal’s linked devices feature, these attacks pose an evolving threat to users of encrypted messaging services worldwide. The practical defence is to treat any QR code or “group invite” that arrives unexpectedly with suspicion, and to periodically review Settings > Linked Devices in Signal and unlink anything unrecognized.