Signal is hugely popular in Ukraine, with the military a big user of the encrypted messaging app. (Photo Illustration by Pavlo Gonchar/SOPA Images/LightRocket via Getty Images)
Russian hackers have been trying to break into Ukrainian military staff Signal accounts by exploiting a key feature of the encrypted messaging app, according to Google researchers.
Google found multiple examples of Russian hackers targeting Signal with malicious QR codes. The encrypted messaging app uses those codes to link user accounts across multiple devices. This attack uses bogus codes that link accounts to devices operated by the hackers who send them.
“If successful, future messages will be delivered synchronously to both the victim and the threat actor in real-time, providing a persistent means to eavesdrop on the victim’s secure conversations without the need for full-device compromise,” Dan Black, principal analyst at Google’s Threat Intelligence Group, wrote in a report published on Wednesday.
Google found multiple instances of the attack being used in the wild. In one case, a bogus Armed Forces of Ukraine web page included a prompt directing soldiers to join a Signal group by scanning an embedded QR code that would link the user’s Signal to Russian operators.
Black believes the attacks are orchestrated by the Kremlin-backed cyber espionage group Sandworm, best known for taking down Ukrainian energy infrastructure in attacks in 2015 and 2016. Its operatives have been seen working with the Russian military on the ground in Ukraine to hack into the Signal accounts of phones seized on the battlefield.
Black told Forbes that while secure messaging apps can be a crucial means of communication for military personnel, their utility cuts both ways. “Because they provide such critical capabilities, penetrating these devices can provide a surreptitious lens into various types of sensitive information that can have grave consequences if they are compromised,” he said.
Google also found examples of multiple Russian groups creating malware for Windows and Android to harvest Signal data from devices running those Microsoft and Google operating systems.
Victor Zhora, former deputy head of the State Service for Special Communications and Information Protection (SSSCIP), told Forbes that attacks on Signal had become commonplace in Ukraine since the start of the war, especially via the “Qishing” (phishing via QR code) method. That’s largely because of the app’s wide popularity in the country and its use by the military, he added.
Black said Moscow had upped its targeting of encrypted messaging apps around the invasion’s first anniversary in the spring of 2023, with Ukraine’s counteroffensive on the horizon and Russia on the defensive.
Signal has been working with Google on the research, according to Black’s report, and has added some “hardening” in the latest versions of the app. “Although the attacks were not exploiting any vulnerabilities in Signal, we made several changes to help raise awareness and protect users from the types of social engineering attacks that the report describes,” said Signal senior technologist Josh Lund. He told Forbes the updated app includes a new user interface that makes it clearer when someone is linking a new device. A notification will allow the user to review and remove any unknown or unwanted linked devices with one touch, Lund said.
Other than updating to the latest version of Signal, Ukraine’s security services have previously recommended that troops “be extra careful when getting messages with such words as ‘urgent,’ ‘emergency,’ and ‘important’ from an unverified sender… Urgency is often exploited by criminals for hacking through trust and haste.”