
Russian Espionage Attacks Target Signal Messenger Feature

Researchers with Mandiant are warning of an increasing wave of attacks by Russian threat actors that target victims' Signal Messenger accounts.

Researchers with Mandiant are warning of an increasing wave of attacks by Russian threat actors that aims to target victims’ Signal Messenger accounts in order to spy on their conversations. 

In the most widespread and novel technique observed by researchers, threat actors are abusing a legitimate QR device-linking feature in Signal to link victims’ accounts to actor-controlled Signal instances, “providing a persistent means to eavesdrop on the victim's secure conversations without the need for full-device compromise,” said Dan Black with Mandiant on Wednesday.

Key Details:

  • Threat actors in particular are abusing the Signal app’s legitimate “linked devices” feature, which allows users to link multiple devices - including Signal Desktop or iPad - to their phones. To enable this feature, users typically scan a quick-response (QR) code.

  • Threat actors are crafting malicious QR codes that, when scanned, link victims’ accounts to actor-controlled Signal instances. That means future messages are delivered both to victims and to threat actors in real time, said researchers.

  • These malicious QR codes have been sent in phishing operations disguised as legitimate Signal resources (including group invites or security alerts), but researchers have also found them embedded in phishing landing pages that purport to be specialized applications used by the Ukrainian military.

The Background: Researchers said the device linking feature abuse in particular is a “low-signature form of initial access due to the lack of centralized, technology-driven detections and defenses that can be used to monitor for account compromise via newly linked devices; when successful, there is a high risk that a compromise can go unnoticed for extended periods of time.”

For attackers, this has paved the way for malware delivery and phishing capabilities. In one instance, the threat group known as APT44 (also known as Sandworm) also leveraged this capability in close-access operations, where Russian military forces linked Signal accounts on devices captured on the battlefield back to attacker-controlled infrastructure. 

Why It Matters: Researchers said that beyond these more targeted techniques that involve the linked devices feature, they are seeing multiple known threat actors incorporating capabilities into their toolsets that aim to steal Signal database files from Windows and Android devices.

Overall, these recent efforts reflect a heightened focus on Signal - as well as other widely used messaging apps like WhatsApp and Telegram - by Russian threat actors, particularly against individuals who may be of interest to Russia’s intelligence services, said Mandiant researchers. The targeting of Signal is concerning because the app is used by military personnel, politicians, journalists, activists and others. 

“While this emerging operational interest has likely been sparked by wartime demands to gain access to sensitive government and military communications in the context of Russia's re-invasion of Ukraine, we anticipate the tactics and methods used to target Signal will grow in prevalence in the near-term and proliferate to additional threat actors and regions outside the Ukrainian theater of war,” said Black.

What to Do: According to researchers, the latest iOS and Android Signal releases included hardened features that help protect against these types of phishing campaigns, so Signal users should update to the latest version.

Mandiant researchers also said that potential targets of government-backed intrusions should take on extra security measures to protect their personal devices, including enabling screen lock on their mobile devices with long, complex passwords, installing operating system updates as soon as possible, and using the latest version of Signal and other messaging apps.