Full Report
Multiple Russia-aligned threat actors have been observed targeting individuals of interest via the privacy-focused messaging app Signal to gain unauthorized access to their accounts. "The most novel and widely used technique underpinning Russian-aligned attempts to compromise Signal accounts is the abuse of the app's legitimate 'linked devices' feature that enables Signal to be used on multiple
Analysis Summary
# Incident Report: Signal Account Takeover via Malicious QR Codes
## Executive Summary
Multiple Russia-aligned threat actors (including UNC5792 and UNC4221) have been observed exploiting the legitimate "linked devices" feature within the Signal messaging application to compromise user accounts. The primary vector involves tricking victims, particularly those associated with the Ukrainian military, into scanning malicious QR codes, granting persistent, real-time access to their message history and ongoing communications. Response actions involve publicizing the threat intelligence to alert potential victims.
## Incident Details
- **Discovery Date:** On or around February 19, 2025 (the date the Google report was published).
- **Incident Date:** Ongoing, with past instances identified by threat intelligence groups.
- **Affected Organization:** Individuals using Signal, with a specific focus on personnel associated with the Ukrainian military.
- **Sector:** Telecommunications/Messaging, Defense/Military.
- **Geography:** Global reach of Signal users, with observed targeting focused on Ukraine.
## Timeline of Events
### Initial Access
- **Date/Time:** Not specified, ongoing campaign.
- **Vector:** Social engineering combined with malicious QR code presentation.
- **Details:** Attackers distribute malicious QR codes disguised as legitimate Signal group invites, security alerts, or device pairing instructions. Other variants appear on phishing pages mimicking specialized applications used by the Ukrainian military.
### Lateral Movement
- Not applicable in the traditional sense, as the attack focuses on **account hijacking/session linking** rather than internal network traversal.
### Data Exfiltration/Impact
- **What was stolen or damaged:** Persistent eavesdropping capability, giving threat actors real-time access to all messages delivered to the victim's legitimate device. Another threat actor (UNC1151) was noted using utilities such as Robocopy to exfiltrate messages from an already infected desktop.
### Detection & Response
- **How it was discovered:** Google Threat Intelligence Group (GTIG) identified the novel attack technique used, primarily by tracking threat actor UNC5792.
- **Response actions taken:** The finding was documented and reported via public threat intelligence briefing, alerting users and security professionals to the specific TTPs.
## Attack Methodology
- **Initial Access:** Social engineering leading to the scanning of a malicious QR code specifically designed to utilize the Signal "Linked Devices" feature.
- **Persistence:** Once linked, the actor-controlled device gains persistent, real-time access to the victim's messages.
- **Privilege Escalation:** Not directly applicable; the attack abuses a built-in application feature rather than escalating OS privileges.
- **Defense Evasion:** Use of seemingly legitimate branding (Signal group invites, fake app interfaces) to bypass user skepticism. UNC5792 used infrastructure designed to appear identical to legitimate Signal invites.
- **Credential Access:** No brute-forcing or phishing of login credentials is described; the actors instead abuse the device-linking mechanism to obtain access without the victim's credentials.
- **Discovery:** UNC4221 used a custom phishing kit mimicking the Kropyva application to target Ukrainian military personnel.
- **Lateral Movement:** N/A.
- **Collection:** Real-time message interception via linked session. UNC4221 used PINPOINT (a JavaScript payload) to collect basic user information and geolocation via phishing pages. Sandworm/APT44 used a Windows Batch script (WAVESIGN).
- **Exfiltration:** UNC1151 used the Robocopy utility to actively exfiltrate collected messages from infected desktops.
- **Impact:** Unauthorized mass surveillance of encrypted communications by state-aligned threat actors.
## Impact Assessment
- **Financial:** Not specified.
- **Data Breach:** Sensitive communications, potentially military operational details (given the focus on Ukrainian military personnel). Volume/scope unknown.
- **Operational:** Disruption/compromise of secure communications for targeted individuals.
- **Reputational:** Potential damage to the perceived security and privacy of the Signal platform.
## Indicators of Compromise
*(Note: Indicators are highly specific to the secondary malware/scripts used by associated groups, as the primary vector is behavioral QR scanning.)*
- **Network indicators:** Actor-controlled synchronization infrastructure (no details are provided in the summary; message sync traffic to the linked device would be the observable).
- **File indicators:** WAVESIGN (Windows Batch script used by Sandworm).
- **Behavioral indicators:** Unusual or unexpected devices being linked to the Signal account; PINPOINT JavaScript execution on phishing sites.
## Response Actions
- **Containment measures:** Limited immediate containment unless the victim proactively unlinks the malicious device from their Signal settings.
- **Eradication steps:** Users must manually review and remove all linked devices in their settings.
- **Recovery actions:** Re-securing accounts and potentially changing phone numbers if the actor gained deeper access beyond just message relay.
## Lessons Learned
- **Key takeaways:** Multi-device/session linking features, while convenient, represent a significant, high-impact exploit path when paired with strong social engineering. Nation-state actors are actively targeting secure communications platforms.
- **What could have been done better:** For Signal, stronger multi-factor authentication or explicit out-of-band verification when linking a new device could reduce how easily the feature is abused.
## Recommendations
- Users must be critically suspicious of unsolicited QR codes, even those appearing related to security alerts or group administration.
- Users who are high-value targets (such as military personnel) should frequently audit the "Linked Devices" section in their Signal settings.
- Organizations should educate personnel on advanced phishing techniques that mimic system features (like device pairing) rather than just credential theft.
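The Initial Access and Attack Methodology sections above describe QR codes that are presented as group invites or security alerts but actually encode a device-pairing request, and the recommendations ask users to treat unsolicited QR codes with suspicion. The following is an added example, not code from the Google/GTIG report or from Signal: a small help-desk or awareness-training triage script that takes the decoded text of a QR code and reports what scanning it would actually do, flagging any gap between the advertised purpose and the encoded payload. It assumes the publicly known URI formats (a pairing request of the form `sgnl://linkdevice?uuid=...&pub_key=...` and a group invite of the form `https://signal.group/#...`); those formats, the function names and all sample payloads are assumptions or constructed placeholders, not indicators from the report.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Formats assumed here (public formats, not taken from the report):
#   device pairing : sgnl://linkdevice?uuid=<device-uuid>&pub_key=<base64 key>
#   group invite   : https://signal.group/#<invite-blob>
LINK_SCHEME = "sgnl"
LINK_HOST = "linkdevice"
GROUP_INVITE_HOST = "signal.group"


@dataclass(frozen=True)
class Verdict:
    kind: str    # "device-link" | "group-invite" | "url" | "other"
    risk: str    # "high" | "medium" | "low"
    reason: str


def classify_qr_payload(payload: str) -> Verdict:
    """Classify the decoded text of a QR code by what scanning it would actually do."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    host = parts.netloc.lower()

    if scheme == LINK_SCHEME and host == LINK_HOST:
        # A pairing request: the device identified by uuid/pub_key becomes a
        # linked device with ongoing access to messages delivered to this account.
        params = parse_qs(parts.query)
        missing = [k for k in ("uuid", "pub_key") if k not in params]
        detail = ("malformed, missing " + ", ".join(missing)) if missing else "uuid and pub_key present"
        return Verdict("device-link", "high",
                       f"Signal device-pairing request ({detail}); scanning it links a new device to this account")

    if scheme == "https" and host == GROUP_INVITE_HOST and parts.fragment:
        return Verdict("group-invite", "low", "Signal group invite link")

    if scheme in ("http", "https") and host:
        return Verdict("url", "medium", f"web link to {host}; verify the domain before opening")

    return Verdict("other", "medium", "payload is not a recognised Signal link")


def matches_claim(claimed: str, payload: str) -> bool:
    """True when the QR does what it was advertised as (e.g. 'group-invite').

    The campaign relies on the gap between the label printed next to the code
    and what the code encodes; this is the check that closes that gap.
    """
    return classify_qr_payload(payload).kind == claimed


def triage(samples):
    """Run a batch of (claimed kind, payload) pairs; return rows for a help-desk report."""
    rows = []
    for claimed, payload in samples:
        v = classify_qr_payload(payload)
        rows.append({"claimed": claimed, "actual": v.kind, "risk": v.risk,
                     "mismatch": v.kind != claimed, "reason": v.reason})
    return rows


# Constructed sample payloads (placeholder identifiers, not real indicators).
SAMPLES = [
    ("group-invite", "https://signal.group/#CjQKIEXAMPLE_INVITE_BLOB"),
    ("group-invite", "sgnl://linkdevice?uuid=EXAMPLE-DEVICE-UUID&pub_key=EXAMPLE_PUB_KEY"),
    ("url", "https://example.invalid/signal-security-notice"),
    ("device-link", "sgnl://linkdevice?uuid=EXAMPLE-DEVICE-UUID"),
]

if __name__ == "__main__":
    for row in triage(SAMPLES):
        flag = "MISMATCH" if row["mismatch"] else "ok"
        print(f"{flag:8} claimed={row['claimed']:13} actual={row['actual']:13} "
              f"risk={row['risk']:6} {row['reason']}")
```

Running the script prints one row per sample; the second sample, a pairing request presented as a group invite, is the pattern this report describes and is the only row flagged as a mismatch. The classifier keys on what the payload would do rather than on how it is branded, which is the distinction the social engineering in this campaign is designed to blur.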