Full Report
Google researchers say multiple Russian state threat groups have conducted remote phishing operations to target and compromise Signal accounts. The post Russia-aligned threat groups dupe Ukrainian targets via Signal appeared first on CyberScoop.
Analysis Summary
# Threat Actor: Russia-aligned Threat Groups (Multiple Actors)
## Attribution & Identity
The threat actors are identified as multiple **Russia-aligned state threat groups**. One group named specifically is **Sandworm**, which Google tracks as **APT44** and which operates on behalf of Unit 74455 of Russia's military intelligence service (**GRU**).
## Activity Summary
These groups are engaged in a persistent, ongoing campaign against Ukrainian military and government personnel who use the Signal encrypted messaging application. The primary goal is to eavesdrop on real-time communications and obtain sensitive information related to Russia's invasion of Ukraine. Activity observed by Google Threat Intelligence Group dates back to 2023. The operations combine remote phishing to compromise Signal accounts with post-compromise actions, the latter accounting for approximately half of the observed activity.
## Tactics, Techniques & Procedures
- Remote phishing operations targeting Signal accounts.
- Use of malicious **QR codes** to trick victims into linking their Signal accounts to attacker-controlled devices via the Signal "linked devices" feature.
- Use of altered legitimate group invites.
- Deployment of fake security alerts.
- Providing device-pairing instructions.
- Post-compromise actions, including linking captured devices (from the battlefield) to attacker-controlled infrastructure for follow-on exploitation.
## Targeting
- Sectors: Military/Defense and Government personnel.
- Geography: Ukraine (targets).
- Victims: Ukrainian military and government personnel; political figures.
## Tools & Infrastructure
- Malware families used: Not explicitly named; the focus is on gaining persistent access through Signal's own linked-devices mechanism rather than through malware.
- Infrastructure (C2, domains, IPs): No specific C2 domains or IPs are listed in the source text.
## Implications
The increased targeting of secure messaging applications like Signal by state-sponsored actors raises the risk for any organization that has adopted such platforms for sensitive communication. This activity demonstrates Russia's persistent intelligence focus on real-time information from Ukrainian defense and government communications during the invasion. The source notes that the volume of tactics aimed at end-to-end encrypted apps is steadily increasing.
## Mitigations
- Increased vigilance regarding **Signal QR code scanning** requests, malicious links, and unexpected security alerts, especially those designed to abuse the Signal linked-devices feature.
- Training users to recognize remote phishing lures and unsolicited device-pairing instructions, which are the entry point for this campaign.
- Periodically reviewing the linked-devices list in Signal's settings and removing any device that is not recognized, since a device linked by an attacker receives messages for as long as it remains linked.
- For organizations using Signal, awareness that attackers are actively leveraging legitimate features, rather than malware, to establish persistent surveillance.