Full Report
Russian threat actors have been launching phishing campaigns that exploit the legitimate "Linked Devices" feature in the Signal messaging app to gain unauthorized access to accounts of interest. [...]
Analysis Summary
# Threat Actor: Unnamed Russian Phishing Actor Group (Associated with UNC4221/UAC-0185)
## Attribution & Identity
The activity is attributed to actors linked to **Russia**. A specific related threat actor tracked by GTIG as **UNC4221** and by CERT-UA as **UAC-0185** is mentioned in connection with specialized targeting of Ukrainian military personnel.
## Activity Summary
The actors are executing **phishing campaigns** aimed at compromising Signal accounts, primarily targeting Ukrainian military personnel. They exploit Signal's legitimate device-linking feature to illicitly link user accounts to attacker-controlled devices. Recent campaigns observed involved:
1. Modifying the legitimate redirect JavaScript in the group invitation flow so that it points to a malicious device-linking URI of the form `sgnl://linkdevice?uuid=…` instead of the group-joining URI.
2. Using a specialized phishing kit imitating the **Kropyva** software (used by the Armed Forces of Ukraine) to distribute malicious device-linking QR codes.
3. Hosting fake Signal security alerts on domains impersonating the messaging service.
4. Older operations also focused on collecting Signal database files from Android and Windows using specific scripts and tools.
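Added example, not code from the report: a small Python checker that tells a group-join redirect apart from a device-linking URI in fetched page content, so a defender triaging a suspected invite page (item 1 above) can flag the swapped redirect. The `sgnl://signal.group` form for group links and the `pub_key` parameter name are assumptions; the two sample pages are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed samples: a genuine-looking group invite redirect and a tampered
# copy in which the redirect target was swapped for a device-linking URI.
BENIGN_INVITE = """
<script>
  window.location = "sgnl://signal.group/#CjQKIEXAMPLEGROUPINVITEBYTES";
</script>
"""
TAMPERED_INVITE = """
<script>
  // looks like a group join, but links the visitor's account to another device
  window.location = "sgnl://linkdevice?uuid=0f1b2c3d-placeholder-uuid&pub_key=PLACEHOLDERKEY";
</script>
"""

# Any sgnl:// URI up to whitespace or a quote/tag character.
SGNL_URI = re.compile(r"""sgnl://[^\s"'<>]+""")


def classify_uri(uri: str) -> dict:
    """Classify one sgnl:// URI. 'group-join' is what an invite page should
    carry; 'device-link' is a linking attempt and should be treated as hostile
    when it appears where a group join was expected."""
    parts = urlsplit(uri)
    if parts.netloc == "linkdevice":
        params = parse_qs(parts.query)
        return {
            "uri": uri,
            "kind": "device-link",
            "uuid": params.get("uuid", [None])[0],
            "has_pub_key": "pub_key" in params,  # assumed parameter name
        }
    if parts.netloc == "signal.group":  # assumed group-link form
        return {"uri": uri, "kind": "group-join"}
    return {"uri": uri, "kind": "other"}


def scan_invite_page(content: str) -> list:
    """Return a classification for every sgnl:// URI found in the page."""
    return [classify_uri(m) for m in SGNL_URI.findall(content)]


def device_link_findings(content: str) -> list:
    """Only the device-linking URIs, i.e. the findings worth alerting on."""
    return [f for f in scan_invite_page(content) if f["kind"] == "device-link"]
```

Run over a saved copy of a suspicious invite page; a non-empty result from `device_link_findings` means the redirect would link the account rather than join a group.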
## Tactics, Techniques & Procedures
- **Phishing for Device Linking:** Exploiting Signal's device-linking mechanism via manipulated scripts during group invitations.
- **Impersonation:** Creating landing pages/kits impersonating Kropyva software instructions.
- **QR Code Abuse:** Distributing malicious device-linking QR codes.
- **Data Exfiltration/Collection (Observed in related activity):** Searching for and collecting messages from Signal database files on Android and Windows.
- **MITRE ATT&CK IDs:** Not explicitly provided in the text, but techniques involve Initial Access (Phishing) and Collection.
## Targeting
- **Sectors:** Military/Defense (specifically targeted Ukrainian military personnel).
- **Geography:** Implied focus on **Ukraine**.
- **Victims:** Ukrainian military personnel using Signal and the Kropyva application.
## Tools & Infrastructure
- **Malware Families Used:**
  - **Infamous Chisel:** Android malware observed in the Signal database collection efforts.
- **Infrastructure:**
  - Secondary infrastructure used to mask the device-linking trick: `signal-confirm[.]site` (defanged).
- **Other Tools:**
  - **WAVESIGN** batch script (for database collection).
  - **PowerShell** scripts.
  - **Robocopy** command-line utility (for database collection).
## Implications
This threat demonstrates a sophisticated, state-sponsored effort to compromise secure communication platforms used by military targets. The device-linking compromise technique is particularly concerning as it is **difficult to detect and monitor** technically, allowing attackers potential long-term, unnoticed access to communications.
## Mitigations
- Update the Signal application to the latest version, which includes improved protections.
- Activate the screen lock on mobile devices using a long and complex password.
- Regularly check the list of linked devices within Signal settings.
- Exercise extreme caution when interacting with QR codes, especially those received unexpectedly.
- Enable Two-Factor Authentication (2FA) on Signal accounts.