Russian State Hackers Launch Coordinated Campaign Against Signal Messenger

Russian state-backed cyber groups are conducting an aggressive campaign targeting Signal Messenger users, particularly focusing on Ukrainian military personnel, politicians, and journalists, according to a new report from Google's Threat Intelligence Group.

The attackers primarily abuse Signal's "linked devices" feature, which lets a user pair a desktop or second device to an existing account by scanning a QR code. By creating deceptive QR codes and phishing pages that mirror legitimate Signal pages, threat actors trick victims into linking a device under attacker control; from then on the attacker's device receives the victim's conversations in near real time, with no malware on the victim's phone and no break in Signal's encryption.

One Russian-aligned group, UNC5792, has been altering authentic Signal group invite pages so that the "join" action carries a device-linking request instead of a group-join request, silently linking the victim's account to an attacker-controlled device. Another group, UNC4221, specifically targets Ukrainian military members by embedding malicious QR codes within fake versions of an artillery guidance application's interface.
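The difference between a real group invite and the device-linking swap described above is visible in the URI the page or QR code carries. The following scanner is an added example, not code from Google's report or from the Signal project; it assumes a genuine invite is an https link on signal.group with the invite data in the URL fragment, and that the device-linking QR code encodes a URI of the form sgnl://linkdevice?uuid=<id>&pub_key=<key> (Signal could change either format). The phishing page and all payloads below are constructed.

```python
"""
Classify the URIs a decoded QR code or an href resolves to, so that a
Signal device-linking request is never mistaken for a group invite.
Added example; not code from Google's report or the Signal project.
Assumptions: group invites live on https://signal.group/#...; the
device-linking QR code encodes sgnl://linkdevice?uuid=...&pub_key=...
All sample data is constructed.
"""
import re
from html import unescape
from urllib.parse import urlparse, parse_qs

# Assumption: the only host Signal uses for group invite links.
LEGIT_INVITE_HOSTS = {"signal.group"}
URI_RE = re.compile(r"(?:sgnl|https?)://[^\s\"'<>]+", re.I)


def classify_signal_uri(uri):
    """Return what action the URI triggers in a Signal client and how risky it is."""
    p = urlparse(uri.strip())
    scheme, host = p.scheme.lower(), (p.hostname or "").lower()
    if scheme == "https" and host in LEGIT_INVITE_HOSTS and p.fragment:
        return {"kind": "group_invite", "risk": "low"}
    if scheme == "sgnl" and host == "linkdevice":
        q = parse_qs(p.query)
        complete = bool(q.get("uuid")) and bool(q.get("pub_key"))
        # A complete linkdevice URI is everything the client needs to add
        # the attacker's device; a truncated one still deserves a look.
        return {"kind": "device_link", "risk": "high" if complete else "medium"}
    if "signal" in host and host not in LEGIT_INVITE_HOSTS:
        return {"kind": "lookalike_host", "risk": "medium"}
    return {"kind": "other", "risk": "info"}


def scan_page(html):
    """Pull every URI out of a page and return findings, riskiest first."""
    order = {"high": 0, "medium": 1, "low": 2, "info": 3}
    findings = []
    # unescape() turns &amp; back into & so the query string parses correctly.
    for uri in dict.fromkeys(URI_RE.findall(unescape(html))):  # de-dup, keep order
        findings.append({"uri": uri, **classify_signal_uri(uri)})
    return sorted(findings, key=lambda f: order[f["risk"]])


# Constructed phishing page: looks like a group invite, but the "join"
# link is a device-linking request and the QR image comes from a lookalike host.
PHISHING_PAGE = """<html><body>
<h1>Join the group "Coordination"</h1>
<a href="sgnl://linkdevice?uuid=2f1c9e3a6f5b4d8e9a1c0d3b5e7f9a1b&amp;pub_key=BcDeFgHiJkLmNoPqRsTuVwXyZ0123456789abcdef">Join group</a>
<a href="https://signal.group/#CjQKIHfakeInviteDataForIllustrationOnly">Original invite</a>
<img alt="qr" src="https://signal-invite.example/qr.png">
</body></html>"""

if __name__ == "__main__":
    for f in scan_page(PHISHING_PAGE):
        print(f"{f['risk']:6} {f['kind']:14} {f['uri']}")
```

A real invite never uses the sgnl://linkdevice scheme, so any page or QR code that offers "join" but resolves to that URI is the swap this campaign relies on; the scanner also flags hosts that merely contain "signal", which is the usual lookalike trick for the mirrored pages.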

The Russian military intelligence unit Sandworm (APT44) takes a different route that requires a foothold on the device first: rather than linking a new device, it uses malware on already-compromised Windows and Android systems to read the messages Signal stores locally. Its WAVESIGN script periodically harvests the most recent messages from the Signal database, while its Android malware "Infamous Chisel" searches compromised phones for Signal database files.

Other actors, including the Turla group and Belarusian-linked UNC1151, focus on Signal's desktop application, which keeps message history on disk, using PowerShell scripts and built-in system utilities to copy the stored messages and exfiltrate them.
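For defenders, the desktop-client theft described in the two paragraphs above is observable on the endpoint: a copy utility or script that reaches into Signal Desktop's storage directory is unusual. The detector below is an added example, not Google's detection logic and not Signal project code; it assumes a default Windows install, where Signal Desktop keeps its messages in %APPDATA%\Signal\sql\db.sqlite and the key material protecting that database in %APPDATA%\Signal\config.json, and it runs over constructed process-creation events in a Sysmon-like shape.

```python
"""
Flag processes that touch Signal Desktop's local storage on Windows.
Added example; not Google's or Signal's code. Assumptions: default
install paths %APPDATA%\\Signal\\sql\\db.sqlite (messages) and
%APPDATA%\\Signal\\config.json (database key material). Events are
constructed, Sysmon-style process-creation records.
"""
import re

# Storage paths the desktop client writes (assumption: default install).
SIGNAL_PATH_RE = re.compile(
    r"[\\/]Signal[\\/](?:sql[\\/]db\.sqlite|config\.json|sql)(?![\w.])", re.I
)
# Tooling the article associates with copy-and-exfiltrate activity.
COPY_TOOLS = {"powershell.exe", "pwsh.exe", "robocopy.exe", "xcopy.exe", "cmd.exe"}
# The client itself legitimately references its own storage.
ALLOWLISTED_IMAGES = {"signal.exe"}


def detect(event):
    """Return a finding for one process-creation event, or None if benign."""
    image = event.get("Image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    cmd = event.get("CommandLine", "")
    hits = [m.group(0) for m in SIGNAL_PATH_RE.finditer(cmd)]
    if not hits or image in ALLOWLISTED_IMAGES:
        return None
    return {
        "user": event.get("User", ""),
        "image": image,
        # A known copy tool or shell reading the store is the campaign's pattern.
        "severity": "high" if image in COPY_TOOLS else "medium",
        "paths": hits,
        # config.json carries the key material; its theft is needed to open db.sqlite.
        "touches_key_material": any("config.json" in h.lower() for h in hits),
    }


def scan_events(events):
    """Run detect() over a batch and keep only the findings."""
    return [f for f in (detect(e) for e in events) if f]


# Constructed sample events: two copy-and-stage operations, one editor
# opening the config file, the client itself, and unrelated PowerShell.
SAMPLE_EVENTS = [
    {"User": "CORP\\alice", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -nop -w hidden -c "Copy-Item $env:APPDATA\Signal\sql\db.sqlite C:\Users\Public\s.db; '
                    r'Copy-Item $env:APPDATA\Signal\config.json C:\Users\Public\c.json"'},
    {"User": "CORP\\alice", "Image": r"C:\Windows\System32\robocopy.exe",
     "CommandLine": r"robocopy.exe C:\Users\alice\AppData\Roaming\Signal\sql C:\Users\Public\staging db.sqlite /R:1"},
    {"User": "CORP\\alice", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\AppData\Roaming\Signal\config.json"},
    {"User": "CORP\\alice", "Image": r"C:\Users\alice\AppData\Local\Programs\signal-desktop\Signal.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Programs\signal-desktop\Signal.exe"'},
    {"User": "CORP\\alice", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c Get-Date"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["image"], f["paths"], "key:", f["touches_key_material"])
```

Command-line matching is the cheap first pass; a script that reads the files through a library call rather than naming them on the command line will not show up here, so pair this with file-access telemetry on the same paths where the EDR provides it.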

Google researchers warn that these tactics are likely to expand beyond the Ukrainian conflict zone, potentially affecting Signal users worldwide. Similar techniques are already being used to target other popular messaging platforms like WhatsApp and Telegram.

To protect against these threats, users are advised to:

  • Enable strong screen locks with complex passwords
  • Keep devices and apps updated
  • Regularly review Linked Devices in Signal settings and remove any device you do not recognize
  • Exercise caution with QR codes and suspicious links
  • Enable two-factor authentication where available (in Signal, this is Registration Lock, which ties re-registration of the number to your PIN)

High-risk iPhone users should consider activating Lockdown Mode for additional protection against surveillance attempts.