Google Expects Tactics to Spread; Global Targets and Other Services at Risk

Russian nation-state hackers are targeting Ukrainian users of the end-to-end encrypted chat app Signal via phishing attacks, say security researchers.
Analysis by the Google Threat Intelligence Group found that multiple Russian threat actors have sought ways to compromise Signal accounts, mainly through social engineering rather than attacks on the app's cryptography. The app's popularity among politicians, journalists and activists makes it a high-value target for threat actors seeking sensitive information.
Russian tactics against Ukrainian Signal users are likely a preview of what users spread across the globe will face, Google warned. “We anticipate the tactics and methods used to target Signal will grow in prevalence in the near term and proliferate to additional threat actors and regions outside the Ukrainian theater of war.”
Russian hackers' key insight has been that circumventing end-to-end encryption does not require a cryptographic attack when social engineering can prod victims into exposing their own messages. The most novel and widely used technique observed by Google researchers is sending victims malicious QR codes that abuse Signal's linked-devices feature, which lets a user pair additional devices with a single account.
The linked-devices feature lets a user access the same account from a phone and from a desktop client, with new messages delivered to every linked device. Linking an additional device normally means scanning, with the phone, a QR code that the new device displays. By substituting a QR code generated on a device they control, threat actors pair that device with the victim's account, giving them ongoing access to the plaintext of the victim's messages until the rogue device is noticed and unlinked.
“When successful, there is a high risk that a compromise can go unnoticed for extended periods of time,” Google warned.
Threat actors have camouflaged malicious QR codes as Signal group invites, “or as legitimate device pairing instructions from the Signal website,” Google wrote. More tailored attempts have shown up as QR codes embedded in phishing pages crafted to appear as specialized applications used by targeted Ukrainians. The Russian hacking group popularly known as Sandworm – known inside the Kremlin as Unit 74455 of the General Staff Main Intelligence Directorate Main Center for Special Technologies – is also working with Russian forces to link Signal accounts on devices captured on the battlefield.
Another tactic, deployed by a threat actor Google tracks as UNC5792, involves sending malicious group invites. Rather than leading to a Signal group, the link takes the victim to a page that pairs a device controlled by the threat actor with the victim's account. Ukrainian cyber defenders track the same threat actor as UAC-0195.
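One way a defender can triage decoded QR payloads and links for the device-linking abuse described above, including the altered group invites attributed to UNC5792, as an added example that is not code from Google, Signal or this article: it assumes the URI shapes Signal clients currently use for device linking (sgnl://linkdevice?uuid=...&pub_key=...) and for group invites (https://signal.group/#...), and the hostname allowlist and every sample payload are constructed for illustration.

```python
"""Triage decoded QR-code payloads for Signal device-linking abuse.

Added example; not code from Google, Signal or the article. It assumes two
URI shapes that Signal clients use today (Signal may change them):
  device linking (Signal Desktop): sgnl://linkdevice?uuid=<b64>&pub_key=<b64>
  group invite:                    https://signal.group/#<b64 invite payload>
Every payload in SAMPLES is constructed for this example.
"""
from urllib.parse import urlsplit, parse_qs

# Hosts a genuine Signal web link may point at (assumed allowlist, not exhaustive).
SIGNAL_HOSTS = {"signal.group", "signal.org", "signal.me", "signal.link"}


def classify_payload(payload: str) -> dict:
    """Return {'kind', 'verdict', 'reason'} for one decoded QR/link string.

    A device-link URI is always 'block': if the victim scans it, the device
    that generated it is paired with the victim's account and receives every
    future message in plaintext until the victim unlinks it.
    """
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()

    if scheme == "sgnl" and host == "linkdevice":
        params = parse_qs(parts.query)
        complete = "uuid" in params and "pub_key" in params
        return {
            "kind": "device_link",
            "verdict": "block",
            "reason": "Signal device-pairing URI"
                      + ("" if complete else " (missing uuid/pub_key, likely malformed)"),
        }
    if scheme == "https" and host == "signal.group" and parts.fragment:
        return {"kind": "group_invite", "verdict": "allow",
                "reason": "well-formed signal.group invite link"}
    if "signal" in host and host not in SIGNAL_HOSTS:
        # A phishing page dressed up as Signal (e.g. a fake 'join group' page
        # that then serves a device-link QR); cannot be resolved offline, so block.
        return {"kind": "lookalike", "verdict": "block",
                "reason": f"non-Signal host {host!r} imitating Signal"}
    return {"kind": "other", "verdict": "review",
            "reason": f"not a recognised Signal link ({scheme or 'no scheme'})"}


# Constructed samples: label -> (how the lure presented it, decoded payload)
SAMPLES = {
    "real_invite":  ("Join our group", "https://signal.group/#CjQKIGFiY2RlZmdoaWprbG1ub3A"),
    "fake_invite":  ("Join our group", "sgnl://linkdevice?uuid=YWJjZGVmZ2hpamts&pub_key=BQ1vZmZpY2VzZWNyZXQ"),
    "pairing_page": ("Pair your desktop", "SGNL://LinkDevice?uuid=QUJDREVG&pub_key=QUJDREVG"),
    "lookalike":    ("Join our group", "https://signal-group.example/join?g=123"),
    "unrelated":    ("Read the memo", "https://example.org/memo.pdf"),
}


def triage(samples=SAMPLES) -> dict:
    """Classify each sample; call out the pattern the article describes, a
    'group'/'join' lure whose payload actually pairs a device."""
    results = {}
    for label, (lure, payload) in samples.items():
        r = classify_payload(payload)
        lure_l = lure.lower()
        if r["kind"] == "device_link" and ("group" in lure_l or "join" in lure_l):
            r["reason"] = "group-invite lure delivering a device-link URI: " + r["reason"]
        results[label] = r
    return results


if __name__ == "__main__":
    for label, r in triage().items():
        print(f"{label:13} {r['kind']:12} {r['verdict']:6} {r['reason']}")
```

Run it against the decoded text of QR images found in mail or web lures (the QR decoder itself is out of scope here). The decision that matters is that a device-pairing URI is never something a user should scan from an untrusted page, whatever the lure says; a `signal.group` invite is handled inside the Signal client and never needs a separate pairing step. To check whether an attack has already succeeded, review Linked Devices in Signal's settings and remove any device you do not recognize.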
Signal did not immediately respond to a request for comment. In the wake of this research, Signal has hardened its linked device feature, said Dan Black, principal analyst at Google Threat Intelligence Group.
Russian state hackers are using similar tactics against other encrypted messaging services, including WhatsApp and Telegram. Microsoft recently uncovered a similar campaign, tied to a Russian Federal Security Service threat actor tracked variously as Callisto Group, ColdRiver and Star Blizzard, that used QR codes to target the WhatsApp accounts of dozens of civil society organizations and journalists.