Russia-aligned hackers are targeting Signal users with device-linking QR codes

Signal, as an encrypted messaging app and protocol, remains relatively secure. But Signal’s growing popularity as a tool for evading surveillance has led Russia-affiliated actors to try to trick the app’s users into surreptitiously linking their devices to attacker-controlled ones, according to Google’s Threat Intelligence Group.

While Russia’s continued invasion of Ukraine is likely driving the country’s desire to work around Signal’s encryption, “We anticipate the tactics and methods used to focus on Signal will grow in prevalence within the near-term and proliferate to additional threat actors and regions outside the Ukrainian theater of war,” writes Dan Black at Google’s Threat Intelligence blog.

The report does not describe any vulnerability in Signal itself. Nearly any secure platform can be overcome by some form of social engineering. Microsoft 365 accounts were recently revealed to be the target of “device code flow” OAuth phishing by Russia-linked threat actors. Google notes that the newest versions of Signal include features designed to guard against these phishing campaigns.

The first attack vector is Signal’s “linked devices” feature, which allows one Signal account to be used on multiple devices, such as a phone, a desktop computer, and a tablet. Linking normally happens by scanning a QR code generated by Signal. Russia-aligned actors have distributed malicious “linking” QR codes disguised as group invites, security alerts, and even “specialized applications utilized by the Ukrainian military,” according to Google.
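The point of the disguise is that a device-linking QR code and a group-invite QR code look identical to the eye; only the decoded payload reveals which action scanning it would trigger. As an added example (not code from the article, Google, or Signal), here is a small triage helper that classifies a decoded QR payload before it is scanned into the app; the link shapes it checks for (`sgnl://linkdevice?uuid=...&pub_key=...` for device linking, `https://signal.group/#...` for group invites) are assumptions about Signal’s deep-link formats, not details taken from the report.

```python
"""Classify decoded QR payloads so a device-linking request cannot pass as a group invite.

Added example; the URI formats below are ASSUMED, not taken from the article.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse


@dataclass
class Verdict:
    kind: str     # "device_link", "group_invite" or "other"
    risky: bool   # True when scanning would pair a new device with the account
    detail: str


def classify_qr_payload(payload: str) -> Verdict:
    """Return what scanning this payload into Signal would actually do."""
    p = urlparse(payload.strip())

    # Assumed device-linking deep link: sgnl://linkdevice?uuid=<id>&pub_key=<key>
    if p.scheme == "sgnl" and p.netloc == "linkdevice":
        q = parse_qs(p.query)
        complete = bool(q.get("uuid")) and bool(q.get("pub_key"))
        note = "pairs a new device with this account" if complete else "malformed link request"
        # Any linkdevice request is treated as risky: it is never a group invite.
        return Verdict("device_link", True, note)

    # Assumed group invite: https://signal.group/#<invite blob in the fragment>
    if p.scheme == "https" and p.netloc == "signal.group" and p.fragment:
        return Verdict("group_invite", False, "joins a group; adds no device")

    return Verdict("other", False, f"unrecognised scheme {p.scheme!r}")


def flag_unexpected_links(payloads):
    """Return (payload, verdict) pairs that would link a device, for review before scanning."""
    return [(pl, v) for pl in payloads if (v := classify_qr_payload(pl)).risky]


# Constructed sample payloads, as a QR decoder might hand them over; values are placeholders.
SAMPLE_PAYLOADS = [
    "https://signal.group/#CONSTRUCTED-INVITE-BLOB",
    "sgnl://linkdevice?uuid=CONSTRUCTED-UUID&pub_key=CONSTRUCTED-KEY",  # "group invite" that is not one
    "https://example.test/join-our-channel",
]

if __name__ == "__main__":
    for payload, verdict in flag_unexpected_links(SAMPLE_PAYLOADS):
        print(f"DO NOT SCAN: {payload} -> {verdict.kind}: {verdict.detail}")
```

Running the block prints one warning, for the constructed `sgnl://linkdevice` payload, while the genuine invite and the unrelated URL pass silently.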

APT44, a Russian state hacking group within the country’s military intelligence agency, the GRU, has also worked to enable Russian invasion forces to link Signal accounts on devices captured on the battlefield for future exploitation, Google says.