Hackers Exploit Signal’s Linked Devices Feature with Malicious QR Codes

Russian threat actors have launched sophisticated phishing campaigns that exploit the legitimate “Linked Devices” feature in the Signal messaging app. These attacks aim to gain unauthorized access to accounts of interest, particularly targeting individuals associated with military and governmental operations.

The Rise of Device-Linking Phishing

Over the past year, researchers have observed a surge in phishing operations attributed to Russian state-aligned groups. These groups employ various tactics to trick victims into linking their Signal accounts to devices controlled by the attackers. According to a recent report from the Google Threat Intelligence Group (GTIG), the abuse of Signal’s device linking feature represents the “most novel and widely used technique” in these attempts to compromise accounts.

How the Attack Works

Threat actors leverage the device linking feature by creating malicious QR codes. When victims scan these codes, they inadvertently allow Signal messages to synchronize with the attacker’s device. This simple yet effective trick does not require a full compromise of the target’s device, enabling attackers to monitor secure conversations with ease.

GTIG researchers noted that attackers adapt their methods based on the type of target. In broader campaigns, they disguise malicious QR codes as legitimate app resources, such as Signal group invites or device pairing instructions from the official Signal website. For more targeted attacks, they embed malicious QR codes in phishing pages designed to appeal to specific victims, including applications used by military personnel.

Notable Threat Actors and Techniques

One notorious group, Sandworm (also known as Seashell Blizzard or APT44), has utilized these malicious QR codes to access Signal accounts on devices captured in military operations. Another group tracked as UNC5792 has modified legitimate Signal group invitations to redirect victims to malicious URLs, linking their accounts to attacker-controlled devices.

In these operations, UNC5792 has hosted fake Signal group invitations on infrastructure designed to mimic legitimate invites. The attackers replace the legitimate redirect JavaScript code with a malicious block that includes Signal’s URI for linking a new device, so that when the victim accepts the “invitation” their account is linked to the attacker’s device instead of joining a group.
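As an added illustration of the triage a responder can do on a decoded QR payload or a captured invite page (this is example code written for this article, not code from GTIG or from any of the campaigns it describes), the script below classifies a payload by whether it carries a genuine group invite or Signal’s device-pairing URI. The `sgnl://linkdevice?uuid=…&pub_key=…` form is an assumption taken from Signal Desktop’s own pairing flow, and all sample payloads are constructed.

```python
"""Classify decoded QR payloads / page bodies for Signal device-linking URIs."""
import re
from urllib.parse import parse_qs, urlsplit

# Assumption (not from the article): Signal's pairing QR encodes
# sgnl://linkdevice?uuid=...&pub_key=... while a real group invite is an
# https://signal.group/#... link. A payload that presents itself as an invite
# but also carries the pairing URI matches the redirect trick described above.
LINK_DEVICE_RE = re.compile(r"sgnl://linkdevice\?[^\s'\"<>]*", re.IGNORECASE)
GROUP_INVITE_RE = re.compile(r"https://signal\.group/#[A-Za-z0-9_\-+/=]+", re.IGNORECASE)

# Constructed samples for the demonstration; none are real campaign artefacts.
SAMPLES = {
    "real_invite": "https://signal.group/#CjQKIEXAMPLEinviteBytes",
    "qr_pairing": "sgnl://linkdevice?uuid=EXAMPLEuuid&pub_key=EXAMPLEpubkey",
    "spoofed_invite_page": (
        "<html><body>Join the group"
        "<script>window.location.href = "
        "'sgnl://linkdevice?uuid=EXAMPLEuuid&pub_key=EXAMPLEpubkey';</script>"
        "</body></html>"
    ),
    "unrelated": "https://example.invalid/app-update",
}


def find_link_device_uris(text: str) -> list:
    """Return every device-linking URI found in a QR payload, URL or page body."""
    return LINK_DEVICE_RE.findall(text)


def classify_payload(text: str) -> str:
    """'device-link' outranks 'group-invite': an invite page that also embeds
    the pairing URI is exactly the swapped-redirect pattern to flag."""
    if find_link_device_uris(text):
        return "device-link"
    if GROUP_INVITE_RE.search(text):
        return "group-invite"
    return "other"


def link_device_params(uri: str) -> dict:
    """Extract the pairing parameters from a linking URI for the incident record."""
    return {k: v[0] for k, v in parse_qs(urlsplit(uri).query).items()}


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:22} -> {classify_payload(payload)}")
        for uri in find_link_device_uris(payload):
            print("   pairing params:", link_device_params(uri))
```

A hit on the pairing URI in something that was supposed to be a group invite is the indicator to act on; the URI itself is a legitimate Signal mechanism, so the check is about where it appears, not the URI alone.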

Custom Phishing Kits Targeting Military Personnel

Another Russia-linked threat actor, tracked as UNC4221 and referred to by CERT-UA as UAC-0185, has developed a custom phishing kit specifically targeting Signal accounts of Ukrainian military personnel. This phishing kit impersonates the Kropyva software, which the Armed Forces of Ukraine use for artillery guidance and minefield mapping.

In these attacks, the device-linking trick is masked by a secondary infrastructure designed to impersonate legitimate Signal instructions. Attackers have also used Kropyva-themed phishing to distribute malicious QR codes, alongside older operations that lured victims with fake Signal security alerts hosted on domains mimicking the messaging service.

Broader Implications and Recommendations

GTIG researchers have observed both Russian and Belarusian efforts to search for and collect messages from Signal’s database files on Android and Windows. They have utilized various tools, including the WAVESIGN batch script, the infamous Chisel malware, PowerShell scripts, and the Robocopy command-line utility.

The researchers emphasize that Signal is not the only messaging app under threat. The Coldriver campaign, for instance, targeted WhatsApp accounts of high-value diplomats, showcasing the growing interest of Russian threat actors in secure messaging platforms.

The nature of device-linking compromises makes them difficult to detect and protect against, as there is currently no technical solution to monitor for newly linked devices beyond the user manually reviewing the Linked Devices list in Signal’s settings and unlinking anything unrecognised. When successful, these compromises can go unnoticed for extended periods, posing significant risks to users.
