Russian state-linked hacking groups have snuck into some Ukrainian military staffers’ Signal messenger accounts to gain access to sensitive communications, Google said in a report on Wednesday.
Moscow-linked groups have found ways to couple victims’ accounts to their own devices by abusing the messaging application’s “linked devices” feature, which lets a user be logged in on multiple devices at the same time.
In some cases, Google has found that Russia’s notorious, stealthy hacking group Sandworm (also known as APT44, part of the military intelligence agency GRU) has worked with Russian military staff on the front lines to link Signal accounts on devices captured on the battlefield to their own systems, allowing the espionage group to keep tracking the communication channels.
In other cases, hackers have tricked Ukrainians into scanning malicious QR codes that, once scanned, link a victim’s account to the hacker’s interface, meaning future messages will be delivered both to the victim and the hackers in real time.
Russia-linked groups including UNC4221 and UNC5792 have been sending altered Signal “group invite” links and codes to Ukrainian military personnel, Google said.
Signal is considered an industry benchmark for secure, end-to-end encrypted messaging, as it collects minimal data and its end-to-end encryption protocol is open-source, meaning cybersecurity experts can continuously check it for flaws. The European Commission and European Parliament are among the government institutions that have advised staff to use the application over competing messaging apps.
Google’s research did not suggest the app’s encryption protocol itself was vulnerable, but rather that the app’s “linked devices” functionality was being abused as a workaround.
Google is now warning that such workarounds for snooping on Signal data could pop up beyond Ukraine too.
“We anticipate the tactics and methods used to target Signal will grow in prevalence in the near-term and proliferate to additional threat actors and regions outside the Ukrainian theater of war,” said Dan Black, cyber espionage researcher at Google Cloud’s Mandiant group.
Other messaging apps, including WhatsApp and Telegram, have similar device-linking features and could be or become the target of similar lures, Google suggested.
Signal did not respond to a request for comment at the time of publication.
The post Russian hackers find ways to snoop on Ukrainian Signal accounts appeared first on Politico.