WNYCyber is there to help you choose the best service providers in Western New York... We DO NOT provide the services ourselves, as we are Internet programmers who have to deal daily with cyber threats... (Ugghhh)... So we know what it's like and what it takes to protect OUR and OUR CUSTOMERS' DATA... We built this website to help steer you to those that can give you the best service at realistic and non-inflated prices. We do not charge or collect any fees.

Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger

Summary:
Google Threat Intelligence Group (GTIG) has observed and analyzed a significant uptick in Russia-aligned cyber operations targeting Signal Messenger to compromise accounts belonging to individuals of interest to Russian intelligence services such as the GRU. The emerging interest in this messaging platform has likely been driven by wartime demands to gain access to sensitive government and military communications in the context of Russia's re-invasion of Ukraine. Malware delivery is achieved primarily through malicious QR codes, often disguised as legitimate Signal resources or embedded in phishing pages mimicking applications used by the Ukrainian military. Scanning these QR codes links the victim's account to an attacker-controlled device, enabling real-time eavesdropping without requiring full device compromise. Beyond Signal, these groups are also targeting other platforms such as WhatsApp and Telegram, as demonstrated by COLDRIVER's (Star Blizzard) campaign against WhatsApp. This threat includes close-access operations, not just remote attacks, highlighting the importance of physical security measures.

APT Groups Involved:
  • UNC5792/UAC-0195
  • UNC4221/UAC-0185
  • APT44/Sandworm/Seashell Blizzard
  • Turla
  • UNC1151

Security Officer Comments:
Microsoft has stated that they anticipate the tactics and methods used to target Signal will grow in prevalence in the near term and proliferate to additional threat actors and regions outside the Ukrainian theater of war. The core of this attack lies in the misuse of a legitimate feature. This "living off the land" approach makes detection significantly harder, as the activity itself isn't inherently malicious. The success of the attacks hinges on effective social engineering, emphasizing the importance of user awareness in high-risk environments. Masquerading malicious QR codes as legitimate Signal resources, group invites, security alerts, or even Ukrainian military applications relies on user trust and familiarity.

The observed attacks utilize multiple delivery mechanisms, both remote and physical. The use of tailored phishing pages mimicking specialized applications used by the Ukrainian military demonstrates the groups' resourcefulness and targeted approach. In the midst of a wave of China-aligned telco cyberattacks late last year, the US government urged individuals of interest to switch to encrypted messaging apps like Signal to mitigate data breaches, and it has since become a popular app for high-value targets. It is therefore unsurprising that Russia-aligned threat groups have begun targeting Signal accounts for sensitive information. This report from GTIG aims to warn organizations about the tactics and methods used to date, to build public awareness and help them better safeguard against similar threats. Recent Signal releases on Android and iOS contain hardened features designed to help protect against similar phishing campaigns going forward. Update to the latest version to enable these features.

Suggested Corrections:
IOCs are available here.

Microsoft Recommendations
Potential targets of government-backed intrusion activity targeting their personal devices should adopt practices to help safeguard themselves, including:
  • Enable screen lock on all mobile devices using a long, complex password with a mix of uppercase and lowercase letters, numbers, and symbols. Android supports alphanumeric passwords, which offer significantly more security than numeric-only PINs or patterns.
  • Install operating system updates as soon as possible and always use the latest version of Signal and other messaging apps.
  • Ensure Google Play Protect is enabled, which is on by default on Android devices with Google Play Services. Google Play Protect checks your apps and devices for harmful behavior and can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.
  • Audit linked devices regularly for unauthorized devices by navigating to the "Linked devices" section in the application's settings.
  • Exercise caution when interacting with QR codes and web resources purporting to be software updates, group invites, or other notifications that appear legitimate and urge immediate action.
  • If available, use two-factor authentication such as fingerprint, facial recognition, a security key, or a one-time code to verify when your account is logged into or linked to a new device.
  • iPhone users concerned about targeted surveillance or espionage activity should consider enabling Lockdown Mode to reduce their attack surface.
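The two recommendations above about QR codes and linked devices both come down to one question: what will this code actually do when my Signal app scans it? The following is an added example, not code from the GTIG report or from Signal, that triages the text decoded from a QR code before it is handed to any app. It assumes the URI shapes used by public Signal clients (a device-link request as `sgnl://linkdevice?uuid=...&pub_key=...`, a group invite as `https://signal.group/#...`) and a small constructed allowlist of Signal-operated hosts.

```python
"""Classify a decoded QR payload so a user sees what it would do in Signal.

Assumptions (not taken from the report): a device-link request uses the
custom scheme ``sgnl://linkdevice?uuid=...&pub_key=...`` and a group invite
is ``https://signal.group/#...``. Everything else is treated as an unknown
web resource or as opaque data.
"""
from urllib.parse import urlparse, parse_qs

LINK_DEVICE = "LINK_DEVICE"    # would pair a new device with the account
GROUP_INVITE = "GROUP_INVITE"  # joins a group; no account-level access
SIGNAL_WEB = "SIGNAL_WEB"      # ordinary link to a Signal-operated host
UNKNOWN_WEB = "UNKNOWN_WEB"    # any other http(s) URL (possible phishing page)
OPAQUE = "OPAQUE"              # not a URL at all

# Constructed allowlist: hosts Signal itself uses for invites and downloads.
SIGNAL_HOSTS = {"signal.group", "signal.org", "signal.link", "signal.me"}


def triage_qr(payload: str) -> tuple[str, str]:
    """Return (category, plain-language warning) for one decoded QR payload."""
    p = urlparse(payload.strip())

    # Device linking: the action the campaign abuses. Report which of the
    # expected provisioning fields are present so the warning is concrete.
    if p.scheme == "sgnl" and p.netloc.lower() == "linkdevice":
        q = parse_qs(p.query)
        present = [k for k in ("uuid", "pub_key") if k in q]
        return (LINK_DEVICE,
                "This code links a NEW DEVICE to your Signal account and would let "
                f"it read your messages (fields: {', '.join(present) or 'none'}). "
                "Proceed only if you started the linking yourself.")

    if p.scheme in ("http", "https"):
        host = (p.hostname or "").lower()
        if host == "signal.group" and p.fragment:
            return (GROUP_INVITE, "Signal group invite; it does not link a device.")
        if host in SIGNAL_HOSTS or host.endswith(".signal.org"):
            return (SIGNAL_WEB, f"Web link to Signal-operated host {host}.")
        return (UNKNOWN_WEB,
                f"Web link to {host or '<no host>'}, which is not a Signal host. "
                "Pages imitating Signal or military apps have hosted link codes.")

    return (OPAQUE, "Not a URL; do not paste it into any app.")
```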

Link(s):
https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger