Google’s Threat Intelligence Group (GTIG) has observed increasing efforts by Russian state-aligned threat actors to compromise Signal Messenger accounts, specifically targeting individuals of interest to Russian intelligence services.
This activity appears to be a direct response to the demands of the ongoing conflict in Ukraine, where access to sensitive military and government communications is highly sought after. Signal, known for its strong end-to-end encryption and its popularity among at-risk groups such as military personnel, politicians, journalists, and activists, has become a prime target for espionage.
None of the techniques described here break Signal's encryption. Russian-aligned groups instead go after the account and the endpoints around it: tricking the victim into adding an attacker device, or collecting the message store from a device they already control. Besides Signal, the same actors are also focusing on other messaging apps such as WhatsApp and Telegram.
One of the most novel techniques observed is the abuse of Signal’s legitimate “linked devices” feature, which allows users to access their Signal accounts on multiple devices. Linking an additional device normally means scanning, with the phone that holds the account, a QR code displayed by the new device. Attackers have turned this around: they generate a genuine device-linking QR code for a device they control and get the victim to scan it. The victim's own client then completes the linking, and from that point every message the account sends or receives is also delivered to the attacker's device. This gives adversaries a real-time, persistent eavesdropping channel without compromising the victim’s phone with malware. Because the linked device is a legitimate participant from the protocol's point of view, the only visible trace is the extra entry in the account's list of linked devices; reviewing Settings > Linked Devices and unlinking anything unrecognised is both the check and the immediate remediation.
In terms of execution, these device-linking QR codes have been delivered in phishing lures that masquerade as legitimate Signal group invites, as Signal security alerts, or as device-pairing instructions purportedly from Signal’s official website. More targeted attacks have used phishing pages that imitate specialised applications used by the Ukrainian military, with the malicious device-linking QR code embedded in the page.
Beyond remote phishing, some Russian actors, including APT44 (also known as Sandworm or Seashell Blizzard), have used the device-linking technique in close-access operations. With physical access to devices captured on the battlefield, Russian military forces have linked the victims' Signal accounts to actor-controlled infrastructure.
One espionage cluster, UNC5792, abuses the feature by tampering with legitimate Signal group invite pages: the page code that would normally hand the visitor to the group-join flow is altered so that the victim's client is sent a device-linking request instead. The account is linked to the attacker's device and surveillance persists until the device is unlinked. Another Russian group, UNC4221, has developed a custom phishing kit that mimics Ukrainian military applications and uses the same device-linking technique, sometimes wrapped in fraudulent security alerts that appear to come from Signal.
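A practitioner triaging a phishing page or a decoded QR payload wants to tell a real group invite from a device-linking request. The following is an added example written for this page, not code from GTIG or from Signal. It assumes, from Signal's open-source clients, that group invites are `https://signal.group/#<token>` links and that a device-linking QR encodes a `sgnl://linkdevice?uuid=...&pub_key=...` URI; the sample page, the UUID and the key blob are constructed for the demo.

```python
"""Triage helper: classify Signal links found in pages or decoded QR codes.

Added example, not GTIG's or Signal's code. Assumptions (labelled):
- group invite links look like https://signal.group/#<base64 token>
- a device-linking QR encodes sgnl://linkdevice?uuid=<id>&pub_key=<base64>
  (the provisioning URI used by Signal's open-source clients)
A device-linking URI is never legitimate inside a group-invite page, so its
presence there is the indicator, independent of how the page looks.
"""
from __future__ import annotations

import base64
import binascii
import re
from dataclasses import dataclass, field
from urllib.parse import unquote, urlsplit

# Matches a device-linking URI embedded anywhere in HTML/JS text.
LINKDEVICE_RE = re.compile(r"""sgnl://linkdevice\?[^\s'"<>]+""", re.I)


@dataclass
class Verdict:
    kind: str            # "device_link" | "group_invite" | "other"
    suspicious: bool
    details: dict = field(default_factory=dict)


def _query_params(query: str) -> dict:
    """Split a query string by hand; parse_qs would turn a '+' in base64 into a space."""
    out = {}
    for kv in query.split("&"):
        if "=" in kv:
            k, v = kv.split("=", 1)
            out[unquote(k)] = unquote(v)
    return out


def _decoded_len(b64: str) -> int | None:
    """Length in bytes of a (standard or URL-safe) base64 blob, or None if malformed."""
    s = b64.replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    try:
        return len(base64.b64decode(s, validate=True))
    except (binascii.Error, ValueError):
        return None


def classify_signal_link(link: str) -> Verdict:
    parts = urlsplit(link.strip())
    if parts.scheme.lower() == "sgnl" and parts.netloc.lower() == "linkdevice":
        p = _query_params(parts.query)
        # Scanning this with the account's phone adds the device identified by
        # uuid/pub_key as a linked device: flag it and keep the identifiers for IOCs.
        return Verdict("device_link", True, {
            "uuid": p.get("uuid", ""),
            "pub_key": p.get("pub_key", ""),
            "pub_key_bytes": _decoded_len(p.get("pub_key", "")),
        })
    if parts.scheme.lower() == "https" and parts.netloc.lower() == "signal.group" and parts.fragment:
        return Verdict("group_invite", False, {"invite_token": parts.fragment})
    return Verdict("other", False, {"link": link})


def find_device_link_uris(page_text: str) -> list[Verdict]:
    """Scan raw page text (or a decoded QR payload) for device-linking URIs."""
    return [classify_signal_link(m.group(0)) for m in LINKDEVICE_RE.finditer(page_text)]


# Constructed sample: a 33-byte key-shaped blob standing in for an attacker device's key.
_DEMO_PUB_KEY = base64.b64encode(bytes([0x05]) + bytes(range(32))).decode()

# Constructed sample of a tampered invite page: the visible link is a group invite,
# but the script sends the visitor's client a device-linking request instead.
SAMPLE_TAMPERED_INVITE = f"""<html><body>
<p>You have been invited to a Signal group</p>
<a href="https://signal.group/#CjQKIDemoInviteTokenConstructedForThisExample">Join</a>
<script>
  window.location = "sgnl://linkdevice?uuid=demo-attacker-device&pub_key={_DEMO_PUB_KEY}";
</script>
</body></html>"""


if __name__ == "__main__":
    for v in find_device_link_uris(SAMPLE_TAMPERED_INVITE):
        print(v.kind, v.suspicious, v.details["uuid"], v.details["pub_key_bytes"])
```

The scan works on text, so feed it the string a QR decoder returns or the HTML of a suspicious invite page; a genuine invite page never needs to hand the client a `sgnl://linkdevice` URI, so a single hit is enough to block the lure and extract the device identifiers.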
On a broader scale, multiple threat actors have also been observed collecting Signal's local database files from compromised Android and Windows devices. For instance, APT44 has used a script called WAVESIGN to query messages from a victim's Signal database and exfiltrate them. Infamous Chisel, an Android malware attributed to Sandworm, targets Signal’s database files on the device. Turla, another Russian group, has used PowerShell scripts to exfiltrate Signal Desktop messages after compromising the host. Belarus-linked UNC1151 has reached the same goal with nothing more than built-in command-line utilities such as Robocopy to copy the Signal message store off the machine. All of these presuppose code execution on the endpoint, but once an attacker has that, the local store and the key material needed to open it sit on the same host, so encryption in transit offers no protection against this class of collection; the detection opportunity is a process other than Signal itself reading, copying or querying those files.
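The common thread in the database-theft cases above is a non-Signal process (a script interpreter, a copy utility, a dropper) touching Signal's local store. The following detection sketch is an added example for this page, not code from GTIG or any of the named tools. The store paths are assumed from Signal's public clients (Windows desktop: `%APPDATA%\Signal\sql\db.sqlite` and `%APPDATA%\Signal\config.json`; Android: the `org.thoughtcrime.securesms` app's `databases/signal.db`), the event schema is a simplified, constructed stand-in for file-access and process-creation telemetry, and the sample events are constructed.

```python
"""Detection sketch: a process other than Signal touching Signal's message store.

Added example, not from GTIG or any named malware. Event schema and sample
events are constructed. Path assumptions (from Signal's public clients):
  Windows desktop: %APPDATA%\\Signal\\sql\\db.sqlite  (SQLCipher database)
                   %APPDATA%\\Signal\\config.json      (key material for it)
  Android:         /data/data/org.thoughtcrime.securesms/databases/signal.db
"""
from __future__ import annotations

import json
import re

# A path is "a Signal store" if it is the desktop sql directory / database
# (with SQLite -wal/-shm sidecars), the desktop config, or the Android database.
SIGNAL_STORE_RES = [
    re.compile(r"""\\Signal\\sql(\\db\.sqlite(-wal|-shm)?)?(?=[\s"']|$)""", re.I),
    re.compile(r"""\\Signal\\config\.json(?=[\s"']|$)""", re.I),
    re.compile(r"""/data/data/org\.thoughtcrime\.securesms/databases/signal\.db(-wal|-shm)?(?=[\s"']|$)"""),
]

# Processes expected to open these stores in normal operation (assumed names).
EXPECTED_ACCESSORS = {"signal.exe", "signal-desktop", "org.thoughtcrime.securesms"}


def touches_signal_store(text: str) -> bool:
    return any(rx.search(text) for rx in SIGNAL_STORE_RES)


def evaluate(event: dict) -> dict | None:
    """Return an alert if a non-Signal process reads, copies or queries a Signal
    store, else None. Fields used: host, process, pid, target_path, command_line.
    command_line is checked too so a copy utility pointed at the directory
    (Robocopy-style collection) is caught even when target_path is the copy."""
    image = event.get("process", "")
    proc = image.rsplit("\\", 1)[-1].rsplit("/", 1)[-1].lower()
    matched = [f for f in ("target_path", "command_line")
               if touches_signal_store(event.get(f, ""))]
    if not matched or proc in EXPECTED_ACCESSORS:
        return None
    return {
        "host": event.get("host"),
        "process": proc,
        "pid": event.get("pid"),
        "matched_fields": matched,
        "summary": "non-Signal process accessed Signal local message store",
    }


def run(jsonl: str) -> list[dict]:
    """Evaluate newline-delimited JSON events and return the alerts raised."""
    alerts = []
    for line in jsonl.splitlines():
        if line.strip():
            alert = evaluate(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample telemetry: Signal's own access, a PowerShell collector
# reading the key file, a Robocopy of the sql directory, an Android dropper
# reading the database, and two benign events that must not fire.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"host": "WS-01", "process": "C:\\Program Files\\Signal\\Signal.exe", "pid": 4120,
     "target_path": "C:\\Users\\u\\AppData\\Roaming\\Signal\\sql\\db.sqlite", "command_line": ""},
    {"host": "WS-01", "process": "powershell.exe", "pid": 5560,
     "target_path": "C:\\Users\\u\\AppData\\Roaming\\Signal\\config.json",
     "command_line": "powershell.exe -ep bypass -f C:\\Users\\Public\\collect.ps1"},
    {"host": "WS-02", "process": "C:\\Windows\\System32\\Robocopy.exe", "pid": 2212,
     "target_path": "D:\\staging\\db.sqlite",
     "command_line": "Robocopy.exe \"C:\\Users\\u\\AppData\\Roaming\\Signal\\sql\" D:\\staging db.sqlite /R:0"},
    {"host": "android-7f", "process": "com.example.dropper", "pid": 9031,
     "target_path": "/data/data/org.thoughtcrime.securesms/databases/signal.db", "command_line": ""},
    {"host": "WS-01", "process": "explorer.exe", "pid": 1300,
     "target_path": "C:\\Users\\u\\Documents\\Signal\\notes.txt", "command_line": ""},
    {"host": "android-7f", "process": "org.thoughtcrime.securesms", "pid": 7712,
     "target_path": "/data/data/org.thoughtcrime.securesms/databases/signal.db-wal", "command_line": ""},
])


if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(a["host"], a["process"], a["matched_fields"])
```

Tune `EXPECTED_ACCESSORS` to the image names actually seen in your telemetry (backup agents and EDR scanners will need allow-listing), and treat a hit on `config.json` as higher severity than the database alone, since that file is what lets the copied database be opened off-host.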