Threat Insight

Russian Intelligence Compromises Signal Accounts

An unknown Russian threat actor, possibly associated with the GRU (Russian military intelligence), has begun using a novel tactic to compromise accounts on the Signal messaging app. Signal is a popular application for sensitive messaging.

  • Insight

The attack vector involves the abuse of the app’s legitimate “linked devices” feature that enables Signal to be used on multiple devices concurrently. Because linking an additional device typically requires scanning a quick-response (QR) code, threat actors have resorted to crafting malicious QR codes that, when scanned, will link a victim’s account to an actor-controlled Signal instance.

Malicious QR codes have frequently been disguised as legitimate Signal resources, such as group invites, security alerts, or device-pairing instructions copied from the Signal website.

If the link succeeds, every subsequent message is delivered in real time to both the victim’s device and the actor-controlled instance, giving the threat actor a persistent means to eavesdrop on the victim’s secure conversations without needing a full-device compromise.
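The attack relies on a mismatch between what a victim is told a QR code is (a group invite, a security alert) and what it actually encodes (a device-link request). The following is an added illustration of checking for that mismatch on the decoded QR payload; it is not code from the original advisory or from Signal. The `sgnl://linkdevice?...` form for device-link payloads and the `https://signal.group/#...` form for group invites are assumptions, not documented on this page.

```python
from urllib.parse import urlparse, parse_qs

# Assumed decoded QR payload shapes (not documented in the advisory above):
#   device-link request : sgnl://linkdevice?uuid=<...>&pub_key=<...>
#   group invite        : https://signal.group/#<...>
DEVICE_LINK_SCHEME = "sgnl"
DEVICE_LINK_HOST = "linkdevice"
GROUP_INVITE_HOST = "signal.group"


def classify_qr_payload(payload: str) -> str:
    """Return 'device-link', 'group-invite' or 'other' for a decoded QR string."""
    try:
        u = urlparse(payload.strip())
    except ValueError:
        return "other"
    if u.scheme == DEVICE_LINK_SCHEME and u.netloc == DEVICE_LINK_HOST:
        return "device-link"
    if u.scheme == "https" and u.netloc == GROUP_INVITE_HOST:
        return "group-invite"
    return "other"


def assess(claimed: str, payload: str) -> dict:
    """Compare what the user was told the QR code is with what it encodes.

    A device-link payload presented as anything other than a device-link
    request is exactly the lure described in the advisory, so it is flagged.
    """
    actual = classify_qr_payload(payload)
    params = parse_qs(urlparse(payload).query) if actual == "device-link" else {}
    return {
        "claimed": claimed,
        "actual": actual,
        "suspicious": actual == "device-link" and claimed != "device-link",
        "carries_pub_key": "pub_key" in params,
    }


# Constructed sample payloads (placeholder values, not real keys or links).
LURE_PAYLOAD = "sgnl://linkdevice?uuid=PLACEHOLDER_UUID&pub_key=PLACEHOLDER_KEY"
INVITE_PAYLOAD = "https://signal.group/#PLACEHOLDER_INVITE"

if __name__ == "__main__":
    for claimed, payload in [("group-invite", LURE_PAYLOAD), ("group-invite", INVITE_PAYLOAD)]:
        print(assess(claimed, payload))
```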

The same threat actor has previously been associated with attacks aimed at stealing WhatsApp account information. So far the attacks appear to have been reported mostly from Ukraine, but because the technique has been successful and is hard to detect, other threat actors may adopt it in the future.

Recommendations

If you or your organization relies on Signal for highly sensitive communication, be aware of this technique and be wary of any unsolicited group invite or other QR code that appears to come from the app.

References

[1] https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger/
[2] https://cert.gov.ua/article/6278735