
Russian Attackers Leverage Signal to Hit Targets

Threat actors typically abuse the app’s legitimate “linked devices” feature.

Russian state-aligned threat actors have made increasing efforts over the past year to compromise Signal Messenger accounts used by individuals of interest to Russia’s intelligence services.

According to research by Google’s Threat Intelligence Group, this threat also extends to other popular messaging applications such as WhatsApp and Telegram, which are also being actively targeted by Russian-aligned threat groups using similar techniques.

The researchers found that the most novel and widely used technique underpinning the attempted compromises is the abuse of the app’s legitimate “linked devices” feature, which allows a single Signal account to be used on multiple devices concurrently.

As linking an additional device typically requires scanning a quick-response (QR) code, threat actors have resorted to crafting malicious QR codes that, when scanned, will link a victim’s account to an actor-controlled Signal instance.

If the link succeeds, subsequent messages are delivered to both the victim and the threat actor in real time, giving the attacker a persistent means of eavesdropping on the victim’s secure conversations without needing to compromise the whole device.

“Notably, this device-linking concept of operations has proven to be a low-signature form of initial access due to the lack of centralised, technology-driven detections and defenses that can be used to monitor for account compromise via newly linked devices,” said report author Dan Black, principal analyst at the Google Threat Intelligence Group.

“When successful, there is a high risk that a compromise can go unnoticed for extended periods of time.”

The researchers cited several instances of this technique they have observed, such as altering legitimate “group invite” pages so that, instead of redirecting to a Signal group, they redirect to a malicious URL crafted to link an actor-controlled device to the victim’s Signal account.
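The two mechanisms described above (a QR code or link that carries a device-linking request, and a tampered invite page that redirects to one) are both, from a defender's point of view, a question of where a link ultimately lands. The following is an added example, not code from the article or from Signal or Google, that triages link payloads such as the text decoded from a QR code: it follows redirect parameters down a few levels and reports anything that would link a new device. It assumes Signal's `sgnl://linkdevice` provisioning URI format and the `signal.group` host for group invites; the sample payloads and hostnames are constructed.

```python
"""Triage link payloads (e.g. text decoded from a scanned QR code) by whether
they would link a new device to a Signal account.

Added example, not part of the original article. Assumptions: Signal's
device-provisioning URI uses the scheme/host "sgnl://linkdevice", and group
invites are served from the "signal.group" host. Sample data is constructed.
"""
from urllib.parse import urlparse, parse_qs, unquote

DEVICE_LINK_SCHEME = "sgnl"          # assumed provisioning scheme
DEVICE_LINK_HOST = "linkdevice"      # assumed provisioning host
GROUP_INVITE_HOST = "signal.group"   # assumed legitimate invite host


def _is_device_link(url: str) -> bool:
    """True if the URL itself is a device-provisioning URI."""
    parsed = urlparse(url)
    return (parsed.scheme.lower() == DEVICE_LINK_SCHEME
            and parsed.netloc.lower() == DEVICE_LINK_HOST)


def classify_signal_link(payload: str, max_depth: int = 3) -> str:
    """Return 'device_link', 'group_invite' or 'other'.

    A device-link URI hidden inside a redirect parameter of an otherwise
    ordinary https link (possibly percent-encoded more than once) is still
    reported as 'device_link': what matters is where the user ends up, not
    what the outer link looks like. At most max_depth nested hops are followed.
    """
    text = payload.strip()
    for _ in range(max_depth):
        if _is_device_link(text):
            return "device_link"
        parsed = urlparse(text)
        if parsed.scheme in ("http", "https") and parsed.netloc.lower() == GROUP_INVITE_HOST:
            return "group_invite"
        # Look for a nested URL carried in any query parameter; parse_qs
        # already percent-decodes one layer for us.
        nested = None
        for values in parse_qs(parsed.query).values():
            for value in values:
                if "://" in value:
                    nested = value
                    break
            if nested is not None:
                break
        if nested is None:
            # No redirect parameter: try one more decoding pass, then give up.
            decoded = unquote(text)
            if decoded == text:
                return "other"
            text = decoded
        else:
            text = nested
    return "other"


def triage(payloads):
    """Return only the payloads a reviewer should look at: those that link a device."""
    return [p for p in payloads if classify_signal_link(p) == "device_link"]


# Constructed sample payloads: a genuine-looking group invite, a bare
# provisioning URI, a tampered invite page whose redirect parameter carries
# the provisioning URI, and an unrelated link.
SAMPLE_PAYLOADS = [
    "https://signal.group/#CjQKIExampleGroupInviteBlob",
    "sgnl://linkdevice?uuid=11111111-2222-3333-4444-555555555555&pub_key=AAAAexample",
    "https://invite.example.invalid/join?redirect="
    "sgnl%3A%2F%2Flinkdevice%3Fuuid%3Dabc%26pub_key%3DAAAA",
    "https://news.example.invalid/article",
]

if __name__ == "__main__":
    for payload in SAMPLE_PAYLOADS:
        print(f"{classify_signal_link(payload):12s} {payload}")
    print("flagged for review:", len(triage(SAMPLE_PAYLOADS)))
```

The classifier deliberately reports the final destination rather than the outer link, because the tampered invite pages the researchers describe look legitimate until the redirect fires; a link that merely mentions Signal in its path is still classed as "other".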

Black said: “The varied tactics being used by Russia to target Signal, ranging from remote phishing operations to close-access exploitation using physical access to target devices, provides an urgent warning for the escalating threat to the tools publics increasingly rely upon for secure and private communications. We judge it highly likely that these tactics will proliferate outside of Ukraine and see more global use in the near-term future.”

Black also praised Signal for their close partnership in investigating this activity, and confirmed that the latest Signal releases on Android and iOS contain hardened features designed to help protect against similar phishing campaigns in the future.

Dan Raywood, Senior Editor, SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.

