FOCUS MODE
EXTRACT IOC
Threat Research

Russia-Linked Actors Exploiting Signal Messenger’s “Linked Devices” Feature for Espionage in Ukraine 

Cyble
Russia-Linked Actors Exploiting Signal Messenger’s “Linked Devices” Feature for Espionage in Ukraine 
The Google Threat Intelligence Group has revealed that Russia-aligned threat actors are conducting a cyber espionage operation targeting Signal Messenger accounts, specifically focusing on military personnel, politicians, journalists, and activists. This campaign involves using phishing attacks, malware, and manipulations of Signal’s linked devices functionality to access sensitive communications. Affected: Signal Messenger, Ukrainian military, journalists, politicians, activists

Keypoints :

  • Russia-aligned threat actors targeted Signal Messenger accounts as part of a multi-year cyber espionage campaign.
  • The operation is likely influenced by Russia’s intelligence goals during its invasion of Ukraine.
  • Attack methods include phishing, malicious JavaScript payloads, and malware targeting Android and Windows users.
  • Google has collaborated with Signal to implement security measures to counteract these attacks.
  • Phishing tactics have manipulated Signal’s linked devices feature to gain unauthorized access to accounts.
  • Specific threat actor groups, such as UNC5792 and UNC4221, have been identified, employing unique phishing strategies.
  • Malware such as WAVESIGN and Chisel has been utilized to steal Signal messages.
  • Mitigation strategies include enabling strong passwords, auditing linked devices, and using two-factor authentication.

MITRE Techniques :

  • Initial Access (T1071): Phishing methods were employed to deliver malicious QR codes targeting Signal users.
  • Credential Dumping (T1003): WAVESIGN was used to query Signal’s local database for sensitive messages.
  • Exploitation of Remote Services (T1210): Attackers exploited Signal’s “Linked Devices” feature to access accounts through legitimate QR code features.
  • Data Exfiltration (T1041): Techniques such as Rclone and Robocopy were utilized to extract Signal message data from compromised devices.
  • Command and Control (T1071): PowerShell scripts were leveraged by Turla to compress and upload user data to remote attacker-controlled servers.

Indicator of Compromise :

  • [Domain] signal-groups[.]tech
  • [Domain] add-signal-groups[.]com
  • [Domain] signal-confirm[.]site
  • [Hash] e078778b62796bab2d7ab2b04d6b01bf
  • [IP Address] 150.107.31[.]194:18000

Full Story: https://cyble.com/blog/germany-strengthening-cybersecurity-2/

Tags: CRITICAL INFRASTRUCTURE, CLOUD, PHISHING, ANDROID, WINDOWS, INITIAL ACCESS, TOOL, RUSSIA