Russian State-Backed Hackers Intensify Attacks on Signal Messenger Accounts

Russian state-sponsored hackers are intensifying efforts to compromise Signal messenger accounts, focusing on Ukrainian military personnel and government officials. Through phishing attacks and the abuse of Signal's own features, these cyber espionage activities aim to intercept sensitive communications.

Affected: Signal messenger, Ukrainian military, government officials

Key points:

  • Russian hackers are targeting Signal accounts of Ukrainian military and government officials.
  • The attacks are part of a broader Russian espionage campaign related to the war in Ukraine.
  • Phishing attacks are the primary method used to compromise Signal accounts.
  • Signal’s “linked devices” feature is exploited to monitor communications across multiple devices.
  • Malicious QR codes are crafted to link devices to attacker-controlled accounts.
  • Russian hackers disguise malicious QR codes within trusted communications.
  • Key Russian state actors involved include Sandworm, UNC4221, and UNC5792.
  • Signal’s database is targeted to extract messages from users’ accounts.
  • Signal has issued updates to enhance security and prevent unauthorized linking of devices.
  • Individuals are advised to verify QR codes, update Signal regularly, and use multi-factor authentication.

MITRE Techniques:

  • Tactic: Credential Access (T1078) – Procedure: Phishing attacks commonly deliver malware aimed at compromising Signal accounts.
  • Tactic: Credential Access (T1071) – Procedure: Exploitation of Signal’s “linked devices” feature to access sensitive communications.
  • Tactic: Command and Control (T1071) – Procedure: Use of malicious QR codes to link devices, allowing real-time message interception.
  • Tactic: Exfiltration (T1041) – Procedure: Sandworm deploys Wavesign malware to extract Signal messages from databases.
  • Tactic: Exfiltration (T1041) – Procedure: Use of Turla’s PowerShell script to exfiltrate data from Signal’s desktop version.

Full Story: https://thecyberexpress.com/signal-attacks-russian-fackers-target/