

Ethical Hacking News

Russia-Backed Hackers Exploit Signal's Linked Devices Feature to Circumvent Encryption



  • Russia-backed hackers are trying to trick users into installing malicious software on their devices through fake QR codes that appear as group invites or security alerts.
  • The primary attack channel used is Signal's "linked devices" feature, which allows a user's account to be linked across multiple devices.
  • The threat can be mitigated by practicing good security hygiene, such as using complex passphrases, keeping devices up to date, and regularly checking linked device lists.
  • Russia-aligned hackers are collaborating with financially motivated cybercriminals who use "bulletproof" servers to resist law enforcement takedowns and obscure their identities.



    Signal, a popular encrypted messaging app and protocol, has been targeted by Russia-backed hackers who are attempting to manipulate its users into surreptitiously linking their devices. According to Google's Threat Intelligence Group, these hackers have been using QR codes linked to group invites or security alerts to trick users into installing malicious software on their devices.

    The primary attack channel being used by the hackers is Signal's "linked devices" feature, which allows one Signal account to be used on multiple devices, such as mobile devices, desktop computers, and tablets. This feature typically involves linking a user's device through a QR code prepared by Signal. However, malicious actors have been posting fake QR codes that appear to be group invites or security alerts, which when scanned, lead the victim's device to install malicious software designed to scrape their Signal database and transmit the data.

    Google notes that the latest versions of Signal include features designed to protect against these phishing campaigns, including improved authentication and stronger encryption. Nonetheless, the threat posed by Russia-aligned hacking groups remains a significant concern for users of the app.

    One such group, APT44, which is believed to be affiliated with Russia's military intelligence agency GRU, has been working to enable Russian invasion forces to link Signal accounts on devices captured on the battlefield for future exploitation. Furthermore, Google states that other methods used by APT44 and similar actors include malware on Windows and Android devices that searches out Signal databases and prepares messages for scraping and transmission.

    The Threat Intelligence post notes that while Signal is a known target for these types of attacks, the threat extends to other widely used messaging platforms as well. Microsoft recently reported on a campaign by Russia-aligned Star Blizzard to deploy a similar device-linking phishing attack against WhatsApp users engaged with Ukrainian topics.

    To defend against device-linking Signal hijacking, experts recommend good security hygiene, including implementing complex screen-locking passphrases, keeping devices up to date, regularly checking linked device lists in Signal or other apps, and being exceptionally wary of QR codes and group chat invites that were not requested.
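
    One way to apply the "be wary of QR codes" advice above is to check what a decoded QR code actually encodes before acting on it. This is an added example, not code from Google, Signal, or this site; it assumes (not stated on this page) that Signal device-linking requests are sgnl://linkdevice URIs and that genuine group invites are https://signal.group/# links, and the function names and sample payloads are constructed.

```python
from urllib.parse import unquote, urlsplit

# Assumptions (not from this page): a Signal device-linking request is a
# sgnl://linkdevice?... URI; a genuine group invite is https://signal.group/#...
LINK_MARKER = "sgnl://linkdevice"
GROUP_HOST = "signal.group"


def classify_qr_payload(payload: str) -> str:
    """Classify decoded QR text as 'device-link', 'group-invite' or 'other'."""
    text = payload.strip()
    # Undo up to three layers of percent-encoding so a linking URI hidden
    # inside a redirect parameter is still found.
    for _ in range(3):
        text = unquote(text)
    if LINK_MARKER in text.lower():
        return "device-link"
    try:
        parts = urlsplit(text)
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        return "other"
    if parts.scheme == "https" and (parts.hostname or "").lower() == GROUP_HOST:
        return "group-invite"
    return "other"


def review_qr(claimed_purpose: str, payload: str) -> str:
    """Compare what a lure claims the QR code does with what it encodes."""
    kind = classify_qr_payload(payload)
    if kind == "device-link" and claimed_purpose != "link my own device":
        return "BLOCK: code would link a new device to the account"
    if claimed_purpose == "group invite" and kind != "group-invite":
        return "WARN: not a Signal group invite link"
    return "OK"


# Constructed sample payloads (placeholder values, not real indicators).
SAMPLES = [
    ("group invite", "https://signal.group/#EXAMPLE-GROUP-TOKEN"),
    ("group invite", "sgnl://linkdevice?uuid=EXAMPLE&pub_key=EXAMPLE"),
    ("security alert",
     "https://alerts.example/r?to=sgnl%3A%2F%2Flinkdevice%3Fuuid%3DEXAMPLE"),
    ("group invite", "https://signal-groups.example/join"),
]

if __name__ == "__main__":
    for claimed, payload in SAMPLES:
        print(f"{claimed:15} {review_qr(claimed, payload)}")
```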

    The collaboration between Russia-linked hackers and financially motivated cybercriminals also warrants attention. Financially motivated hackers gain access to previously unavailable tools and rich targets, while nation-state actors can use "bulletproof" servers that resist law enforcement takedowns and obscure their identities within the larger crime world.

    In conclusion, Signal users must remain vigilant in protecting themselves against these types of threats. By following best practices for security hygiene and staying informed about emerging attacks, individuals can help mitigate the risks posed by Russia-backed hackers exploiting Signal's linked devices feature.

    Related Information:

  • https://arstechnica.com/information-technology/2025/02/russia-aligned-hackers-are-targeting-signal-users-with-device-linking-qr-codes/

  • https://thehackernews.com/2025/02/hackers-exploit-signals-linked-devices.html


  • Published: Wed Feb 19 17:57:45 2025 by llama3.2 3B Q4_K_M












