Russia has been targeting the Signal messenger app.

Russian intelligence services targeting Signal messenger

Russian actors associated with the GRU, Russia’s military intelligence organisation, have been using a variety of phishing techniques to gain access to the Signal messenger accounts of personnel in the Armed Forces of Ukraine (AFU), amongst others, according to a threat intelligence report published by Google’s Threat Intelligence Group (GTIG) on the 19th of February. 

The group notes that Russia has likely increased its efforts to compromise Signal in light of the application’s use by Ukraine to coordinate and communicate at all levels, but that the tools and techniques used have wider applicability. 

Malicious codes


Phishing page crafted to appear as a Signal security alert hosted on UNC4221-controlled domain signal-protect[.]host. Credit: Google Threat Intelligence Team.

One technique used by the Russian cyber groups abuses Signal’s device linking capability. For those unfamiliar with the app, it is relatively straightforward to link the Signal app on your phone with a laptop or other device: Signal generates a QR code on the new device, you scan it with your phone, and the two are linked. The identified actors have generated malicious QR codes that, when scanned, link the phone not only to the intended new device but also to the threat actor’s device. All messages sent after that point are duplicated on the legitimate laptop as well as the hostile one. 

Russian groups have approached delivery of these codes in a number of ways. In some cases the QR codes have been disguised as legitimate Signal resources such as group invites, security alerts, or pairing requests. In others, they have deliberately embedded malicious QR codes in phishing pages designed to mimic those of specialised applications used by Ukraine. 

More sinisterly, the Sandworm group, which is known by the designation APT44 (advanced persistent threat 44) and is widely accepted to be an element within the GRU, has worked with frontline Russian forces to link captured AFU devices back to Russian infrastructure for exploitation. GTIG notes that this concept of operations provided: 

“A low-signature form of initial access due to the lack of centralized, technology-driven detections and defenses that can be used to monitor for account compromise via newly linked devices; when successful, there is a high risk that a compromise can go unnoticed for extended periods of time.”

Targeting fire control


UNC4221 phishing page mimicking the networking component of Kropyva, hosted at “teneta.add-group[.]site”. The page invites the user to “Sign in to Signal” (Ukrainian: “Авторизуватись у Signal”), which in turn displays a QR code linked to a UNC4221-controlled Signal instance. Credit: Google Threat Intelligence Team

In 2014 and 2015, as Ukraine’s forces resisted the strain of Russia’s first invasion, the AFU began to use a new app to coordinate artillery fire. It was developed in 2013 by a Ukrainian officer called Yaroslav Sherstuk, who proudly told local media outlets that it was used by as many as 9,000 Ukrainian soldiers. The app sped up the process of generating firing coordinates for the old D-30 towed howitzers used by the AFU at the time. However, it was later revealed that the Russian group known as Fancy Bear (APT28) had developed a malicious version of the app, which was also downloaded by Ukrainian soldiers and used to track their movements. In some cases, it appears that the batteries were engaged with the help of this malware. 

It now seems that the Russians have tried a similar approach with Kropyva, the software tool now used by Ukraine to coordinate and manage its artillery fire missions. According to the GTIG report, the group known as UNC4221 has developed a Signal phishing kit designed to mimic elements of Kropyva. The group used several means to gain access to user devices: fake websites masquerading as Kropyva with device-linking codes built into them, phishing pages designed to look like Signal security alerts, and phishing pages linked to other phishing infrastructure carrying device-linking codes. 
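As an added example (not code from the GTIG report or this article), the sketch below shows the kind of proxy-log check a defender might run against the two domains the report names and against any domain that borrows the Signal brand without belonging to Signal. The allow-list of genuine Signal domains, the log format and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Domains the GTIG report attributes to UNC4221, defanged exactly as on the page.
REPORTED_IOCS = ["signal-protect[.]host", "teneta.add-group[.]site"]

# Assumption: a short allow-list of genuine Signal domains maintained by the defender.
SIGNAL_DOMAINS = {"signal.org", "signal.art", "signal.me"}


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'signal-protect[.]host' into a matchable hostname."""
    return domain.replace("[.]", ".").lower()


def impersonates_signal(host: str) -> bool:
    """True when a host carries the 'signal' brand but is not a real Signal domain."""
    host = host.lower().rstrip(".")
    if host in SIGNAL_DOMAINS or any(host.endswith("." + d) for d in SIGNAL_DOMAINS):
        return False
    # Strip separators so 'sig-nal' style padding does not hide the brand token.
    return "signal" in host.replace("-", "").replace("_", "")


def flag_requests(log_lines, iocs=REPORTED_IOCS):
    """Return (host, reason) for each proxy log line that warrants analyst attention."""
    ioc_set = {refang(d) for d in iocs}
    hits = []
    for line in log_lines:
        match = re.search(r"\s(https?://\S+)", line)
        if not match:
            continue
        host = urlsplit(match.group(1)).hostname or ""
        if host in ioc_set:
            hits.append((host, "matches reported UNC4221 infrastructure"))
        elif impersonates_signal(host):
            hits.append((host, "Signal brand impersonation"))
    return hits


# Constructed sample proxy log lines (not real traffic).
SAMPLE_LOG = [
    "2025-02-20T09:01:12Z 10.0.0.7 GET https://signal.org/download/ 200",
    "2025-02-20T09:03:44Z 10.0.0.7 GET https://signal-protect.host/alert 200",
    "2025-02-20T09:05:02Z 10.0.0.9 GET https://teneta.add-group.site/login 200",
    "2025-02-20T09:07:30Z 10.0.0.9 GET https://secure-signal-login.example/qr 200",
    "2025-02-20T09:08:15Z 10.0.0.7 GET https://updates.signal.org/desktop 200",
]

if __name__ == "__main__":
    for host, reason in flag_requests(SAMPLE_LOG):
        print(f"{host}: {reason}")
```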

“Notably, as a core component of its Signal targeting, UNC4221 has also used a lightweight JavaScript payload tracked as PINPOINT to collect basic user information and geolocation data using the browser’s GeoLocation API,” the GTIG report states. It adds that this is expected to be a core feature of future targeting of military devices and targeted surveillance. 

The report further notes that these activities, and the others that it covers, appear to be a part of a growing demand for offensive cyber capabilities that can be used to target secure messaging apps. 

Calibre comment 

Personal electronic devices have long been a concern for militaries deploying on operations. At a basic level, their signals can be tracked and monitored, as happened to Ukrainian troops in 2015 through Russia’s Leer-3 electronic warfare system. The signals emitted by a phone can be used to monitor the user’s location with a relatively high degree of accuracy and with a few hours’ latency. Moreover, phones represent an operational security concern. Analysts monitoring Russia’s force build-up in the months before the invasion in 2022 were able to tell a lot about their movements from unapproved posts on social media accounts. The presence of Russian soldiers in Belarus was even confirmed through dating apps like Tinder. The costs of poor operational security at the frontlines appear to be known to the Russians and Ukrainians; there are many images of phones nailed to trees, emphasising the need for strict emissions control. However, this latest report from Google indicates that devices far from the frontline are also at risk, and potentially more valuable to an intelligence organisation than those of soldiers coordinating tactical fire missions. 
