Source: www.csoonline.com
News Analysis | 19 Feb 2025 | 8 mins
Topics: Advanced Persistent Threats, Communications Security, Messaging Security
Russian APTs send users fake Signal group chat invites with specifically crafted links or QR codes that instead authorize rogue devices to their accounts in order to spy on future communications
Russian advanced persistent threat (APT) groups are increasingly launching phishing attacks aimed at tricking users of the Signal messaging app into giving attacker-controlled devices access to their accounts and the encrypted communications within. The attacks typically masquerade as Signal group chat invites that, in reality, abuse the device linking functionality.
“Signal’s popularity among common targets of surveillance and espionage activity — such as military personnel, politicians, journalists, activists, and other at-risk communities — has positioned the secure messaging application as a high-value target for adversaries seeking to intercept sensitive information that could fulfill a range of different intelligence requirements,” researchers from Google’s Threat Intelligence Group said in a new report.
“More broadly, this threat also extends to other popular messaging applications such as WhatsApp and Telegram, which are also being actively targeted by Russian-aligned threat groups using similar techniques.”
While many of the attacks observed so far have primarily focused on Ukraine-related targets, the Google researchers expect other threat groups to adopt similar techniques in the future, especially since other secure messaging apps have similar device-linking features. The Signal team added features in the latest releases to help protect against such attacks, so users are advised to update to the latest version as soon as possible.
Attack on Signal employs device linking as a backdoor
Signal is an open-source messaging application that uses end-to-end encryption (E2EE) for text messages as well as voice and video calls. The Signal developers are widely viewed as pioneers in the E2EE space: their Signal cryptographic protocol, which has been independently audited by academic researchers, has been adopted by other apps over the years, including Meta’s WhatsApp, Google Allo (discontinued), Google Messages, and Microsoft’s Skype (in private conversations mode).
The security audits, the code quality, and the open-source nature of both the app and the protocol have earned Signal the trust of many security researchers, journalists, political activists, politicians, military personnel, and of course, criminal groups. This has made the app a target for oppressive governments, law enforcement agencies, commercial surveillance companies, and intelligence agencies.
The use of end-to-end encryption implies that communications between two devices are encrypted with keys exchanged by the devices directly, meaning messages are always protected from the sender to the recipient even if they pass through central servers that act as relays. This means that a server might know that user A sent a message to user B, but not what the message said.
This makes some features, such as group chats or synchronizing chats across multiple devices, harder to achieve in a fully E2EE implementation, because a user’s secondary device is technically another “end” in a multi-peer encrypted conversation and must hold its own keys. The Signal developers came up with solutions to these problems.
QR codes provide a means of phishing Signal users
These features now work by scanning QR codes that contain the cryptographic information needed to exchange keys between different devices in a group or to authorize a new device to an account. The QR codes are actually representations of special links that the Signal application knows how to process via the sgnl:// URI protocol handler.
Since attackers know that users are accustomed to scanning QR codes or clicking buttons to join group chats, they have devised phishing pages that mimic that experience but use it to link rogue devices to the victim’s account instead. Rogue device linking gives attackers an easier way to read Signal messages than remotely compromising an Android or iOS device, which would likely require a rare and expensive root-level exploit.
“One suspected Russian espionage cluster tracked as UNC5792 (which partially overlaps with CERT-UA’s UAC-0195) has altered legitimate ‘group invite’ pages, replacing the expected redirection to a Signal group with a redirection to a malicious URL crafted to link an actor-controlled device to the victim’s Signal account,” the Google researchers said.
The phishing page masquerades as the official Signal website and shows a “Join Group” button, but the JavaScript behind the button redirects the browser window to a sgnl://linkdevice?uuid=[data] link. Because the Signal app is the registered protocol handler for sgnl:// URIs, the link is handed to the app, which treats it as a request to authorize a new linked device on the account.
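The distinction that matters for a defender or a phishing-page analyst is the host behind the sgnl:// scheme: a genuine group invite points at signal.group, while a device-linking request points at linkdevice. The following Python is an added triage example, not code from the article or from Signal; it assumes that legitimate group links use https://signal.group/#… or sgnl://signal.group/#… (the signal.group host is an assumption, as is the exact set of link forms), and the page snippet and UUID value are constructed placeholders.

```python
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample of link targets as they might be pulled from a suspect
# "group invite" page (href attributes and a window.location assignment).
# The group-invite data and UUID are placeholders, not real values.
CONSTRUCTED_PAGE = """
<a id="join" href="https://signal.group/#CjQKIPLACEHOLDERGROUPDATA">Join Group</a>
<script>document.getElementById('join').onclick = function () {
  window.location = 'sgnl://linkdevice?uuid=PLACEHOLDER-UUID'; };</script>
"""

# Matches Signal deep links in either the sgnl:// scheme or the https group-link form.
SIGNAL_LINK_RE = re.compile(r"(?:sgnl://|https://signal\.group/)[^\s'\"<>]+")


def classify_signal_link(uri: str) -> str:
    """Return 'group_invite', 'device_link' or 'other' for one link target.

    Assumption: group invites resolve to the signal.group host, whereas the
    device-linking flow the article describes uses the linkdevice host.
    """
    parts = urlsplit(uri.strip())
    host = parts.netloc.lower()
    if parts.scheme in ("https", "sgnl") and host == "signal.group":
        return "group_invite"
    if parts.scheme == "sgnl" and host == "linkdevice":
        return "device_link"
    return "other"


def audit_page(page_text: str) -> Dict[str, object]:
    """Extract every Signal link from page text and bucket it by kind.

    A page that advertises a group invite but carries any device-linking
    target is the pattern described in the report, so it is marked suspicious.
    """
    kinds: Dict[str, List[str]] = {"group_invite": [], "device_link": [], "other": []}
    for uri in SIGNAL_LINK_RE.findall(page_text):
        kinds[classify_signal_link(uri)].append(uri)
    verdict = "suspicious: device-link target present" if kinds["device_link"] else "no device-link targets"
    return {**kinds, "verdict": verdict}


if __name__ == "__main__":
    for key, value in audit_page(CONSTRUCTED_PAGE).items():
        print(f"{key}: {value}")
```

The visible href is a real-looking group link, so a reviewer who only hovers the button sees nothing wrong; the audit catches the page because it inspects every link target in the markup and script, including the one assigned to window.location.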
Russian threat group targeting Ukrainian military personnel
Another Russian threat group that Google tracks as UNC4221 and Ukrainian CERT tracks as UAC-0185 is using a Signal phishing kit that mimics components of an artillery guidance application called Kropyva that was developed by the Ukrainian armed forces.
This group is known for targeting Ukrainian military personnel and has used a range of tactics, including Kropyva-themed phishing sites with QR codes supposedly for joining Signal groups, phishing pages that mimicked security alerts from Signal itself, and Signal group invites sent from the compromised accounts of trusted contacts. All of these fake group invites performed rogue device linking instead.
“Notably, as a core component of its Signal targeting, UNC4221 has also used a lightweight JavaScript payload tracked as PINPOINT to collect basic user information and geolocation data using the browser’s GeoLocation API,” the Google researchers said. “In general, we expect to see secure messages and location data to frequently feature as joint targets in future operations of this nature, particularly in the context of targeted surveillance operations or support to conventional military operations.”
The researchers also noted efforts by Russian troops to link Signal accounts from devices captured on the battlefield to devices controlled by APT44, or Sandworm, a cyber team attributed to the Russian military intelligence service, the GRU. APT44 was also seen in the past deploying a Windows batch script dubbed WAVESIGN designed to collect and exfiltrate messages from the Signal Desktop app on compromised Windows computers.
Targeting desktop versions of Signal
Signal is primarily used as a mobile app, and account creation requires a mobile phone number, although since last year users can hide their phone numbers behind unique usernames to avoid having to share them with new contacts. Signal also has a desktop version for Windows, macOS, and Linux, and many users choose their computers as secondary devices linked to their accounts.
Until recently, linking a Windows or macOS computer to a Signal account did not transfer the chat history to the new device, but would allow any future messages to be received on both the desktop and mobile devices, creating message histories on both. This made desktop computers a target for Signal message collection.
In addition to APT44’s WAVESIGN script, the Google researchers noted Turla’s use of a PowerShell script to extract Signal Desktop messages. Turla is a cyberespionage team attributed to the Russian Federal Security Service, the FSB. A Belarus-linked threat actor tracked as UNC1151 was also observed using a command-line utility called Robocopy to exfiltrate Signal messages from Windows computers.
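The desktop collection tooling named above (the WAVESIGN batch script, Turla’s PowerShell script, and UNC1151’s use of Robocopy) shares one observable: a process other than Signal itself reading the Signal Desktop profile directory. The following Python is an added detection example, not code from the article or from any of the vendors mentioned; it assumes Signal Desktop on Windows keeps its profile under %APPDATA%\Signal and installs to %LOCALAPPDATA%\Programs\signal-desktop (both assumptions), and the process-creation events are constructed.

```python
import re
from typing import Dict, List, Optional

# Assumption (not from the article): Signal Desktop keeps its profile, including
# the message database, under %APPDATA%\Signal on Windows.
SIGNAL_PROFILE_RE = re.compile(r"\\AppData\\Roaming\\Signal(?:\\|\b)", re.IGNORECASE)

# Tooling the article names against Signal Desktop: a batch script (run by cmd.exe),
# PowerShell, and Robocopy. Any other non-Signal process touching the profile is
# still reported, at a lower severity.
COLLECTION_TOOLS = {"robocopy.exe", "powershell.exe", "cmd.exe"}

# Constructed process-creation events (fields modelled on a typical EDR/Sysmon
# ProcessCreate record); hostnames, users and paths are placeholders.
CONSTRUCTED_EVENTS: List[Dict[str, str]] = [
    {"host": "WS01", "image": r"C:\Users\alice\AppData\Local\Programs\signal-desktop\Signal.exe",
     "cmdline": r'"C:\Users\alice\AppData\Local\Programs\signal-desktop\Signal.exe"'},
    {"host": "WS01", "image": r"C:\Windows\System32\Robocopy.exe",
     "cmdline": r"Robocopy.exe C:\Users\alice\AppData\Roaming\Signal C:\Temp\s /E"},
    {"host": "WS02", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Users\bob\Documents\report.ps1"},
    {"host": "WS03", "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r'7z.exe a C:\Temp\a.7z "C:\Users\carol\AppData\Roaming\Signal\"'},
]


def triage_event(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding when a process other than Signal.exe references the profile dir."""
    if not SIGNAL_PROFILE_RE.search(event["cmdline"]):
        return None
    image_name = event["image"].rsplit("\\", 1)[-1].lower()
    if image_name == "signal.exe":
        return None  # the app opening its own profile is expected behaviour
    severity = "high" if image_name in COLLECTION_TOOLS else "medium"
    return {"host": event["host"], "image": image_name,
            "severity": severity, "cmdline": event["cmdline"]}


def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run triage_event over a batch of events and keep only the findings."""
    return [finding for finding in map(triage_event, events) if finding]


if __name__ == "__main__":
    for finding in triage(CONSTRUCTED_EVENTS):
        print(f"[{finding['severity']}] {finding['host']} {finding['image']}: {finding['cmdline']}")
```

The rule keys on the command line rather than the image name because the same collection can be done with any copy or archive tool; matching the profile path catches the Robocopy case from the article and the archiver case in the constructed data alike, while the image name only sets the severity.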
The threat of such attacks is even greater now since Signal recently introduced the ability to synchronize chat history for the past 45 days between old and newly linked devices.
“The operational emphasis on Signal from multiple threat actors in recent months serves as an important warning for the growing threat to secure messaging applications that is certain to intensify in the near-term future,” the Google researchers said.
“When placed in a wider context with other trends in the threat landscape, such as the growing commercial spyware industry and the surge of mobile malware variants being leveraged in active conflict zones, there appears to be a clear and growing demand for offensive cyber capabilities that can be used to monitor the sensitive communications of individuals who rely on secure messaging applications to safeguard their online activity.”
The Google report contains indicators of compromise for the observed campaigns as well as recommendations for users to protect their devices. Aside from installing security updates regularly and protecting their devices with long and complex passwords, users should regularly review the list of linked and authorized devices for their messaging apps and exercise caution when scanning QR codes shared under the guise of group invites or other required urgent actions.
Original Post url: https://www.csoonline.com/article/3828182/russian-cyberespionage-groups-target-signal-users-with-fake-group-invites.html
Category & Tags: Advanced Persistent Threats, Communications Security, Hacking, Messaging Security