Russian state hackers spy on Ukrainian military through Signal app
Russian state-backed hackers are increasingly targeting Signal messenger accounts — including those used by Ukrainian military personnel and government officials — in an effort to access sensitive information that could aid Moscow’s war effort, researchers warn.
Google’s security team said in a report on Wednesday that Signal’s popularity among military personnel, politicians, journalists and activists has made it a prime target for espionage operations. Signal is not the only target: other messaging apps, such as WhatsApp and Telegram, have also been targeted by pro-Russian hackers for similar purposes.
Ukrainian state cybersecurity officials have previously warned that Russian hacker groups actively exploit Signal to attack government and defense officials. In these attacks, hackers typically use phishing messages to infect targeted devices with spying malware.
Google has observed similar techniques used by Russian threat actors in attacks on Ukrainian Signal users.
The most novel and widely used technique, according to Google, involves abusing Signal’s legitimate “linked devices” feature, which allows the app to be used on multiple devices simultaneously.
In these operations, hackers craft malicious QR codes of the kind Signal uses to link an additional device. When scanned, the code links the victim’s account to a device controlled by the attacker, so that future messages are delivered in real time to both the victim and the threat actor.
Russian hackers typically distribute these malicious QR codes remotely, disguising them as legitimate Signal group invites or security alerts, or embedding them in phishing pages that imitate websites used by the Ukrainian military.
However, Google has also discovered a campaign in which the notorious Russian threat actor Sandworm assisted Russian military forces in linking Signal accounts from captured battlefield devices to their own systems for further exploitation.
Another Russian threat actor, tracked as UNC4221, developed a tailored Signal phishing kit that mimics the Kropyva application used by the Ukrainian armed forces for artillery guidance. According to Google, in these attacks, UNC4221 also deployed a JavaScript payload, known as Pinpoint, to collect basic user information and geolocation data.
“We expect secure messages and location data to frequently feature as joint targets in future operations of this nature, particularly in the context of targeted surveillance operations or support for conventional military operations,” the researchers said.
In addition to linking hacker-controlled devices to victims’ Signal accounts, multiple well-established regional threat actors have also been stealing Signal database files from Android and Windows devices.
Sandworm, for example, deployed Wavesign malware to exfiltrate messages from a victim’s Signal database. Another Russian threat actor, Turla, has used a PowerShell script to exfiltrate Signal desktop messages.
Google said that while these recent attacks were likely driven by wartime demands to access sensitive government and military communications in the context of Russia’s invasion of Ukraine, researchers expect attacks on Signal to grow and spread to additional threat actors and regions.
“There appears to be a clear and growing demand for offensive cyber capabilities that can be used to monitor the sensitive communications of individuals who rely on secure messaging applications to safeguard their online activity,” researchers added.
Google noted that Signal is assisting in investigating malicious activity targeting its users. The latest Signal releases for Android and iOS, for example, contain enhanced security features designed to help protect against similar phishing campaigns in the future, researchers said.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.