Russia-backed hacking groups have developed techniques to compromise encrypted messaging services, including Signal, WhatsApp and Telegram, placing journalists, politicians and activists of interest to the Russian intelligence service at potential risk.
Google Threat Intelligence Group disclosed today that Russia-backed hackers had stepped up attacks on Signal Messenger accounts to access sensitive government and military communications relating to the war in Ukraine.
Analysts predict it is only a matter of time before Russia starts deploying hacking techniques against non-military Signal users and users of other encrypted messaging services, including WhatsApp and Telegram.
Dan Black, manager of cyber espionage analysis at Google Cloud’s Mandiant division, said he would be “absolutely shocked” if he did not see attacks against Signal expand beyond the war in Ukraine and to other encrypted messaging platforms.
He said Russia was frequently a “first mover” in cyber attacks, and that it would only be a matter of time before other countries, such as Iran, China and North Korea, were using exploits to attack the encrypted messages of subjects of intelligence interest.
The warning follows disclosures that Russian intelligence created a spoof website for the Davos World Economic Forum in January 2025 to surreptitiously attempt to gain access to WhatsApp accounts used by Ukrainian government officials, diplomats and a former investigative journalist at Bellingcat.
Linked devices targeted
Russia-backed hackers are attempting to compromise Signal’s “linked devices” capability, which allows Signal users to link their messaging account to multiple devices, including phones and laptops, using a quick response (QR) code.
Google threat analysts report that Russia-linked threat actors have developed malicious QR codes that, when scanned, will give the threat actor real-time access to the victim’s messages without having to compromise the victim’s phone or computer.
In one case, according to Black, a compromised Signal account led Russia to launch an artillery strike against a Ukrainian army brigade, resulting in a number of casualties.
Russia-backed groups have been observed disguising malicious codes as invites for Signal group discussions or as legitimate device pairing instructions from the Signal website.
In some targeted spear phishing attacks, Russia-linked hackers have also embedded malicious QR codes in phishing websites designed to mimic specialist applications used by victims of the attack.
Russia-compromised Signal found on battlefield phones
The Russia-linked Sandworm group, also known as APT44, which is linked to the General Staff of the Armed Forces of the Russian Federation, has worked with Russian military forces in Ukraine to compromise Signal accounts on phones and computers captured on the battlefield.
Google’s Mandiant researchers identified a Russian language website giving instructions to Russian speakers on how to pair Signal or Telegram accounts with infrastructure controlled by APT44.
“The extrapolation is that this is being provisioned to Russian forces to be able to deploy captured devices on the battlefield and send back the communications to the GRU to be exploited,” Black told Computer Weekly.
Russia is believed to have fed the intercepted Signal communications back to a “data lake” to analyse the content of large numbers of Signal communications for battlefield intelligence.
Compromise likely to go undetected
The attacks, which are based on exploiting Signal’s device linking capability, are difficult to detect and when successful there is a high risk that compromised Signal accounts can go unnoticed for a long time.
Google has identified another cluster of Russia-backed attackers, known as UNC5792, that has used modified versions of legitimate Signal group invite pages which link the victim’s Signal account to a device controlled by the hacking group, enabling the group to read and access the target’s Signal messages.
Other Russia-linked threat actors have developed a Signal “phishing kit” designed to mimic components of the Kropyva artillery guidance software used by the Ukrainian military. The hacking group, known as UNC4221, previously used malicious web pages designed to mimic legitimate security alerts from Signal.
The group has also used a lightweight JavaScript payload, known as Pinpoint, to collect basic user information and geolocation data from web browsers.
Google has warned that the combination of access to secure messages and location data of victims are likely to be used to underpin targeted surveillance operations or to support conventional military operations in Ukraine.
Signal databases attacked on Android
Google also warned that multiple threat actors have been observed using exploits to steal Signal database files from compromised Android and Windows devices.
In 2023, the UK’s National Cyber Security Centre and the Security Service of Ukraine warned that the Sandworm hacking group had deployed Android malware, known as Infamous Chisel, to search for messaging applications, including Signal, on Android devices.
The malware is able to scan infected devices for WhatsApp messages, Discord messages, geolocation information and other data of interest to Russian intelligence. It is able to identify Signal and other messages and “package them” in unencrypted form for exfiltration.
APT44 operates a lightweight Windows batch script, known as WaveSign, to periodically query signal messages from a victim’s Signal database and to exfiltrate the most recent messages.
Russian threat actor Turla, which has been attributed by the US and the UK to the Russian Federal Security Service, has used a lightweight Powershell script to exfiltrate Signal desktop messages.
And in Belarus, an ally of Russia, a hacking group designated as UNC1151 has used a command-line utility, known as Robocopy, to line up the contents of file directories used by Signal desktop to store messages and attachments for later exfiltration.
Encrypted messaging services under threat
Google has warned that attempts by multiple threat actors to target Signal serve as a warning for the growing threat to secure messaging services and that attacks are certain to intensify in the near-term future.
“There appears to be a clear and growing demand for offensive cyber capabilities that can be used to monitor the sensitive communications of individuals who rely on secure messaging applications to safeguard their online activity,” it said.
Attacks exploit ‘legitimate function’
Users of encrypted communications are not just at risk from phishing and malware attacks, but also from the capability of threat actors to secure access to a target’s device – for example, by breaking the password.
Black said it was insidious that Russian attackers were using a “legitimate function” in Signal to gain access to confidential communications, rather than compromising victims’ phones or breaking the encryption of the app.
“A lot of audiences who are using signal to have sensitive communications need to think about the risk of pairing their device to a second device,” he said.
Signal and Telegram targeted
Russia-aligned groups have also targeted other widely used messaging platforms, including Signal and Telegram.
A Russian hacking group linked to Russia’s FSB intelligence service, known variously as Coldriver, Seaborgium, Callisto and Star Blizzard, shifted its tactics in late 2024 to launch social engineering attacks on people using WhatsApp encrypted messaging.
The group targets MPs, people involved in governments or diplomacy, research and defence policy, and organisations or individuals supporting Ukraine.
As exposed by Computer Weekly in 2022, Star Blizzard previously hacked, compromised and leaked emails and documents belonging to a former head of MI6, alongside other members of a secretive right-wing network devoted to campaigning for an extreme hard Brexit.
Scottish National Party MP Stewart McDonald was another victim of the group. Left wing Freelance journalist Paul Mason, who has frequently criticised Putin’s war against Ukraine, was also targeted by the group and his emails leaked to the Greyzone, a pro-Russian publication in the US.
Academics from the universities of Bristol, Cambridge and Edinburgh, including the late Ross Anderson, professor of security engineering, first published researched in 2023 warning that the desktop versions of Signal and WhatsApp could be compromised if accessed by a border guard or an intimate partner, enabling them to read all future messages.
Signal hardens security
Signal has taken steps to improve the security of its pairing function to alert users to possible attempts to gain access to their accounts through social engineering tactics, following Google’s findings.
Josh Lund, senior technologist at Signal, said the organisation had introduced a number of updates to mitigate potential social engineering and phishing attacks before it was approached by Google.
“Google Threat Intelligence Group provided us with additional information, and we introduced further improvements based on their feedback. We are grateful for their help and close collaboration,” he told Computer Weekly.
Signal has since made further improvements, including overhauling the interface to provide additional alerts when someone links a new device.
It has also introduced additional authentication steps to prevent anyone other than the owner of the primary device from adding a new linked device. When any new device is linked to a Signal account, the primary device will automatically receive a notification, allowing users to quickly review and remove any unknown or unwanted linked devices.
Dan Black advised people the Signal app to think carefully before accepting links to group chats.
“If it’s a contact you know, just create the group yourself directly. Don’t use external links to do things that you can do directly using the messaging application’s features,” he said.
Read more about Russian attacks on Signal on Dan Black’s blog post.
