Russian hackers exploit Signal’s "Linked Devices" to hijack accounts via QR phis...
In a chilling revelation, cybersecurity researchers have uncovered a sophisticated espionage campaign orchestrated by Russian state-aligned hackers exploiting one of the world’s most trusted encrypted messaging apps: **Signal**. A bombshell report from Google’s Threat Intelligence Group (GTIG) details how Kremlin-backed threat actors weaponized Signal’s “Linked Devices” feature to hijack accounts, monitor private conversations, and steal sensitive data—all without breaking the app’s encryption.
### **QR Code Trap: Phishing in Plain Sight**
The attacks hinge on a deviously simple trick: **malicious QR codes**. Russian operatives, including the notorious Sandworm group (aka APT44), crafted fake invites, security alerts, and even military-grade software updates to dupe victims into scanning these codes. Once scanned, the QR code links the victim’s Signal account to a device controlled by the attacker, granting real-time access to messages, media, and contacts.
_“This is the most novel and widely used technique in Russian-aligned attempts to compromise Signal accounts,”_ GTIG warned. The hackers tailored their approach based on the target:
- **Broad campaigns** used fake Signal group invites or spoofed device-pairing instructions.
- **Targeted attacks** lured victims with phishing pages mimicking specialized tools, such as Ukrainian military software.
In one alarming case, Sandworm exploited devices captured on the **battlefield in Ukraine**, linking the soldiers’ Signal accounts to Russian-controlled hardware so that battlefield communications could be intercepted.
### **Fake Group Chats, Real Spy Ops**
GTIG exposed a Russian hacking collective, tracked as [UNC5792](https://cert.gov.ua/article/6278735), that created near-perfect replicas of Signal group invite pages. These pages, hosted on attacker-controlled servers, replaced legitimate “join group” links with code forcing victims to link their account to a hacker’s device.
_“The fake invitations were indistinguishable from real ones,”_ researchers noted. When users clicked “accept,” they unknowingly handed over their Signal data to Russian spies. This group has ties to UAC-0195, a threat actor previously caught targeting **WhatsApp** accounts of diplomats and officials.
### **Ukrainian Military in Crosshairs: The Kropyva Deception**
Another Russia-linked group, UNC4221 (UAC-0185), targeted Ukrainian soldiers with a custom phishing kit impersonating **Kropyva**—a critical app used by Ukraine’s military for artillery guidance and minefield mapping. Hackers created a fake Signal verification page (*signal-confirm[.]site*) to mask the device-linking scam, while QR codes distributed via phishing emails synced victims’ accounts to Russian servers.
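Both the fake group-invite pages and the fake Kropyva "verification" page above rely on the same substitution: a flow that promises to join a group or verify an app instead delivers a device-linking payload. The following triage helper is an added example written for this article (not code from GTIG, Signal, or the report) that labels a decoded QR payload or link by what scanning it would actually do, so a mismatch between the promised action and the payload can be flagged before anyone pairs a device. It assumes Signal's device-linking QR decodes to an `sgnl://linkdevice?uuid=...&pub_key=...` URI, that group invites use `https://signal.group/#<token>`, and that the set of official Signal domains listed in the code is correct; the sample payloads are constructed placeholders.

```python
from urllib.parse import urlparse, parse_qs

# Assumed link shapes (not taken from the article): Signal's device-linking QR
# decodes to sgnl://linkdevice?uuid=<device-uuid>&pub_key=<key>, while group
# invites are https://signal.group/#<invite-token>. The set of hosts treated as
# official below is also an assumption made for this demo.
OFFICIAL_SIGNAL_HOSTS = {"signal.org", "signal.group", "signal.me", "signal.link", "signal.art"}


def classify(payload: str) -> str:
    """Label a decoded QR payload or link by what scanning it would do."""
    u = urlparse(payload.strip())
    host = (u.hostname or "").lower()
    if u.scheme == "sgnl" and host == "linkdevice":
        q = parse_qs(u.query)
        if "uuid" in q and "pub_key" in q:
            return "DEVICE_LINK"         # pairs your account with a new device
        return "DEVICE_LINK_MALFORMED"
    if u.scheme == "https" and host == "signal.group" and u.fragment:
        return "GROUP_INVITE"            # an ordinary join-group link
    if "signal" in host and host not in OFFICIAL_SIGNAL_HOSTS:
        return "LOOKALIKE_DOMAIN"        # e.g. a spoofed "verification" page
    return "OTHER"


def is_suspicious(payload: str, expected: str) -> bool:
    """True when the payload's effect does not match what the page promised."""
    label = classify(payload)
    if expected == "group_invite":
        # A "join group" flow must never hand you a device-linking payload.
        return label != "GROUP_INVITE"
    if expected == "device_link":
        # Only acceptable when you yourself started linking a device.
        return label != "DEVICE_LINK"
    return label in {"DEVICE_LINK", "DEVICE_LINK_MALFORMED", "LOOKALIKE_DOMAIN"}


# Constructed sample payloads; the uuid and key are placeholders, not real values.
SAMPLES = {
    "group_invite": "https://signal.group/#CjQKIPLACEHOLDERTOKEN",
    "device_link": "sgnl://linkdevice?uuid=00000000-0000-4000-8000-000000000000&pub_key=PLACEHOLDER",
    "lookalike": "https://signal-confirm.site/verify",
}

if __name__ == "__main__":
    for name, p in SAMPLES.items():
        print(f"{name:12} -> {classify(p):18} suspicious_as_group_invite={is_suspicious(p, 'group_invite')}")
```

The same check can be run over links extracted from phishing e-mails or web pages: anything that would pair a device while the surrounding page talks about joining a group or "verifying" an app is the pattern this campaign used.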
### **How Hackers Cover Their Tracks**
Once linked, attackers used tools like **Infamous Chisel malware**, PowerShell scripts, and the **WAVESIGN batch script** to quietly extract Signal message databases from Android and Windows devices. GTIG warns that these breaches can go undetected for months, as Signal lacks tools to monitor unauthorized linked devices.
_“The risk of prolonged compromise is extremely high,”_ researchers stressed.
### **Global Implications: Beyond Signal**
The report highlights a broader Russian obsession with encrypted messaging apps. The **Coldriver** campaign, for example, recently targeted diplomats via WhatsApp. But Signal’s open-source framework and “Linked Devices” feature made it uniquely vulnerable to this phishing tactic.
### **How to Protect Yourself**
GTIG and Signal urge users to:
1. **Update Signal immediately** (new patches block known phishing methods).
2. **Enable two-factor authentication** (prevents device linking without a PIN).
3. **Audit linked devices** regularly and remove unfamiliar ones.
4. **Never scan suspicious QR codes**—especially from unverified sources.
### **Encryption Isn’t Enough**
This campaign exposes a harsh truth: even the most secure apps can be undermined by human error. As Russian hackers refine their social engineering tactics, the line between digital safety and catastrophe grows thinner. For high-risk users—journalists, soldiers, diplomats—the stakes have never been higher.