Friday, February 21, 2025

Caution Raised on Encrypted Message Privacy as Russia Aims at Signal Messenger

Russia-backed hackers have found ways to breach encrypted messaging apps like Signal, WhatsApp, and Telegram, putting journalists, politicians, and activists at risk. Google’s Threat Intelligence Group reported a surge in attacks targeting Signal Messenger accounts to tap into sensitive communications related to the war in Ukraine.

Analysts warn it’s only a matter of time before these tactics extend beyond military targets to civilians using encrypted messaging services. Dan Black from Google Cloud’s Mandiant division expressed concern, stating he’d be surprised if attacks on Signal didn’t broaden to include other platforms soon. He noted that Russia often leads in cyber attacks, implying that other nations like Iran, China, and North Korea may follow suit.

This alert comes amid revelations that Russian intelligence set up a fake website for the Davos World Economic Forum in January 2025, aiming to infiltrate WhatsApp accounts of Ukrainian officials, diplomats, and journalists.

Russia’s hackers are focusing on Signal’s “linked devices” feature, which lets users connect their accounts to multiple devices by scanning QR codes. Google’s findings show that these hackers have created malicious QR codes that, when scanned, link the victim’s account to a device the attackers control, giving them real-time access to the victim’s messages without needing to compromise the victim’s own device directly. In one instance, a compromised Signal account reportedly led to a deadly artillery strike against a Ukrainian brigade.

The attackers have been disguising malicious content as legitimate Signal group invitations or instructions for device pairing. In targeted phishing attacks, they’ve used fake websites imitating legitimate applications to embed these harmful QR codes.

The Sandworm group, tied to Russian military intelligence, has been capturing battlefield phones to gain access to Signal accounts. Google researchers identified a Russian-language site providing instructions for pairing Signal or Telegram accounts with systems controlled by this group. This suggests a deliberate effort to use captured mobile devices to transmit intelligence back to the Russian military.

Once an account is compromised in this way, the compromise might remain unnoticed for long periods. Google has spotted another group, UNC5792, using altered genuine Signal invite pages to link victims’ accounts to devices the hackers control, allowing them to read private messages. Other hackers have created a “phishing kit” designed to mimic known warning alerts from Signal, collecting account information and location data from victims.

Google noted that threats against Signal extend to compromises of the app’s local message databases as well. In 2023, the UK’s National Cyber Security Centre warned that Sandworm had deployed malware, Infamous Chisel, capable of scanning Android devices for Signal and other messaging apps and packaging that data for exfiltration.

APT44 uses scripts to regularly query Signal’s local databases and extract recent messages. Turla, another Russian hacking group, employs PowerShell scripts for similar exfiltration of messages from Signal Desktop, while a Belarusian group, UNC1151, has used command-line utilities to harvest message directories.

Google has raised alarms about the persistent threats to secure messaging services and anticipates an increase in such attacks. They emphasize the rising demand for cyber capabilities that monitor sensitive communications among users of these apps.

Attackers rely not only on phishing; they also gain access by abusing legitimate functions, and by other means such as breaking passwords. Black pointed out how concerning it is that they exploit Signal’s own features instead of trying to break the app’s encryption.

Beyond Signal, Russian hacking groups have shifted their tactics against other messaging platforms like WhatsApp and Telegram. A group connected to Russia’s FSB has ramped up social engineering attacks targeting MPs and individuals involved in supporting Ukraine.

In response to these threats, Signal has enhanced its security measures. Josh Lund, a senior technologist at Signal, noted that updates have been made to alert users about potential unauthorized access attempts. They’ve revamped their interface to emphasize new-device link alerts and added extra authentication steps for linking devices. When a new device is connected, the primary device immediately notifies the user, enabling swift action against any unauthorized link. Black recommends that users create groups directly rather than relying on external invitation links, reinforcing the importance of cautious online behavior.