Russian Hackers Target Signal Messenger App
By Charles Leigh on March 7, 2025
Executive Summary
Russian state-sponsored hackers have been targeting the Signal messaging app. These groups target the accounts of Ukrainian military personnel and government officials through the “linked devices” feature to intercept the communications of Russia’s adversaries. Successful compromises could affect Russia’s war against Ukraine by giving access to battle plans and troop movements. The Signal Foundation has taken steps to increase its security and reduce these vulnerabilities.
Background
A man-in-the-middle (MITM) attack happens when an attacker secretly intercepts communication between two parties [2]. The attacker may eavesdrop on conversations between two people, two systems, or a person and a system. The main goal is to steal personal data, passwords, or financial details. Hackers can also manipulate communication to trick victims into taking harmful actions, such as changing credentials or making financial transactions. These attacks are often executed using phishing, fake Wi-Fi networks, or malicious software. MITM attacks pose a serious cybersecurity risk by compromising sensitive information without the victim’s knowledge. Protecting against MITM attacks requires strong encryption, secure connections, and user awareness to prevent unauthorized interception of data.
Google’s threat intelligence team recently released a report showing that the Russian-backed groups UNC5792, UNC4221, and Sandworm are targeting Signal [3]. The analysis also discusses efforts by the Star Blizzard (UNC4057) group to compromise WhatsApp accounts by abusing the linked devices feature [4]. These groups use a phishing technique that creates fake QR codes posing as Signal group invites. The illegitimate QR codes contain embedded JavaScript that allows the hackers to perform MITM attacks by joining the group or adding a rogue device.
Russia’s military has focused on Signal since 2023 because of its widespread use in the Ukrainian military. Ukrainian state cybersecurity officials warn that Russian hacker groups actively exploit Signal to attack government and defense officials [1]. Russia has recently increased these efforts significantly to gain a tactical advantage in the war. These attacks highlight the critical need for heightened cybersecurity measures, as Russian-backed hackers continue to exploit Signal’s security features to intercept sensitive military and private communications, posing a serious threat to national security and user privacy.
Impact
This attack is a serious cyberwarfare tactic that could jeopardize national security, individual privacy, and trust in encrypted communication tools. Some U.S. federal workers have been using the Signal messenger app for some time and have increased their use of it recently due to fears of global surveillance [5]. Governments and tech companies will need to improve security measures and raise awareness to prevent similar incidents.
Mitigation
Mitigation is necessary to prevent unauthorized access, phishing attacks, and surveillance as cyber threats evolve. There are several ways to secure a Signal account. Enabling Registration Lock prevents an attacker from re-registering your phone number with Signal on another device. Regularly checking the linked devices list and removing any device you do not recognize prevents unauthorized access from persisting. Not scanning suspicious QR codes or clicking unknown invite links hinders attackers from hijacking accounts. Keeping the app updated delivers the latest security patches against phishing and device-linking attacks. Using secure, private phone numbers and enabling two-factor authentication (2FA) on related accounts provides extra protection. Staying vigilant and implementing these controls can greatly reduce the risk of compromise.
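As an added illustration of the QR-code lure described under Background and the “do not scan suspicious QR codes” advice above (example code written for this page, not from the cited reports or from Signal): a small Python triage routine that classifies the text decoded from a QR code or invite link before anyone acts on it. It assumes Signal’s public link formats, group invites on https://signal.group/#... and device-linking requests as sgnl://linkdevice?uuid=...&pub_key=...; the sample payloads are constructed.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample payloads, standing in for text decoded from QR codes
# or pasted "group invite" links (not taken from the article or its sources).
SAMPLES = [
    "https://signal.group/#CjQKIExampleInviteTokenConstructedForDemo",
    "sgnl://linkdevice?uuid=11111111-2222-3333-4444-555555555555&pub_key=QUJDREVGRw",
    "https://signal-group.example/join#CjQK",
    "https://example.org/signal/invite",
]

# Hosts Signal itself uses for links (assumption based on the public clients).
LEGIT_HOSTS = {"signal.group", "signal.org", "signal.me"}


def classify_signal_link(text):
    """Return (kind, risk, reason) for one decoded QR/link string."""
    u = urlparse(text.strip())
    host = u.hostname or ""
    # A device-linking URI is the payload behind the "fake group invite" lure:
    # scanning it adds the attacker's device to the victim's account.
    if u.scheme == "sgnl" and host == "linkdevice":
        qs = parse_qs(u.query)
        if "uuid" in qs and "pub_key" in qs:
            return ("device_link", "high",
                    "links a new device to the account; future messages "
                    "would also be delivered to that device")
        return ("device_link", "high", "malformed device-linking URI")
    # A genuine group invite carries its token in the URL fragment.
    if u.scheme == "https" and host == "signal.group" and u.fragment:
        return ("group_invite", "low", "group invite link on signal.group")
    # Brand-impersonating hosts are a common phishing stepping stone.
    if "signal" in host and host not in LEGIT_HOSTS:
        return ("lookalike", "high", f"host {host!r} imitates Signal")
    if u.scheme in ("http", "https"):
        return ("other_url", "medium", "unrelated URL; possible redirector")
    return ("unknown", "medium", "unrecognised scheme")


def triage(payloads):
    """Return the payloads that must not be scanned or opened (risk high)."""
    return [p for p in payloads if classify_signal_link(p)[1] == "high"]


if __name__ == "__main__":
    for p in SAMPLES:
        print(classify_signal_link(p), p)
```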
Relevance
Cyber threats are evolving, and encrypted messaging apps like Signal are prime targets. This situation highlights the growing threats to digital privacy, particularly for users in high-risk environments such as journalists, activists, and government officials. The Signal breach underscores that even reputable apps are vulnerable. These attacks demonstrate how cybercriminals and state-backed groups can use sophisticated tactics to exploit security gaps and access sensitive information. With privacy and security becoming increasingly important in today’s digital age, users must take extra precautions to protect their communications.
References
[1] Antoniuk, D. (2025, February 19). Russian state hackers spy on Ukrainian military through Signal app. The Record. https://therecord.media/russian-state-hackers-spy-on-ukraine-military-signal
[2] Baker, K. (2025, January 17). What is a Man in the Middle (MITM) Attack? CrowdStrike. https://www.crowdstrike.com/en-us/cybersecurity-101/cyberattacks/man-in-the-middle-mitm-attack/
[3] Greenberg, A. (2025, February 19). A Signal Update Fends Off a Phishing Technique Used in Russian Espionage. Wired. https://www.wired.com/story/russia-signal-qr-code-phishing-attack/
[4] Phil, E. (2025, February 19). Russian State Hackers Target Signal to Spy on Ukrainians. Infosecurity Magazine. https://www.infosecurity-magazine.com/news/russian-hackers-signal-spy/
[5] Torres, M. (2025, February 25). If You’re Worried About Privacy Under Trump, This Is The One App You Should Download Immediately. BuzzFeed. https://www.buzzfeed.com/monicatorres2/signal-privacy-app-trump-musk