Russian-aligned threat actors are increasingly targeting individuals via the privacy-focused messaging app Signal to gain unauthorized account access. The technique they use primarily involves abusing Signal's 'linked devices' feature, allowing them to synchronize victim accounts with actor-controlled instances. This enables real-time eavesdropping on conversations. The attackers deploy malicious QR codes disguised as group invites or security alerts, sometimes embedded in phishing pages related to military applications. Notable threat actors identified include UNC5792 and UNC4221, who have specifically targeted Ukrainian military personnel using sophisticated phishing tactics.
These QR codes are known to masquerade as group invites, security alerts, or legitimate device pairing instructions from the Signal website.
The most novel and widely used technique underpinning Russian-aligned attempts to compromise Signal accounts is the abuse of the app's legitimate 'linked devices' feature.
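As an added example (not part of the original report), the check below triages decoded QR payloads by what they actually do rather than by what the lure claims. It assumes, beyond what this page states, that Signal's device-linking payload is a `sgnl://linkdevice` URI (legacy `tsdevice:`) and that group invites point at `signal.group`; all sample payloads are constructed.

```python
from urllib.parse import urlsplit

# Assumption (not stated on the page): device-link QR codes carry a
# sgnl://linkdevice?... URI (legacy tsdevice:/?...), group invites use signal.group.

def classify(payload: str) -> str:
    """Classify a decoded QR string as 'device_link', 'group_invite' or 'other'."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if scheme == "tsdevice" or (scheme == "sgnl" and host == "linkdevice"):
        return "device_link"
    # Exact host match only, so lookalike domains do not pass as invites.
    if host == "signal.group" and scheme in ("https", "sgnl"):
        return "group_invite"
    return "other"

def triage(records, user_started_linking=False):
    """Return findings for payloads whose effect differs from the stated purpose.

    records: iterable of (claimed_as, payload) pairs, where claimed_as is how
    the QR code was presented to the user (hypothetical labels).
    """
    findings = []
    for claimed_as, payload in records:
        kind = classify(payload)
        if kind == "device_link" and not user_started_linking:
            # Linking is only expected when the user opened Linked Devices themselves.
            findings.append((claimed_as, "would link a new device to the account"))
        elif claimed_as == "group_invite" and kind != "group_invite":
            findings.append((claimed_as, "not a signal.group invite"))
    return findings

# Constructed samples: placeholder uuid/pub_key values, reserved example domain.
SAMPLES = [
    ("group_invite", "sgnl://linkdevice?uuid=CONSTRUCTED-UUID&pub_key=CONSTRUCTEDKEY"),
    ("security_alert", " TSDEVICE:/?uuid=CONSTRUCTED-UUID&pub_key=CONSTRUCTEDKEY"),
    ("group_invite", "https://signal.group/#CONSTRUCTED"),
    ("group_invite", "https://signal.group.example.org/#CONSTRUCTED"),
]

if __name__ == "__main__":
    for claimed_as, reason in triage(SAMPLES):
        print(f"ALERT: QR presented as {claimed_as}: {reason}")
```
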