Multiple Russian state-backed advanced persistent threat groups have been abusing the "linked devices" feature of the encrypted messaging app Signal to spy on targets' conversations, according to SecurityWeek. The technique does not break Signal's end-to-end encryption; instead, the victim is tricked into scanning a device-linking QR code generated by the attacker, which registers the attacker's device as a legitimate second endpoint of the account so that future messages are delivered to it in the clear.
Malicious device-linking QR codes have been embedded in phishing pages, disguised as group invite links, and used in close-access operations such as those conducted by Sandworm, a report from Mandiant revealed. A separate Russian threat group has compromised Ukrainian military Signal accounts with a Signal phishing kit that spoofs the Ukrainian military's Kropyva app. That kit was found to include a JavaScript payload that harvests basic user information and geolocation data, the report noted, and it urged Signal users to adopt stricter precautions, including periodically reviewing the Linked Devices screen in Signal's settings and unlinking any device they do not recognize. "...[T]his threat also extends to other popular messaging applications such as WhatsApp and Telegram, which are also being actively targeted by Russian-aligned threat groups using similar techniques," said Mandiant researcher Dan Black.
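For responders who capture a phishing page or decode a suspicious QR image, the useful check is whether the payload is a device-linking request rather than the group invite it is dressed up as. The following Python is an added example written for this article; it is not code from the article, from SecurityWeek, or from Mandiant's report. It assumes the URI formats used by Signal Desktop and signal-cli (a linking code encodes `sgnl://linkdevice?uuid=...&pub_key=...`, a group invite is `https://signal.group/#...`); verify these against the client version in your environment, and note that the sample inputs are constructed.

```python
"""Classify decoded Signal QR payloads: device-link requests vs. group invites.

Added example, not code from the original article or from Mandiant/Google.
Assumed formats (Signal Desktop / signal-cli; confirm for your client version):
  device link : sgnl://linkdevice?uuid=<device id>&pub_key=<url-encoded base64>
  group invite: https://signal.group/#<base64 invite blob>
"""
import html
import re
from urllib.parse import unquote, urlsplit

LINK_SCHEME = "sgnl"
LINK_HOST = "linkdevice"
GROUP_HOST = "signal.group"

# Match linking URIs embedded in markup or script; stops at whitespace/quotes/tags.
LINK_URI_RE = re.compile(r"sgnl://linkdevice\?[^\s\"'<>]+", re.IGNORECASE)


def _parse_query(query: str) -> dict:
    """Split a query string without turning '+' into a space.

    parse_qs() would corrupt an unencoded base64 pub_key that contains '+',
    so split manually and percent-decode each value with unquote().
    """
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params


def classify_qr_payload(payload: str) -> dict:
    """Describe what a decoded QR string would do if a Signal user scanned it.

    kind is one of "device_link", "group_invite" or "other". For device links
    the uuid and pub_key are extracted so a responder can record the
    attacker-controlled device that would have been linked to the account.
    """
    text = payload.strip()
    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    host = parts.netloc.lower()

    if scheme == LINK_SCHEME and host == LINK_HOST:
        params = _parse_query(parts.query)
        uuid = params.get("uuid") or None
        pub_key = params.get("pub_key") or None
        return {
            "kind": "device_link",
            "uuid": uuid,
            "pub_key": pub_key,
            # A linking URI missing either parameter is malformed but still hostile.
            "complete": bool(uuid and pub_key),
        }
    if scheme == "https" and host == GROUP_HOST and parts.fragment:
        return {"kind": "group_invite", "invite": parts.fragment}
    return {"kind": "other", "value": text}


def find_device_link_uris(page_body: str) -> list:
    """Pull device-linking URIs out of a captured phishing page body.

    HTML entities are unescaped first so '&amp;' between parameters does not
    hide the pub_key from the classifier.
    """
    decoded = html.unescape(page_body)
    return [classify_qr_payload(m) for m in LINK_URI_RE.findall(decoded)]


if __name__ == "__main__":
    # Constructed sample inputs, not real invites or captured attacker data.
    samples = [
        "sgnl://linkdevice?uuid=a1b2c3d4&pub_key=BXqI%2FabcDEF%3D",
        "https://signal.group/#CjQKIDExMjM0NTY3ODkw",
        "https://example.invalid/join-our-group",
    ]
    for s in samples:
        print(classify_qr_payload(s))
    fake_page = ('<a href="sgnl://linkdevice?uuid=feedface&amp;pub_key=QUJD%2BREVG">'
                 'Join the Kropyva group</a>')
    print(find_device_link_uris(fake_page))
```

Run it over the decoded text of any QR code a user was asked to scan, or over the body of a suspected phishing page; a `device_link` result where a group invite was promised is the indicator to act on, and the extracted `uuid` and `pub_key` are worth preserving as evidence.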