Hackers exploit Signal’s linked devices feature to hijack accounts via malicious QR codes
A new report from Google Threat Intelligence Group reveals that hackers have exploited a vulnerability in Signal’s linked devices feature to hijack user accounts using malicious QR codes. According to the report, the attack primarily targets Ukrainian officials and military personnel and is believed to be orchestrated by Russian state-sponsored actors.
How does the attack work?
The attack exploits Signal’s mechanism for connecting new devices to an existing account. Normally, users can scan a QR code to add a new device to their Signal account, making it easy to synchronize conversations across multiple devices. However, hackers have developed a method to trick users into scanning a malicious QR code that instead links the hacker’s device to the victim’s account.
Once the attack is successful, the hacker gains full access to the victim’s messages and conversations in real time. In some cases, these attacks have led to surveillance of sensitive communications between Ukrainian officials. Google Threat Intelligence Group identified these attacks as part of a broader campaign aimed at spying on targets in Ukraine and possibly other regions. This isn’t the first time Russian-backed hackers have used quishing (QR code phishing) to target high-profile individuals and organizations: the Star Blizzard hacking group has also leveraged quishing in its attacks.
State-sponsored cyber espionage
According to Google’s report, this type of attack exemplifies how state-sponsored hacker groups increasingly exploit legitimate features in encrypted messaging platforms to bypass security measures. Signal is known for its strong end-to-end encryption, but the attack demonstrates that security also depends on user behavior and vigilance.
Russian hacker groups have previously used similar phishing techniques to access sensitive data, but this attack highlights a shift towards targeting real-time communication rather than simply stealing data. This isn’t the first time Ukraine has been a target of cyberattacks. Recent incidents, like the attack on Ukraine’s largest bank with SmokeLoader malware, highlight the ongoing cyber warfare facing the country.
How can users protect themselves?
To guard against such attacks, security experts recommend the following precautions:
- Be wary of QR codes: Never scan QR codes from unknown or suspicious sources, especially in connection with encrypted messaging services.
- Enable a PIN code: Signal offers an extra security feature in the form of a PIN code, preventing unauthorized devices from being linked to an account.
- Check connected devices: Users can manually review and remove unknown or suspicious devices in Signal’s settings.
- Use message verification: Enable verification codes to ensure that you are communicating with the intended recipient and not a compromised device.
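A gateway or help-desk tool that already decodes QR images can apply the first precaution automatically by checking what the code actually contains. The sketch below is an added example, not code from Signal or from Google's report; the URI shapes in its comments, the function name `classify_qr_payload` and the sample payloads are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumptions (not stated on the page): a Signal device-link QR encodes
# sgnl://linkdevice?uuid=...&pub_key=... (older clients: tsdevice:/?...),
# while a group invite is an https://signal.group/ URL.
EMBEDDED = re.compile(r"sgnl://linkdevice|tsdevice:/", re.IGNORECASE)

def _split(text):
    """urlsplit that tolerates malformed input (QR content is untrusted)."""
    try:
        parts = urlsplit(text)
        return parts, (parts.hostname or "")
    except ValueError:
        return None, ""

def classify_qr_payload(payload, max_decode_rounds=3):
    """Return (verdict, detail) for one decoded QR string."""
    text = payload.strip()
    for _ in range(max_decode_rounds + 1):
        parts, host = _split(text)
        if parts and (parts.scheme == "tsdevice" or
                      (parts.scheme == "sgnl" and host == "linkdevice")):
            params = parse_qs(parts.query)
            missing = [k for k in ("uuid", "pub_key") if k not in params]
            return "device-link", ("missing " + ",".join(missing)) if missing else "complete"
        if EMBEDDED.search(text):
            # A link URI carried inside some other URL, e.g. as a parameter.
            return "embedded-device-link", host
        decoded = unquote(text)  # peel one layer of percent-encoding
        if decoded == text:
            break
        text = decoded
    return "other", ""

# Constructed sample payloads (not taken from any real campaign).
SAMPLES = [
    "https://signal.group/#CONSTRUCTED-INVITE",
    "SGNL://LinkDevice?uuid=AAAA&pub_key=BBBB",
    "sgnl%253A%252F%252Flinkdevice%253Fuuid%253DAAAA",
    "https://example.invalid/j?next=sgnl%3A%2F%2Flinkdevice%3Fuuid%3DAAAA",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify_qr_payload(s), s)
```

Any verdict other than `other` means that scanning the code from inside Signal would start a device-link flow rather than open an invite or a web page, so it should be treated as a request to add a device to the account.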
A wake-up call for secure messaging users
The attack on Signal’s linked devices feature demonstrates how even the most secure messaging platforms can be targeted by advanced hacker groups. Google Threat Intelligence Group’s discovery underscores the importance of being aware of the risks associated with phishing and QR-based attacks. While Signal continues to improve security, it is crucial for users to take their own precautions to protect their private communications.
At a time when cyberattacks are becoming more sophisticated and targeted, it is more important than ever to be cautious about the links and QR codes one interacts with. Moxso will continue to monitor developments in the cybersecurity landscape and keep you updated on the latest threats and protective measures.

Sarah Krarup
Sarah studies innovation and entrepreneurship with a deep interest in IT and how cybersecurity impacts businesses and individuals. She has extensive experience in copywriting and is dedicated to making cybersecurity information accessible and engaging for everyone.