Google has alerted users about a phishing tactic employed by Russian hackers targeting Ukrainian soldiers using the encrypted messaging app Signal. This technique involves deceiving users with fake QR codes that, when scanned, link their devices to those controlled by the attackers, allowing the hackers to intercept and read all messages.
For over a decade, Ukraine has been a proving ground for Russian cyberwarfare tactics. Now, Google’s threat intelligence team has documented how Russian-affiliated hacker groups have exploited Signal, an app increasingly used for secure communications by the Ukrainian military. These groups, identified as UNC5792 and UNC4221, send phishing messages disguised as Signal group invites through various channels, ultimately leading victims to scan fake QR codes. Instead of joining a group, the QR code links the user’s device to an eavesdropper, effectively hijacking their conversations in real time.
Dan Black, a cyberespionage researcher at Google, explained that the deception is sophisticated—it mimics a legitimate group invite while linking the device out to the attacker. Google began warning the Signal Foundation about these tactics two months prior, resulting in Signal rolling out an update that requires additional authentication when linking new devices and alerts users about new connections at random intervals.
Signal’s senior technologist, Josh Lund, noted that Google’s warnings were instrumental in fast-tracking these protective measures. While the encryption itself remains intact, the phishing technique exploits legitimate app features to trick users.
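The core of the technique described above is that a device-linking QR code is shown to the victim as if it were a group invite. As an added example (not code from the article, Google, or Signal), the check below classifies a decoded QR payload before it is acted on; it assumes Signal's public link shapes, where group invites are `https://signal.group/#...` links and device linking uses an `sgnl://linkdevice?...` URI, and all sample payloads are constructed.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample QR payloads (not taken from the article). The URI shapes
# are assumptions based on Signal's public link formats.
SAMPLE_PAYLOADS = {
    "real_group_invite": "https://signal.group/#CjQKIEXAMPLEgroupLinkBytes",
    "disguised_device_link": "sgnl://linkdevice?uuid=EXAMPLEuuid&pub_key=EXAMPLEpubkey",
    "unrelated": "https://example.com/join",
}

GROUP_INVITE_HOSTS = {"signal.group"}


def classify_signal_qr(payload: str) -> str:
    """Return 'group_invite', 'device_link' or 'other' for a decoded QR payload."""
    try:
        parts = urlparse(payload.strip())
    except ValueError:
        return "other"
    scheme = parts.scheme.lower()
    host = parts.netloc.lower()
    # Device-linking deep link: pairs the scanning account with whoever made the code.
    if scheme == "sgnl" and host == "linkdevice":
        return "device_link"
    # Group invite: https (or the legacy sgnl scheme) on signal.group with a fragment.
    if scheme in ("https", "sgnl") and host in GROUP_INVITE_HOSTS and parts.fragment:
        return "group_invite"
    return "other"


def check_invite_payload(payload: str) -> tuple[bool, str]:
    """Decide whether a payload presented as a 'group invite' is what it claims.

    Returns (ok, reason). A device-link URI is never a group invite; scanning it
    in the 'Link device' flow would add the code's author as a linked device.
    """
    kind = classify_signal_qr(payload)
    if kind == "device_link":
        fields = ", ".join(sorted(parse_qs(urlparse(payload).query)))
        return False, f"device-link URI (fields: {fields}) presented as a group invite"
    if kind == "group_invite":
        return True, "group invite link"
    return False, f"not a Signal link ({kind})"


if __name__ == "__main__":
    for name, payload in SAMPLE_PAYLOADS.items():
        print(name, check_invite_payload(payload))
```

The same classification is what a user does by eye when Signal's linking screen appears instead of a group join prompt; the update described above adds a second authentication step at exactly that point.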
The hackers’ focus on Signal stems from its critical role in military communications. For instance, one group used deceptive QR codes to impersonate invites to military-related group chats. Google highlighted that this technique is not isolated to Ukraine; it poses a global risk to dissidents and activists utilizing Signal for secure communication.
The evolving cyber threats mark a shift from previous disruptive attacks to more targeted espionage, as evidenced by the tactics employed by Russian hacker groups like Sandworm and Turla, which have previously surveilled Ukrainian military communications. As cyber vulnerabilities grow, experts warn that the lessons learned in Ukraine might have broader implications, extending to a variety of global targets.
For further reading, you can explore the following links: