
Russian hackers gained access to Ukrainian military accounts on Signal using the “connected devices” feature. Google warns that this tactic could expand to other messengers.
Attackers use two main methods to compromise Signal accounts:
– Physical access – linking accounts to the attackers' own devices using phones captured on the front lines.
– Phishing attacks – tricking military personnel into scanning malicious QR codes or opening infected links, which gives the attackers access to new messages in real time.
Cybersecurity experts from the Google Threat Intelligence Group (GTIG) discovered that Russian hackers are using fake Signal pages to distribute malicious QR codes. Scanning such a code silently links the victim's account to a device controlled by the attackers.
The hacker groups APT44 (Sandworm), UNC5792 and UNC4221 create sites that imitate official Signal resources or applications used by the Ukrainian military. Such pages look legitimate but contain code that compromises accounts.
Signal is one of the most secure messengers, used by journalists, politicians, the military and activists. However, the “connected devices” feature has become its weak point. Google notes that this method has already been used to attack WhatsApp and Telegram, which indicates a threat to a wide range of users.
Signal remains a secure messenger, but users should be cautious. Google recommends: