Russia-backed hacking groups have developed techniques to compromise encrypted messaging services, including Signal, WhatsApp and Telegram, placing journalists, politicians and activists of interest to the Russian intelligence service at potential risk.Google Threat Intelligence Group disclosed today that Russia-backed hackers had stepped up attacks on Signal Messenger accounts to access sensitive government and military communications relating to the war in Ukraine.Analysts predict it is only a matter of time before Russia starts deploying hacking techniques against non-military Signal users and users of other encrypted messaging services, including WhatsApp and Telegram.Dan Black, manager of cyber espionage analysis at Google Clouds Mandiant division, said he would be absolutely shocked if he did not see attacks against Signal expand beyond the war in Ukraine and to other encrypted messaging platforms.He said Russia was frequently a first mover in cyber attacks, and that it would only be a matter of time before other countries, such as Iran, China and North Korea, were using exploits to attack the encrypted messages of subjects of intelligence interest.The warning follows disclosures that Russian intelligence created a spoof website for the Davos World Economic Forum in January 2025 to surreptitiously attempt to gain access to WhatsApp accounts used by Ukrainian government officials, diplomats and a former investigative journalist at Bellingcat.Russia-backed hackers are attempting to compromise Signals linked devices capability, which allows Signal users to link their messaging account to multiple devices, including phones and laptops, using a quick response (QR) code.Google threat analysts report that Russia-linked threat actors have developed malicious QR codes that, when scanned, will give the threat actor real-time access to the victims messages without having to compromise the victims phone or computer.In one case, according to Black, a compromised Signal account led Russia to launch an artillery strike against a Ukrainian army brigade, resulting in a number of casualties.Russia-backed groups have been observed disguising malicious codes as invites for Signal group discussions or as legitimate device pairing instructions from the Signal website.In some targeted spear phishing attacks, Russia-linked hackers have also embedded malicious QR codes in phishing websites designed to mimic specialist applications used by victims of the attack.The Russia-linked Sandworm group, also known as APT44, which is linked to the General Staff of the Armed Forces of the Russian Federation, has worked with Russian military forces in Ukraine to compromise Signal accounts on phones and computers captured on the battlefield.Googles Mandiant researchers identified a Russian language website giving instructions to Russian speakers on how to pair Signal or Telegram accounts with infrastructure controlled by APT44.The extrapolation is that this is being provisioned to Russian forces to be able to deploy captured devices on the battlefield and send back the communications to the GRU to be exploited, Black told Computer Weekly.Russia is believed to have fed the intercepted Signal communications back to a data lake to analyse the content of large numbers of Signal communications for battlefield intelligence.The attacks, which are based on exploiting Signals device linking capability, are difficult to detect and when successful there is a high risk that compromised Signal accounts can go unnoticed for a long time.Google has identified another cluster of Russia-backed attackers, known as UNC5792, that has used modified versions of legitimate Signal group invite pages which link the victims Signal account to a device controlled by the hacking group, enabling the group to read and access the targets Signal messages.Other Russia-linked threat actors have developed a Signal phishing kit designed to mimic components of the Kropyva artillery guidance software used by the Ukrainian military. The hacking group, known as UNC4221, previously used malicious web pages designed to mimic legitimate security alerts from Signal.The group has also used a lightweight JavaScript payload, known as Pinpoint, to collect basic user information and geolocation data from web browsers.Google has warned that the combination of access to secure messages and location data of victims are likely to be used to underpin targeted surveillance operations or to support conventional military operations in Ukraine.Google also warned that multiple threat actors have been observed using exploits to steal Signal database files from compromised Android and Windows devices.In 2023, the UKs National Cyber Security Centre and the Security Service of Ukraine warned that the Sandworm hacking group had deployed Android malware, known as Infamous Chisel, to search for messaging applications, including Signal, on Android devices.The malware is able to scan infected devices for WhatsApp messages, Discord messages, geolocation information and other data of interest to Russian intelligence. It is able to identify Signal and other messages and package them in unencrypted form for exfiltration.APT44 operates a lightweight Windows batch script, known as WaveSign, to periodically query signal messages from a victims Signal database and to exfiltrate the most recent messages.Russian threat actor Turla, which has been attributed by the US and the UK to the Russian Federal Security Service, has used a lightweight Powershell script to exfiltrate Signal desktop messages.And in Belarus, an ally of Russia, a hacking group designated as UNC1151 has used a command-line utility, known as Robocopy, to line up the contents of file directories used by Signal desktop to store messages and attachments for later exfiltration.Google has warned that attempts by multiple threat actors to target Signal serve as a warning for the growing threat to secure messaging services and that attacks are certain to intensify in the near-term future.There appears to be a clear and growing demand for offensive cyber capabilities that can be used to monitor the sensitive communications of individuals who rely on secure messaging applications to safeguard their online activity, it said.Users of encrypted communications are not just at risk from phishing and malware attacks, but also from the capability of threat actors to secure access to a targets device for example, by breaking the password.Black said it was insidious that Russian attackers were using a legitimate function in Signal to gain access to confidential communications, rather than compromising victims phones or breaking the encryption of the app.A lot of audiences who are using signal to have sensitive communications need to think about the risk of pairing their device to a second device, he said.Russia-aligned groups have also targeted other widely used messaging platforms, including Signal and Telegram.A Russian hacking group linked to Russias FSB intelligence service, known variously as Coldriver, Seaborgium, Callisto and Star Blizzard, shifted its tactics in late 2024 to launch social engineering attacks on people using WhatsApp encrypted messaging.The group targets MPs, people involved in governments or diplomacy, research and defence policy, and organisations or individuals supporting Ukraine.As exposed by Computer Weekly in 2022, Star Blizzard previously hacked, compromised and leaked emails and documents belonging to a former head of MI6, alongside other members of a secretive right-wing network devoted to campaigning for an extreme hard Brexit.Scottish National Party MP Stewart McDonald was another victim of the group. Left wing Freelance journalist Paul Mason, who has frequently criticised Putins war against Ukraine, was also targeted by the group and his emails leaked to the Greyzone, a pro-Russian publication in the US.Academics from the universities of Bristol, Cambridge and Edinburgh, including the late Ross Anderson, professor of security engineering, first published researched in 2023 warning that the desktop versions of Signal and WhatsApp could be compromised if accessed by a border guard or an intimate partner, enabling them to read all future messages.Signal has taken steps to improve the security of its pairing function to alert users to possible attempts to gain access to their accounts through social engineering tactics, following Googles findings.Josh Lund, senior technologist at Signal, said the organisation had introduced a number of updates to mitigate potential social engineering and phishing attacks before it was approached by Google.Google Threat Intelligence Group provided us with additional information, and we introduced further improvements based on their feedback. We are grateful for their help and close collaboration, he told Computer Weekly.Signal has since made further improvements, including overhauling the interface to provide additional alerts when someone links a new device.It has also introduced additional authentication steps to prevent anyone other than the owner of the primary device from adding a new linked device.When any new device is linked to a Signal account, the primary device will automatically receive a notification, allowing users to quickly review and remove any unknown or unwanted linked devices.Dan Black advised people the Signal app to think carefully before accepting links to group chats.If its a contact you know, just create the group yourself directly. Dont use external links to do things that you can do directly using the messaging applications features, he said.Read more about Russian attacks on Signal on Dan Blacks blog post.Countermeasures to protect encrypted communicationsEnable screen lock on all mobile devices using a long, complex password with a mix of uppercase and lowercase letters, numbers, and symbols.Install operating system updates as soon as possible and always use the latest version of Signal and other messaging apps.Ensure Google Play Protect is enabled. Google Play Protect checks apps and devices for harmful behavior and can warn users or block known malicious apps.Audit linked devices regularly for unauthorised devices by navigating to the "Linked devices" section in the applications settings.Exercise caution when interacting with QR codes and web resources purporting to be software updates, group invites, or other notifications that appear legitimate and urge immediate action.If available, use two-factor authentication such as fingerprint, facial recognition, a security key, or a one-time code to verify when your account is logged into or linked to a new device.iPhone users concerned about targeted surveillance or espionage activity should consider enabling Lockdown Mode to reduce their attack surface.Source: Google Threat Intelligence Group