Russia-aligned threat groups dupe Ukrainian targets via Signal | CyberScoop<\/title> <meta name=\"description\" content=\"Google researchers say multiple Russian state threat groups have conducted remote phishing operations to target and compromise Signal accounts.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/russia-threat-groups-target-ukraine-signal\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Russia-aligned threat groups dupe Ukrainian targets via Signal\"> <meta property=\"og:description\" content=\"Google researchers say multiple Russian state threat groups have conducted remote phishing operations to target and compromise Signal accounts.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/russia-threat-groups-target-ukraine-signal\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2025-02-19T21:20:40+00:00\"> <meta property=\"article:modified_time\" content=\"2025-02-19T21:20:43+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/russia-aligned-threat-groups-dupe-ukrainian-targets-via-signal-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1267\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Matt Kapko\"> <meta name=\"twitter:card\" content=\"summary_large_image\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1739294329g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1739821441g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1739308213g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=5e4722b3d0055288d011\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/83541\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.7.2\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=83541\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Frussia-threat-groups-target-ukraine-signal%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Frussia-threat-groups-target-ukraine-signal%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-83541 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/russia-threat-groups-target-ukraine-signal\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--event js-stickybar\">\n<div class=\"stickybar__details\" readability=\"5.12\">\n<div class=\"stickybar__info js-sticky-bar-content\" readability=\"32\">\n<p>Nominations can be submitted for the 2025 CyberScoop 50 awards!<\/p>\n<\/div>\n<p> <a class=\"stickybar__link button button-tertiary\" href=\"https:\/\/cyberscoop.com\/cyberscoop50\/\">Click here!<\/a> <\/div>\n<p> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.783783783784\">\n<div class=\"single-article__header-content\" readability=\"34.47\">\n<p> Google researchers say multiple Russian state threat groups have conducted remote phishing operations to target and compromise Signal accounts. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/83541\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"422\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/russia-aligned-threat-groups-dupe-ukrainian-targets-via-signal.jpg?resize=640%2C422&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/russia-aligned-threat-groups-dupe-ukrainian-targets-via-signal-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/russia-aligned-threat-groups-dupe-ukrainian-targets-via-signal-2.jpg?resize=300,198 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/russia-aligned-threat-groups-dupe-ukrainian-targets-via-signal-2.jpg?resize=768,507 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/russia-aligned-threat-groups-dupe-ukrainian-targets-via-signal-2.jpg?resize=1024,676 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/russia-aligned-threat-groups-dupe-ukrainian-targets-via-signal-2.jpg?resize=1536,1014 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/russia-aligned-threat-groups-dupe-ukrainian-targets-via-signal-2.jpg?resize=600,396 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/russia-aligned-threat-groups-dupe-ukrainian-targets-via-signal-2.jpg?resize=255,168 255w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/russia-aligned-threat-groups-dupe-ukrainian-targets-via-signal-2.jpg?resize=511,337 511w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/russia-aligned-threat-groups-dupe-ukrainian-targets-via-signal-2.jpg?resize=1023,675 1023w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/russia-aligned-threat-groups-dupe-ukrainian-targets-via-signal-2.jpg?resize=1277,843 1277w\" sizes=\"(max-width: 1023px) 100vw, 1023px\"><figcaption> Russian soldiers stand on Red Square in central Moscow on September 29, 2022, as the square is sealed prior to a ceremony of the incorporation of the new territories into Russia. (Photo by ALEXANDER NEMENOV\/AFP via Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"40.713182897862\"><body readability=\"82.724230254351\"><\/p>\n<p>Russian state threat groups have compromised Signal accounts used by Ukrainian military and government personnel to eavesdrop on real-time communications, Google Threat Intelligence Group said in a <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/russia-targeting-signal-messenger\">report<\/a> released Wednesday.<\/p>\n<p>\u201cThis is a persistent, ongoing campaign being carried out by multiple different Russia-aligned threat actors,\u201d Dan Black, principal analyst at Google Threat Intelligence Group, said in an email to CyberScoop.<\/p>\n<p>Researchers observed three threat groups escalating efforts to compromise Signal accounts, likely to gain access to sensitive information of interest to Russia\u2019s intelligence services, including intelligence on the country\u2019s invasion of Ukraine. Some of the ongoing efforts date back to 2023.<\/p>\n<p>Government officials, political figures and vulnerable populations have turned to Signal and other encrypted messaging apps to reduce the risk of cybercriminals snooping on communications. Federal cyber authorities in December <a href=\"https:\/\/cyberscoop.com\/cisa-mobile-security-best-practices-salt-typhoon\/\">encouraged the use of Signal and other encrypted message apps<\/a> in the wake of <a href=\"https:\/\/cyberscoop.com\/salt-typhoon-telecom-breach-remarkable-for-its-indiscriminate-targeting-fbi-official-says\/\">Salt Typhoon\u2019s spree of attacks<\/a> on U.S. and global telecom networks.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Threat groups\u2019 growing efforts to target Signal and other secure messaging applications puts the outlook for these platforms \u2014 alternatives to less secure forms of communication \u2014 at elevated risk.<\/p>\n<p>\u201cTargeting tends to scale with popularity,\u201d Black said. \u201cThe more society adopts these secure messaging apps for day-to-day use, the more we are likely to see them targeted by other threat actors across espionage and financial motives.\u201d<\/p>\n<p>The volume of tactics and Russia-aligned threat groups targeting end-to-end encrypted messaging apps is steadily increasing, Black said.<\/p>\n<p>The most widely used technique observed by Google threat intelligence involves abuse of Signal\u2019s linked devices feature, which allows users to access the app on multiple devices concurrently. Threat groups have crafted and tricked Ukrainian military and government personnel into scanning malicious QR codes that link the victim\u2019s account to a threat group-controlled Signal account.<\/p>\n<p>Remote phishing operations \u2014 including malicious QR codes, altered legitimate group invites, security alerts and other device-pairing instructions \u2014 have provided Russian threat groups a persistent means to surveil conversations in real time.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>About half of the activity observed by Google Threat Intelligence Group was post-compromise, according to a researcher with the group.<\/p>\n<p>Sandworm, a threat group Google tracks as APT44 that operates on behalf of the Russian Main Military Intelligence Unit 74455 (GRU), has also enabled Russian military forces to link Signal accounts on devices captured on the battlefield to infrastructure controlled by the threat group for follow-on exploitation, the report said. <\/p>\n<p>Google linked two other suspected Russian threat groups \u2014 UNC5792 and UNC4221 \u2014 to active targeting of Signal accounts.<\/p>\n<p>Google Threat Intelligence Group said it investigated the malicious activity with Signal, which pushed security updates to its Android and iOS apps to help bolster accounts against similar phishing techniques in the future. <\/p>\n<p>Signal did not respond to a request for comment.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Researchers warn the threat isn\u2019t limited to Signal, but extends to other messaging platforms, including WhatsApp and Telegram.<\/p>\n<p>\u201cThis latest activity is yet another example of the lengths threat actors will go through to find novel methods to compromise sensitive, encrypted communications,\u201d Black said. \u201cThe good news though is these encrypted messaging apps present a substantial challenge for all threat actors \u2014 even those backed by the GRU \u2014 to collect these signals at scale.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.7689873417722\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/russia-aligned-threat-groups-dupe-ukrainian-targets-via-signal-1.jpg?w=640&ssl=1\" alt=\"Matt Kapko\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Kapko<\/h4>\n<p> Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/russia-threat-groups-target-ukraine-signal\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Russia-aligned threat groups dupe Ukrainian targets via Signal | CyberScoop<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[282,78,3729,466,3730,60,256,270,880,3365,288,1],"tags":[286,86,3731,470,3732,67,262,276,881,3369,294,325],"class_list":["post-7368","post","type-post","status-publish","format-standard","hentry","category-cybercrime","category-cybersecurity","category-google-threat-intelligence-group","category-gru","category-messaging-apps","category-phishing","category-research","category-russia","category-sandworm","category-signal","category-threats","category-uncategorized","tag-cybercrime","tag-cybersecurity","tag-google-threat-intelligence-group","tag-gru","tag-messaging-apps","tag-phishing","tag-research","tag-russia","tag-sandworm","tag-signal","tag-threats","tag-uncategorized"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/google-threat-intelligence-group\/\" rel=\"category tag\">Google Threat Intelligence Group<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/gru\/\" rel=\"category tag\">GRU<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/messaging-apps\/\" rel=\"category tag\">messaging apps<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/phishing\/\" rel=\"category tag\">phishing<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category tag\">Research<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/russia\/\" rel=\"category tag\">Russia<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/sandworm\/\" rel=\"category tag\">Sandworm<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/signal\/\" rel=\"category tag\">signal<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7368","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=7368"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7368\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=7368"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=7368"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=7368"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":7368,"date":"2025-02-19T15:20:40","date_gmt":"2025-02-19T21:20:40","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=83541"},"modified":"2025-02-19T15:20:40","modified_gmt":"2025-02-19T21:20:40","slug":"russia-aligned-threat-groups-dupe-ukrainian-targets-via-signal","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/02\/19\/russia-aligned-threat-groups-dupe-ukrainian-targets-via-signal\/","title":{"rendered":"Russia-aligned threat groups dupe Ukrainian targets via Signal"},"content":{"rendered":"