Spyware Investigator Reveals Russian Government Hackers Trying to Take Over Signal Accounts

Earlier this year, Donncha Ó Cearbhaill, a security researcher investigating spyware attacks, found himself in an unusual position. Only once did he become the target of a hacker.

The message I received on my Signal account said, “Dear User, this is the Signal Security Support Chatbot. We have detected suspicious activity on your device that may lead to a data breach.”

“We also detected an attempt to access your personal data in Signal,” the message says.

“To prevent this, you must enter the verification code into the Signal Security support chatbot and pass the verification step. Do not give the code to anyone, even SIGNAL employees.”

Apparently, Amnesty International’s Security Lab Director Ó Cairbeil quickly realized that this was an “ill-advised” attempt to hack into his Signal account. Rather, I saw it as an opportunity to dive into some unexpected research.

Researchers told TechCrunch that they had “never been intentionally targeted” by a one-click cyberattack or a phishing attack like this before.

“The attack landed in my inbox and the opportunity to turn the tables on the attackers and learn more about the campaign was too good to pass up,” he said.

As it turns out, the attempted attack on Ó Cearbhaill may have been part of a broader hacking campaign targeting a large group of Signal users. The hackers’ strategy was to impersonate Signal, warn about fake security threats, and try to trick targets into giving hackers access to their accounts by linking their accounts to devices controlled by the hackers.

These techniques were exactly the same as those seen in a broader campaign that the U.S. cybersecurity agency CISA, the British cybersecurity agency, and the Dutch intelligence community have all warned about and blamed on Russian government spies. Signal also warns users about phishing attacks. German news magazine Der Spiegel found that Russian hackers were able to compromise several people in the country, including prominent politicians.

In a series of online posts, Mr Ó Cairbeil said he was able to identify himself as one of more than 13,500 targets. Although he did not reveal exactly how he investigated hacking attempts and campaigns to avoid revealing his hand to hackers, he did share some details about what he learned.

First, Ó Cairbeil recognized that other targets included not only colleagues but also journalists with whom he worked. He said he already suspected at the time that this was an opportunistic attack in which the hackers had compromised a target and, thanks to the successful attack, identified new potential victims.

Calling this the “snowball hypothesis,” Ó Caerbeil said he believed he was targeted because he was likely in a group chat with the person who was hacked, giving the hacker an opportunity to find contact information for a new target.

Researchers said they were able to identify a system called “ApocalypseZ” that the hackers were using. The system automates attacks and allows hackers to target many people at once, with limited human oversight.

They also discovered that the codebase and operator interface were in Russian, and that the hackers had translated the victims’ chats into Russian. This is consistent with the hypothesis that this is the same Russian government hacking group behind similar campaigns.

Mr Ó Cairbeil said he was still monitoring the campaign and was seeing attacks continue, which meant the total number of targets was certainly much higher than what he saw earlier this year.

He said he doubts the hacker will target him again and will probably regret going after him in the first place. “We welcome any further messages, especially if you have zero-days you would like to share,” he said, referring to security flaws that vendors don’t yet know about, which are often used in the attacks he investigates.

Carebeil said Signal users should turn on registration lock if they’re worried about being targeted by this type of attack. Registration Lock is a feature that allows users to set a PIN on their account to prevent anyone from registering their phone number on another device.