Russia Aligned Threat Actors Breach Secure Messaging Apps

We’ve just learned today that officials within the Trump administration inadvertently shared Yemen strike plans with journalist Jeffrey Goldberg, in what they believed to be a secure chat message group. However, someone had accidentally sent a group invitation to Goldberg’s phone number. As is often the case with data breaches, the technical security of the platform can only do so much when faced with human error.

In January of this year, Microsoft Threat Intelligence reported on the Russian threat actor tracked as “Star Blizzard” sending selected targets what appeared to be legitimate invitations to join WhatsApp groups, but which actually tricked the user into adding the threat actor’s device as a linked device to the WhatsApp account.

Then in February, the Google Threat Intelligence Group (GTIG) reported increasing efforts from multiple Russia-aligned threat actors to breach Signal messenger accounts used by persons of interest to Russian intelligence services. Their report included the following recommendation (read on for a full list of recommendations):

Exercise caution when interacting with QR codes and web resources purporting to be software updates, group invites or other notifications that appear legitimate and urge immediate action.

Both of these reports came hot on the heels of the following Cybersecurity Advisory from the US Cyber Defence Agency:

Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spearphishing Campaigns

…which identified organisations and individuals in the UK and other areas of interest as the intended targets.

These reports reveal that the threat covers a range of secure messaging apps, including Signal, WhatsApp and Telegram, and serve as a public warning of these attack methods, in the event that they begin to be adopted by the broader hacking community and aimed at a wider range of targets.

GTIG’s claim that Signal is popular amongst common targets of surveillance, including military personnel, politicians, journalists, activists and other at-risk communities is fully confirmed by today’s news story. Let’s take a look at the specific attack vectors being used.

It’s worth noting here that Signal cooperated with GTIG in their investigation, and have already published updates to their app on Android and iOS which include features designed to protect against similar phishing campaigns in the future.

Another reminder of the importance of keeping software updated.

Signal’s ‘Linked Devices’ Feature

Signal, and other secure messaging apps, include a feature which allows users to link devices to their account, enabling the app to be used on multiple devices. Linking a device typically requires the use of a QR code. The most common attack has been through the generation of malicious QR codes that add the threat actor’s device as a linked device to the target’s account, giving them full, live access to all messages sent and received – as well as the ability to send messages which appear to come from the target.

These QR codes have been observed masquerading as legitimate Signal resources, including group invites and security alerts. There have also been more specialised instances of their use, targeting Ukrainian military devices.

Interestingly, the report notes that this method of compromise has been successful due to a lack of centralised methods for detection and defence which can be used to monitor for newly linked devices, stating that a compromised account can go unnoticed for extended periods.

There’s evidence that legitimate group invite pages have been altered to redirect unsuspecting users to a malicious URL, hosted on actor-controlled infrastructure, which links the actor-controlled device to the victim’s account.
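As an added illustration (not code from the original post, nor anything from Signal), the Python routine below shows the distinction the section relies on: a genuine Signal group invite is an https link on the signal.group host carrying the invite data in the URL fragment, whereas a device-linking QR code decodes to a sgnl://linkdevice URI with uuid and pub_key fields. The host name and the URI layout are assumptions based on Signal's open-source clients and may change over time; every payload and the redirect chain are constructed samples. The point for a defender is that "what the QR code says it is" and "what the decoded payload would actually do" are two different things, and the second one is what should drive the decision.

```python
"""Triage of decoded QR-code / link payloads: group invite or device link?

Added example, not from the original post or from Signal. Host and URI
formats below are assumptions based on Signal's open-source clients.
"""
from urllib.parse import urlsplit, parse_qs

# Hosts that legitimately serve Signal group-invite links (assumption).
TRUSTED_INVITE_HOSTS = {"signal.group"}

# Device-linking QR codes decode to sgnl://linkdevice?uuid=...&pub_key=...
# (assumption: field names as seen in Signal's clients; may change).
LINK_SCHEME = "sgnl"
LINK_HOST = "linkdevice"


def classify_payload(payload: str) -> dict:
    """Classify one decoded QR payload or URL.

    Returns a dict with 'kind' (device_link | group_invite | web_link | unknown),
    'risk' (high | medium | low) and a human-readable 'reason'.
    """
    text = payload.strip()
    parts = urlsplit(text)          # urlsplit handles custom schemes with '//'
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()

    if scheme == LINK_SCHEME and host == LINK_HOST:
        fields = parse_qs(parts.query)
        return {
            "kind": "device_link",
            "risk": "high",
            "reason": "payload would link a new device to the account; "
                      "it is not a group invite",
            "fields": sorted(fields),
        }
    if scheme == "https" and host in TRUSTED_INVITE_HOSTS and parts.fragment:
        return {"kind": "group_invite", "risk": "low",
                "reason": "group invite on a known Signal invite host"}
    if scheme in ("http", "https"):
        return {"kind": "web_link", "risk": "medium",
                "reason": f"web link to '{host or '?'}', not a Signal invite host"}
    return {"kind": "unknown", "risk": "medium",
            "reason": "unrecognised payload; do not act on it"}


def triage_chain(chain: list) -> dict:
    """Assess an observed redirect chain (URLs from first hop to last).

    The first hop may look like a genuine invite page; what matters is where
    the chain ends and whether it leaves the trusted invite hosts on the way.
    """
    verdicts = [classify_payload(u) for u in chain]
    left_trusted = any(
        (urlsplit(u).hostname or "").lower() not in TRUSTED_INVITE_HOSTS
        for u in chain[1:]
    )
    final = verdicts[-1]
    flag = final["kind"] == "device_link" or (
        left_trusted and final["kind"] != "group_invite"
    )
    return {"final": final, "left_trusted_hosts": left_trusted, "flag": flag}


# Constructed sample payloads (not real invites or link requests).
SAMPLES = [
    "https://signal.group/#CjQKEXAMPLEINVITEDATA",               # real-looking invite
    "sgnl://linkdevice?uuid=EXAMPLE-UUID&pub_key=EXAMPLE_KEY",   # device link in disguise
    "https://invite-example.invalid/join-group",                 # off-host web link
    "hello world",                                               # not a URL at all
]

# Constructed chain: an invite page that bounces through an off-host page
# and ends at a device-linking URI.
SAMPLE_CHAIN = [
    "https://signal.group/#CjQKEXAMPLEINVITEDATA",
    "https://invite-example.invalid/redirect",
    "sgnl://linkdevice?uuid=EXAMPLE-UUID&pub_key=EXAMPLE_KEY",
]


def run_samples() -> list:
    """Return the verdict kind for each constructed sample, in order."""
    return [classify_payload(p)["kind"] for p in SAMPLES]


if __name__ == "__main__":
    for payload in SAMPLES:
        v = classify_payload(payload)
        print(f"{v['risk']:6} {v['kind']:12} {payload}  ({v['reason']})")
    print("chain flagged:", triage_chain(SAMPLE_CHAIN)["flag"])
```

In practice this is the logic a scanner or a security-awareness demo would apply to a decoded QR image before a user is allowed to open it: anything that resolves to a device-linking URI is a high-risk action regardless of the label on the page that showed the code.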

Recommended Countermeasures

Recommended countermeasures to protect encrypted communications are as follows:

  • Use strong passwords, use separate passwords for email accounts and avoid password reuse across multiple services. See our blog post on password managers here.
  • Use multi-factor authentication (MFA). Click here for our blog post on MFA and other security measures.
  • Keep devices up to date – operating systems and apps / software that you use. (Also covered in this blog post.)
  • Exercise vigilance. Targeted messages are designed to fool you, and they’re getting good at it. Know how to verify the authenticity of messages you receive across all platforms. We can provide managed cybersecurity awareness training to ensure that you and your staff are up to speed on the latest threats and how to spot them. Schedule a chat here.
  • Enable automated email scanning, if available, or contact us to discuss comprehensive protection.
  • Disable mail forwarding. Attackers have been seen to set up mail-forwarding rules as part of their subterfuge.
  • Enable screen lock on all mobile devices using a long, complex password with a mix of uppercase and lowercase letters, numbers and symbols.
  • Ensure Google Play Protect is enabled (on Android devices). Google Play Protect checks apps and devices for harmful behaviours and can warn users or block known malicious apps. It’s enabled by default on Android devices with Google Play Services.
  • Audit linked devices regularly for unauthorised devices by navigating to the ‘Linked devices’ section in the application’s settings.
  • Exercise caution when interacting with QR codes and web resources purporting to be software updates, group invites or other notifications that appear legitimate and urge immediate action.
  • If available, use two-factor authentication such as fingerprint, facial recognition, a security key or a one-time code to verify when your account is logged into or linked to a new device.
  • iPhone users concerned about targeted surveillance or espionage activity should consider enabling Lockdown Mode to reduce their attack surface.

If you have any concerns about any of this, if you want a general chat about your current cybersecurity posture or want to discuss a cybersecurity audit, please don’t hesitate to get in touch.

Finally, there’s something we want to call out here. We deal with small to medium-sized businesses (SMBs), which often begin as a labour of love, with individuals putting their life’s work into their company to establish it and begin to scale. They tend to be fully invested. Cyber-attacks can happen to anyone. Anyone can be a target, and SMBs increasingly so. In fact, a recent ACSC report highlights that 62% of SMBs have already fallen victim to cyber-attacks. A report in Cybercrime Magazine back in 2019 (noting that attacks have increased markedly in frequency and sophistication since then) found that 60% of small companies are unable to recover, and close their doors within six months of falling victim to a data breach or other cyber-attack.

Our mission is to ensure that SMBs are as prepared as they can be both to avoid / defend against attacks, and to recover quickly and comprehensively in the event that those defences are breached. Our callout in the meantime is to reduce the stigma of falling victim to an attack. Across the board, people can be tricked into an attack by skilled practitioners. When this happens, there are enough things to worry about, without the stigma of feeling “duped”, “stupid” or “gullible”, so let’s all work to:

  • Remove the stigma and recognise these events as mental health events, especially for those fully invested SMB founders and owners. Support each other, and don’t be ashamed to ask for help.
  • Educate. Make people (individuals and companies) aware of the threats, and how to protect against them.
  • Protect. There are things you can do to protect yourself from these threats, and things you can do to enable recovery after a cyber incident. Know the current threat landscape and protect yourself accordingly – or partner with an organisation that can do this for you.

Don’t be afraid. Be ready.

Contact us if you want to discuss any of this, or see how we can help with your cybersecurity posture.
