Russian Government Hackers Target Signal Users: How to Protect Yourself (2026)

The recent revelation of Russian government hackers attempting to hijack Signal accounts has brought attention to the vulnerabilities of messaging apps and the importance of cybersecurity. This incident, uncovered by security researcher Donncha Ó Cearbhaill, highlights the sophisticated tactics employed by state-sponsored hackers and the potential risks faced by individuals and organizations alike.

Ó Cearbhaill, who heads Amnesty International’s Security Lab, received a suspicious message on his Signal account, warning of potential data leaks and prompting him to take action. Instead of falling victim, he decided to turn the tables on the attackers, providing an opportunity to investigate the broader campaign.

The attack on Ó Cearbhaill was part of a larger hacking campaign targeting Signal users, using tactics such as impersonating Signal, warning of bogus security threats, and tricking targets into giving the hackers access to their accounts. This strategy aligns with warnings from cybersecurity agencies in the U.S., U.K., and the Netherlands, all pointing to Russian government spies as the culprits. Signal itself has also issued warnings about phishing attacks targeting its users.

Ó Cearbhaill's investigation revealed that he was one of over 13,500 targets, including journalists he had worked with and a colleague. He suspected an opportunistic approach where hackers compromised targets and identified new potential victims through those successful attacks, a phenomenon he called the "snowball hypothesis."

The researcher identified the system used by the hackers, named "ApocalypseZ," which automates the attack, allowing for bulk targeting with limited human oversight. The codebase and operator interface are in Russian, and the hackers translated victim chats into Russian, further supporting the hypothesis that this was the same Russian government hacking group behind similar campaigns.

Despite the initial attack, Ó Cearbhaill believes the hackers will not target him again, and he welcomes future messages, especially if they contain zero-day vulnerabilities. He suggests that Signal users concerned about similar attacks should enable Registration Lock, a feature that adds an extra layer of security to their accounts.

This incident underscores the ongoing threat of state-sponsored hacking and the need for individuals and organizations to remain vigilant. As messaging apps continue to play a crucial role in communication, ensuring their security is paramount to protecting sensitive information and maintaining privacy in an increasingly digital world.

Article information

Author: Otha Schamberger
