A spyware investigator exposed Russian government hackers trying to hijack Signal accounts

TL;DR

A cybersecurity researcher exposed a Russian hacking campaign targeting Signal users, including high-profile figures. The hackers used phishing tactics and automated tools to compromise accounts, with ongoing attacks confirmed. The investigation highlights the threat posed by state-backed cyber espionage.

A cybersecurity researcher has revealed a targeted hacking campaign by Russian government-backed hackers attempting to hijack Signal messaging accounts, affecting more than 13,500 users including politicians and journalists.

Donncha Ó Cearbhaill, a security researcher at Amnesty International’s Security Lab, discovered that the hackers used a tool called ApocalypseZ to automate their attack efforts, targeting large numbers of Signal users in bulk. The hackers impersonated Signal support, sent phishing messages, and attempted to trick users into revealing verification codes, which would allow them to gain control of accounts.

Ó Cearbhaill found that the attack infrastructure was built and operated in Russian: both the codebase and the operator interface were in Russian, and the hackers were translating victims’ chats into Russian. He linked this campaign to broader efforts by Russian state-backed actors, an attribution consistent with warnings from multiple Western cybersecurity agencies, including CISA and UK cybersecurity officials, about similar campaigns.

Why It Matters

This development underscores the ongoing threat of state-sponsored cyber espionage targeting secure messaging platforms. The campaign’s scale, involving thousands of targets, including high-profile individuals, shows that even end-to-end encrypted tools remain exposed to account takeover through phishing of verification codes, and that nation-states persistently work to compromise political, journalistic, and diplomatic figures. It raises concerns about the security of personal and professional communications and the potential for espionage and misinformation.

Background

Earlier this year, security researchers and intelligence agencies identified Russian hackers attempting to infiltrate various communication platforms, including Signal. The campaign, which has been linked to Russian state-backed groups, uses automated tools to identify and target potential victims, especially those with high-profile or sensitive roles. Signal has issued warnings to its users about phishing attempts, and authorities have increased awareness of the threat landscape surrounding encrypted messaging apps.

“Having the attack land in my inbox, and the chance to turn the tables on the attackers and understand more about the campaign was too good to pass up.”

— Donncha Ó Cearbhaill

“I am convinced this was the same Russian government hacking group behind similar campaigns.”

— Ó Cearbhaill

“The campaign aligns with previous activity attributed to Russian government actors targeting encrypted communication platforms.”

— Cybersecurity agencies (CISA, UK NCSC)

What Remains Unclear

While the campaign’s infrastructure and methods have been identified, the full scope of targets remains unclear, and it is not confirmed whether the hackers have succeeded in gaining long-term access to any accounts. The extent of the campaign’s impact on high-profile individuals and government officials is still being assessed, and the hackers’ ultimate objectives are not fully known.

What’s Next

Authorities and Signal are expected to enhance security measures and issue further warnings. Monitoring of ongoing attacks continues, and investigations are likely to identify additional victims and infrastructure. Signal users are advised to enable security features such as Registration Lock to protect their accounts.

Key Questions

How are the hackers attempting to hijack Signal accounts?

The hackers use phishing messages impersonating Signal support, tricking users into revealing verification codes, and deploying automated tools to target large groups of users.

Who is believed to be behind these attacks?

Multiple cybersecurity agencies attribute the campaign to Russian government-backed hacking groups, based on technical indicators and language used in the infrastructure.

What can Signal users do to protect themselves?

Users are advised to enable the Registration Lock feature, which requires a PIN before the phone number can be registered on a new device, so that a verification code alone is not enough to take over the account, and to remain vigilant against phishing attempts.
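
The Registration Lock advice above (also given under What’s Next) can be illustrated with a simplified model of the registration check. This is an added example written for this page, not Signal’s code or protocol; the account, code and PIN handling here (Account, send_verification_code, register_device, phishing_scenario, the sample phone number and PIN) are invented for illustration. It shows that a phished verification code alone is enough to move the number to a new device when no lock is set, and is rejected when a PIN is required.

```python
"""Simplified model of why a registration PIN defeats verification-code phishing.

Illustrative model only: not Signal's code or protocol. All names and sample
values are constructed for this example.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Optional


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Server stores only a salted, stretched hash of the PIN, never the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class Account:
    phone: str
    pin_salt: bytes = field(default_factory=lambda: os.urandom(16))
    pin_hash: Optional[bytes] = None        # set only when Registration Lock is on
    registered_device: str = "owner-phone"  # device currently bound to the number
    pending_code: Optional[str] = None      # last verification code sent by SMS

    def enable_registration_lock(self, pin: str) -> None:
        self.pin_hash = _hash_pin(pin, self.pin_salt)


def send_verification_code(account: Account) -> str:
    # Six-digit code delivered to whoever controls the phone number.
    account.pending_code = f"{secrets.randbelow(10**6):06d}"
    return account.pending_code


def register_device(account: Account, device: str, code: str,
                    pin: Optional[str] = None) -> str:
    # Step 1: the caller must present the code sent to the number.
    if account.pending_code is None or not hmac.compare_digest(code, account.pending_code):
        return "rejected: bad verification code"
    # Step 2: with Registration Lock enabled, the caller must also know the PIN.
    if account.pin_hash is not None:
        if pin is None or not hmac.compare_digest(_hash_pin(pin, account.pin_salt),
                                                  account.pin_hash):
            return "rejected: registration lock PIN required"
    account.pending_code = None
    account.registered_device = device
    return "registered"


def phishing_scenario(lock_enabled: bool):
    """Victim is tricked into revealing the verification code; attacker has no PIN."""
    acct = Account(phone="+1-555-0100")  # constructed sample number
    if lock_enabled:
        acct.enable_registration_lock("482913")  # constructed sample PIN
    phished_code = send_verification_code(acct)
    result = register_device(acct, "attacker-device", phished_code)
    return result, acct.registered_device


if __name__ == "__main__":
    print("no lock:", phishing_scenario(False))
    print("lock on:", phishing_scenario(True))
```

Without the lock the check in step 1 is the only gate, so anyone holding the code wins; with the lock, step 2 requires a secret the phishing message never obtains. The legitimate owner re-registers by supplying both the code and their PIN.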

Are high-profile targets involved?

Yes, reports indicate that politicians, journalists, and other prominent figures have been targeted, though the full scope of affected individuals is still being investigated.