Ukraine's Computer Emergency Response Team (CERT-UA) is warning about highly targeted attacks employing compromised Signal accounts to send malware to employees of defense industry firms and members of the country's armed forces. The bulletin mentions that the attacks started this month, with Signal messages containing archives posing as meeting reports.

CERT-UA says the activity has been tracked under UAC-0200, a threat cluster employing Signal in similar attacks since June 2024. However, in recent attacks, the phishing lures have been updated to reflect current vital topics in Ukraine, especially those related to the military sector. "Starting in February 2025, the bait messages have shifted their focus to topics related to UAVs, electronic warfare systems, and other military technologies," explains CERT-UA in its recent bulletin.

In February 2025, Google Threat Intelligence Group (GTIG) reported that Russian hackers were abusing the legitimate "Linked Devices" feature in Signal to gain unauthorized access to accounts of interest.

Signal users who consider themselves potential targets of espionage and spear-phishing attacks should turn off automatic downloads of attachments and be cautious of all messages, especially those containing files. Additionally, it is recommended that the list of linked devices on Signal be regularly checked to avoid becoming a proxy for attacks. Finally, Signal users should update their messenger apps to the latest version on all platforms and enable two-factor authentication for additional account protection.

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 19 Mar 2025 20:35:06 +0000