Russia-aligned cyber actors have previously targeted the encrypted messaging app that was used by top officials in the Trump administration to discuss attacks against Houthi rebels in Yemen earlier this month.
Google Threat Intelligence Group said in a February report that it had observed an increased effort by cyber actors associated with the Kremlin to compromise Signal accounts of interest to Russian intelligence.
“While this emerging operational interest has likely been sparked by wartime demands to gain access to sensitive government and military communications in the context of Russia’s re-invasion of Ukraine, we anticipate the tactics and methods used to target Signal will grow in prevalence in the near-term and proliferate to additional threat actors and regions outside the Ukrainian theater of war,” Google noted.
The Russia-aligned cyber actors have used Signal’s linked devices feature to compromise accounts, according to the Google report. The feature allows a Signal account to be on multiple devices at once.
The cyber actors have used malicious QR codes to link to victims’ accounts, allowing them to receive all future messages and eavesdrop on victims’ conversations. They disguised the QR codes as legitimate Signal resources, such as group invites or security alerts, or embedded them in phishing pages.
Google warned there’s a “high risk” that a compromised Signal account can go unnoticed for an extended period of time.
The encrypted messaging platform has received additional scrutiny since Jeffrey Goldberg, the editor-in-chief of The Atlantic, revealed Monday that he had been mistakenly added to a Signal chat in which top Trump officials discussed war plans.
The chat featured Defense Secretary Pete Hegseth, national security adviser Mike Waltz, Vice President Vance, Secretary of State Marco Rubio, Director of National Intelligence Tulsi Gabbard and CIA Director John Ratcliffe.
In the chain, where Goldberg’s presence appears to have gone unnoticed for several days, Hegseth reportedly sent details about weapons used, targets, and timing just hours before the strikes in Yemen took place.
The Atlantic editor wrote that he initially doubted the chat was real “because I could not believe that the national-security leadership of the United States would communicate on Signal about imminent war plans.”
Brian Hughes, the spokesperson for the National Security Council, said Monday that the text chain appeared to be “authentic” and that the administration is “reviewing how an inadvertent number was added to the chain.”
However, the White House sought to downplay the significance of the breach Tuesday, with press secretary Karoline Leavitt arguing that no “war plans” were discussed in the thread and no classified materials were shared.