💥 Discover this must-read post from TechCrunch 📖
Earlier this year, Donncha Ó Cearbhaill, a security researcher who investigates spyware attacks, found himself in an unusual situation. For once, he became a target for hackers.
“Dear user, this is the Signal Security Support ChatBot. We have noticed suspicious activity on your device, which could lead to a data leak,” read a message he received on his Signal account.
“We have also detected attempts to access your private Signal data,” the message claimed.
“To prevent this, you must pass the verification procedure, and enter the verification code into the Signal Security Support Chatbot. Do not tell anyone the code, not even Signal employees.”
Ó Cearbhaill, who heads Amnesty International’s Security Lab, immediately realized that this was an “unwise” attempt to hack his Signal account, and thought it would be a good opportunity to jump into an unexpected investigation.
The researcher told TechCrunch that even then, he had never been “intentionally” targeted by a one-click cyberattack or phishing attempt like this before.
“Having the attack land in my email, and the opportunity to turn the tables on the attackers and understand more about the campaign, was too good to pass up,” he said.
As it turns out, the attempted attack on Ó Cearbhaill was likely part of a broader hacking campaign targeting a large group of Signal users. The hackers’ strategies were to impersonate Signal, warn of false security threats, and attempt to trick targets into giving the hackers access to their account by linking it to a device controlled by the hackers.
These techniques were very similar to those seen in a broader campaign that the US cybersecurity agency CISA, the UK’s Cyber Security Agency, and Dutch intelligence warned about, blaming Russian government spies. Signal also warned of phishing attacks targeting its users. German news magazine Der Spiegel found that Russian hackers were able to hack several people inside the country, including prominent politicians.
Ó Cearbhaill said in a series of online posts that he was able to discover that he was one of more than 13,500 targets. He declined to reveal exactly how he investigated the hacking attempt and the campaign, to avoid tipping his hand to the hackers, but he did share some details about what he learned.

First, he realized that other targets included journalists he worked with, as well as a colleague. At that point, Ó Cearbhaill said he already suspected this was an opportunistic attack where hackers compromised targets and identified new potential victims, thanks to those successful attacks.
Ó Cearbhaill described it as a “snowball hypothesis,” and said he was convinced he became a target because he was likely in a group chat with someone who had been hacked, giving hackers an opportunity to find the contact information of new targets.
The researcher said he was able to identify the system the hackers were using, called “ApocalypseZ,” which automates the attack, allowing hackers to target many people at the same time with limited human oversight.
It was also found that the code base and launcher interface were in Russian, and the hackers were translating victims’ conversations into Russian, which is consistent with the hypothesis that this is the same Russian government hacking group behind similar campaigns.
Ó Cearbhaill said he is still monitoring the campaign, and has seen attacks continue, meaning the total number of targets is certainly much higher than the number he saw earlier this year.
He said he doubted the hackers would come after him again, and might regret going after him in the first place. “I welcome future messages, especially if they have zero days that they want to share,” he said, referring to vulnerabilities the vendor is not yet aware of, which are often used in attacks he investigates.
Ó Cearbhaill said that if Signal users are concerned about being targeted for this type of attack, they should turn on Registration Lock, a feature that allows users to set a PIN for their account that prevents others from registering their phone numbers on a different device.
🕒 **Posted on**: 1778770542
