Earlier this year, Donncha Ó Cearbhaill, a security researcher who investigates spyware attacks, found himself in an unusual position. For once, he was the one being targeted by hackers.
“Dear User, this is the Signal Security Support ChatBot. We’ve noticed suspicious activity on your device that could lead to a data leak,” read a message he received on his Signal account.
“We have also detected attempts to access your personal data on Signal,” the message claimed.
“To avoid this, you must go through the verification process by entering the verification code in the Signal Security Support Chatbot. DO NOT TELL ANYONE THE CODE, EVEN SIGNAL EMPLOYEES.”
Ó Cearbhaill, who heads Amnesty International’s Security Lab, immediately recognized that this was a “ridiculous” attempt to hack his Signal account. Rather than ignore it, he thought it would be a good opportunity for an unexpected investigation.
The researcher told TechCrunch that until then, he had “never knowingly” been targeted with a one-click cyberattack or phishing attempt like this.
“Having the attack in my inbox and the opportunity to thwart the attackers and understand more about the campaign was too good to pass up,” he said.
As it turned out, the attempted attack on Ó Cearbhaill was likely part of a wider hacking campaign targeting a large group of Signal users. The hackers’ strategies were to mimic Signal, warn of fake security threats, and try to trick targets into giving hackers access to their account by connecting it to a device controlled by the hackers.
These techniques were exactly the same as those seen in a larger campaign that the US cybersecurity agency CISA, the UK’s cybersecurity agency, and Dutch intelligence agencies have warned about and blamed on Russian government spies. Signal, too, has warned of phishing attacks targeting its users. German news magazine Der Spiegel found that Russian hackers were able to compromise several people inside the country, including high-profile politicians.
Ó Cearbhaill said in a series of online posts that he was able to tell that he was one of more than 13,500 targets. He declined to reveal exactly how he investigated the hacking attempt and the campaign, to avoid revealing his hand to the hackers, but did share some details about what he learned.
First, Ó Cearbhaill realized that other targets included journalists he had worked with, as well as a colleague. At that point, he said he already suspected it was an opportunistic attack where hackers breached targets and identified new potential victims thanks to these successful attacks.
Ó Cearbhaill called it an “avalanche case” and said he’s convinced he was targeted because he was likely in a group chat with someone who was hacked, which gave the hackers an opportunity to find new targets’ contact information.
The researcher said he was able to identify the system used by the hackers, called ‘ApocalypseZ’, which automates the attack, allowing hackers to target multiple people at once with limited human supervision.
He also found that the codebase and user interface are in Russian, and that the hackers were translating victims’ conversations into Russian, which is consistent with the assumption that this was the same group of Russian government hackers behind similar campaigns.
Ó Cearbhaill said he is still following the campaign and has seen the attacks continue, meaning the total number of targets is certainly much higher than the number he saw earlier this year.
He said he doubts the hackers will come after him again and will likely regret ever going after him in the first place. He said: “I welcome future messages, especially if they have zero days they would like to share,” referring to security flaws not yet known to the vendor that are often used in attacks he is investigating.
Ó Cearbhaill said that if Signal users are concerned about being targeted with this type of attack, they should enable Registration Lock, a feature that allows users to set a PIN for their account that prevents others from registering their phone number on a different device.
