Donncha Ó Cearbhaill, head of Amnesty International Security Lab, said he uncovered details of a large-scale phishing campaign targeting Signal users after hackers attempted to compromise his own account earlier this year through messages impersonating Signal security support.
Ó Cearbhaill said he received a message on Signal claiming to come from “Signal Security Support ChatBot.” The message warned of alleged suspicious activity and instructed him to complete a fake verification process by providing a verification code.
The phishing message stated that attackers were attempting to access his Signal data and instructed him not to share the verification code with anyone, including Signal employees.
Ó Cearbhaill immediately recognized the message as a phishing attempt intended to gain control of his account by linking it to a device controlled by the attackers.
The researcher told TechCrunch he had never knowingly been targeted by a one-click cyberattack or phishing campaign before.
“Having the attack land in my inbox, and the chance to turn the tables on the attackers and understand more about the campaign was too good to pass up,” he said.
Researcher Connects Attack To Wider Signal Phishing Campaign
According to Ó Cearbhaill, the phishing operation appeared to be part of a much larger campaign targeting Signal users in bulk.
The attackers used techniques previously identified in warnings issued by the U.S. cybersecurity agency CISA, the United Kingdom’s cybersecurity authorities, and Dutch intelligence agencies. Those warnings linked similar Signal phishing operations to Russian government-backed hacking groups.
Signal has also previously warned users about phishing attacks targeting its platform.
German publication Der Spiegel previously reported that Russian-linked hackers had successfully compromised multiple individuals in Germany, including politicians.
Ó Cearbhaill said his investigation suggested that more than 13,500 people may have been targeted in the campaign.
He declined to disclose the full technical details of how he investigated the phishing operation, saying he did not want to reveal investigative methods to the attackers. However, he shared several findings publicly.
Researcher Describes “Snowball” Targeting Method
Ó Cearbhaill said he identified journalists he had previously worked with and one of his colleagues among the targets.
He said he believes the attackers expanded the campaign opportunistically by compromising some users and then identifying additional targets through group chats and contact lists connected to those accounts.
The researcher described this as a “snowball hypothesis.”
According to Ó Cearbhaill, he likely became a target because he participated in a group chat with someone whose Signal account had already been compromised.
That access may have allowed attackers to gather his contact information and target him directly.
Attack Infrastructure Linked To Russian-Language System
Ó Cearbhaill said he identified the system used by the attackers, which he referred to as “ApocalypseZ.”
According to the researcher, the platform automates phishing operations, allowing attackers to target large numbers of users simultaneously with limited manual oversight.
He also said the system’s codebase and operator interface were written in Russian and that attackers translated victims’ chats into Russian during operations.
Ó Cearbhaill said those details support the theory that the campaign was connected to the same Russian government-linked hacking groups previously associated with similar attacks.
The researcher said the phishing activity has continued beyond the period he initially investigated and that the number of targets is likely now much higher than the 13,500 accounts he identified earlier this year.
He added that he does not expect attackers to target him again.
“I welcome future messages, especially if they have zero-days they would like to share,” Ó Cearbhaill said, referring to previously unknown software vulnerabilities frequently used in advanced cyberattacks.
Researcher Recommends Registration Lock For Signal Users
Ó Cearbhaill advised Signal users concerned about similar attacks to enable Registration Lock, a security feature that requires a PIN before a Signal account can be registered on another device.
The feature is designed to prevent attackers from taking over accounts by registering victims’ phone numbers elsewhere.
Featured image credits: PxHere.com
For more stories like it, click the +Follow button at the top of this page to follow us.