A spyware investigator exposed Russian government hackers trying to hijack Signal accounts

Earlier this year, Donncha Ó Cearbhaill, a security researcher who investigates spyware attacks, found himself in an unusual position. For once, he became the target of hackers.

“Dear User, this is Signal Security Support ChatBot. We have noticed suspicious activity on your device, which could have led to data leak,” read a message he received on his Signal account. 

“We have also detected attempts to gain access to your private data in Signal,” the message claimed.

“To prevent this, you have to pass verification procedure, entering the verification code to Signal Security Support Chatbot. DON’T TELL ANYONE THE CODE, NOT EVEN SIGNAL EMPLOYEES.”

Obviously, Ó Cearbhaill, who heads Amnesty International’s Security Lab, immediately recognized that this was an “unwise” attempt at hacking his Signal account. Instead, he thought it’d be a good opportunity to jump into an unexpected investigation. 

The researcher told TechCrunch that until then, he had “never knowingly” been targeted with a one-click cyberattack or a phishing attempt like this before.

“Having the attack land in my inbox, and the chance to turn the tables on the attackers and understand more about the campaign was too good to pass up,” he said.

As it turned out, the attempted attack on Ó Cearbhaill was likely part of a wider hacking campaign targeting a large group of Signal users. The hackers’ strategies were to impersonate Signal, warn of bogus security threats, and try to trick targets into giving the hackers access to their account by linking it to a device controlled by the hackers.

Those techniques were exactly the same as those seen in a wider campaign that the U.S. cybersecurity agency CISA, the United Kingdom’s cybersecurity agency, and Dutch intelligence, have all warned of the attacks, and blamed on Russian government spies. Signal, too, has warned of phishing attacks targeting its users. German news magazine Der Spiegel found that the Russian hackers were able to compromise several people inside the country, including high-profile politicians. 

Ó Cearbhaill said in a series of online posts that he was able to figure out that he was one of more than 13,500 targets. He declined to reveal exactly how he investigated the hacking attempt and campaign to avoid revealing his hand to the hackers, but shared a few details about what he learned.

First, he realized that other targets included journalists he had worked with, as well as a colleague. At that point, Ó Cearbhaill said he already suspected this was an opportunistic attack where hackers compromised targets and identified new potential victims, thanks to those successful attacks. 

Ó Cearbhaill called it a “snowball hypothesis,” and said he is convinced he became a target because he was likely in a group chat with someone who got hacked, which gave the hackers a chance to find the contact information of new targets. 

The researcher said he was able to identify the system the hackers were using, which is called “ApocalypseZ,” which automates the attack, allowing the hackers to target many people at the same time in bulk with limited human oversight. 

He also found that the codebase and operator interface is in Russian, and the hackers were translating victim chats into Russian, which lines up with the hypothesis that this was the same Russian government hacking group behind similar campaigns. 

Ó Cearbhaill said that he’s still monitoring the campaign, and has seen the attacks continue, meaning the total number of targets is certainly much higher than the number he saw earlier this year. 

He said he doubts the hackers will go after him again, and probably regret going after him in the first place. He said: “I welcome future messages, especially if they have zero-days they would like to share,” referring to security flaws that are not yet known to the vendor, which are often used in attacks that he investigates.

Ó Cearbhaill said that if Signal users are worried about getting targeted with this type of attack, they should turn on Registration Lock, a feature that lets users set a PIN for their account that prevents others from registering their phone number on a different device.