Weeks before top US officials discussed war plans on Signal, Google had outlined how Russia had used the app to hack accounts of persons of interest in Ukraine.
In a report in February, the Google Threat Intelligence (GTI) group said that Russian hackers from its military intelligence service GRU had used a number of ways to compromise Signal accounts of persons of interest in Ukraine during the ongoing war. The report highlighted the many ways in which hackers gained access to users’ messages, such as by duping them into scanning malicious QR codes or making them click on links resembling group invitations.
The report's findings bring greater scrutiny to the conduct of top US officials, including Vice President JD Vance, Secretary of State Marco Rubio, Secretary of Defense Pete Hegseth, and National Security Advisor Mike Waltz, who used Signal last week to discuss operational plans to attack the Houthis in Yemen.
In one of the worst security breaches in years, Waltz added a journalist, The Atlantic’s Editor-in-Chief Jeffrey Goldberg, to a Signal group in which he and others, including Vance, Rubio, and Hegseth, deliberated on strikes against the Houthis. Hegseth even shared full operational plans in the group, containing exact information about the weapons, targets, and timing of the strikes. In the hands of an adversary, the information could have been deeply damaging for the United States and an ally involved.
Despite being hailed as a highly secure app, Signal is not authorised by the US government for officials to use for national security or intelligence matters.
How Russia hacked Signal in Ukraine
Russian GRU hackers from the group called ‘APT44’ have gained access to Ukrainian Signal accounts, according to the report by Google researchers.
In one technique, Russian hackers abused the ‘linked devices’ feature of Signal, which allows users to access their accounts on tablets or computers in addition to their phones. Similar features exist in other messaging applications, such as WhatsApp or Telegram.
Because such linking happens by scanning a QR code, the hackers tricked Ukrainian persons of interest into scanning malicious QR codes that linked their accounts to the hackers’ devices as well, according to Google’s researchers.
Once the link succeeded, the researchers said, the hackers received the targeted user’s messages in real time.
In another technique, a group dubbed UNC5792 used realistic links disguised as invitations to join Signal groups to make users click them.
Once the user clicked such a link, they were directed to a page that linked their account to the hacker’s device instead of adding them to a group, according to Google’s researchers.
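The two techniques above share one mechanical core: the victim is handed a payload (a QR code or a link) that looks like a group invitation but actually carries a device-linking request. The script below is an added illustration, not code from the article or from Google's report, of how a defender might triage such payloads before anyone scans or clicks them. It assumes the URI shapes Signal's public client code uses as I recall them (an `https://signal.group/#...` fragment for genuine group invites and an `sgnl://linkdevice?uuid=...&pub_key=...` or legacy `tsdevice:/?...` URI for device linking); treat those shapes, the hostname allowlist and the sample messages as constructed assumptions to be checked against the current Signal source.

```python
"""Triage links and decoded QR payloads for Signal device-linking abuse.

Added example (not from the article). URI formats and hostnames below are
assumptions based on my reading of Signal's client code, not on the report.
"""
import re
from urllib.parse import parse_qs, urlparse

# Hostnames Signal itself uses for links (assumed allowlist).
SIGNAL_HOSTS = {"signal.group", "signal.org", "signal.me"}

# URI schemes that, to my knowledge, carry Signal device-linking requests.
DEVICE_LINK_SCHEMES = {"sgnl", "tsdevice"}

# Pull candidate URIs out of free text (message bodies, decoded QR content).
URI_RE = re.compile(r'\b(?:https?|sgnl|tsdevice):[^\s<>"\']+')


def classify(uri: str) -> dict:
    """Classify one URI as a genuine group invite, a device-link request,
    a look-alike domain, or something else, with a coarse risk level."""
    p = urlparse(uri.strip())
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    result = {"uri": uri, "kind": "other", "risk": "low", "note": ""}

    if scheme in DEVICE_LINK_SCHEMES:
        # A linking URI pairs a *new device* to the account: expected only
        # when the user is deliberately setting up their own desktop/tablet.
        q = parse_qs(p.query)
        result.update(
            kind="device_link",
            risk="high",
            note="would link a new device to the account; not a group invite",
            link_uuid=q.get("uuid", [""])[0],
            has_pub_key="pub_key" in q,
        )
    elif scheme == "https" and host == "signal.group" and p.fragment:
        # Real invites put the invite token in the URL fragment.
        result.update(kind="group_invite", risk="low",
                      note="matches the genuine group-invite shape")
    elif "signal" in host and host not in SIGNAL_HOSTS:
        # Domains that merely contain 'signal' are the classic lure.
        result.update(kind="lookalike", risk="high",
                      note="domain imitates Signal but is not a Signal host")
    return result


def triage_messages(messages):
    """Return (message_number, kind, uri) for every non-low-risk URI found."""
    findings = []
    for number, text in enumerate(messages, start=1):
        for uri in URI_RE.findall(text):
            verdict = classify(uri)
            if verdict["risk"] != "low":
                findings.append((number, verdict["kind"], uri))
    return findings


# Constructed sample messages: one genuine-looking invite, one device-link
# request dressed up as an invite confirmation, one look-alike domain, and
# one unrelated link.
SAMPLE_MESSAGES = [
    "hey, join our unit chat: https://signal.group/#CjQKIEXAMPLEINVITECODE",
    "you were added, scan to confirm: sgnl://linkdevice?uuid="
    "11111111-2222-3333-4444-555555555555&pub_key=EXAMPLEKEY",
    "new group link -> https://signal-group.example/join?c=abc123",
    "minutes are here https://intranet.example/minutes",
]

if __name__ == "__main__":
    for number, kind, uri in triage_messages(SAMPLE_MESSAGES):
        print(f"message {number}: {kind}: {uri}")
```

The useful lesson is in the second sample: the text says "you were added", but the payload is a device-link request, and that mismatch, not the domain, is what gives the lure away. The matching user-side mitigation is to review Signal's Linked Devices list periodically and remove any device you did not pair yourself.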
To be sure, however, Signal itself was not hacked and its end-to-end encryption was not broken by Russian hackers.
In addition to attacks during the ongoing war, APT44 has also attacked Ukraine previously: in 2015, when it struck the country’s power grid, and in 2017, when the fallout spilled over into the West. In the NotPetya attack of 2017, Western companies such as Maersk, Merck, and FedEx were affected and suffered estimated damages of around $10 billion. The group has also been linked to attacks on the Tokyo Olympics in 2021 and the Winter Olympics in South Korea in 2018.
US officials’ use of Signal under scrutiny
As demonstrated in Google’s report, Signal, or any app for that matter, is not completely free from the risk of being compromised. Even if the app itself is not hacked, users could be manipulated by hackers into granting them access. This is why the usage of Signal by top US officials is highly problematic.
Such discussions are held over secure in-house devices and networks authorised by the US federal government. In person, during such meetings, attendees are usually required to deposit their phones outside of the room. The usage of Signal violates every single rule in the book.
It’s not just the use of the app among themselves that’s problematic but the addition of a journalist to their discussion — purportedly unknowingly. By leaking operational plans to an unauthorised person, even unknowingly, Hegseth and others could technically be liable for prosecution under the Espionage Act.
Moreover, even though the journalist in this case, The Atlantic’s editor Goldberg, did not make the operational plans public, someone in his place, perhaps someone aligned with an adversary, could have done so and compromised the operation or risked exposing spies or intelligence sources.
Madhur Sharma is a senior sub-editor at Firstpost. He primarily covers international affairs and India's foreign policy. He is a habitual reader, occasional book reviewer, and an aspiring tea connoisseur. You can follow him at @madhur_mrt on X (formerly Twitter) and you can reach out to him at madhur.sharma@nw18.com for tips, feedback, or Netflix recommendations