Multiple Russia-aligned threat actors actively targeting Signal Messenger
Summary of the Attack
- Commenters distill the report as primarily phishing: fake Ukrainian military Signal group invites (web pages / QR codes) that actually trigger Signal’s “link device” flow to an attacker-controlled desktop client.
- Some campaigns also attempt to exfiltrate Signal databases from Windows and Android devices.
- People note that Google published concrete malicious domains, which others inspect and debate.
Linked Devices, QR Codes, and UX Debates
- Many see this as an inherent risk of any “linked devices” feature: if you can add a new device, that device can silently receive all future messages.
- There’s criticism that linking can be initiated by an external sgnl://linkdevice URI, and concern that scanning a QR or clicking a link can effectively do the link with minimal user friction.
- Others defend Signal’s current UX: primary device must still confirm, a prominent in‑app prompt exists, and over‑notifying users leads to fatigue.
- Proposed mitigations: permanent “N linked devices” indicator, geo‑based anomaly alerts, an option to forbid linking altogether, and future key transparency so hidden devices become detectable.
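To make the distinction the thread keeps returning to concrete, here is an added example (not code from the thread, Google's report, or Signal) of the triage a defender might run over decoded QR payloads or the links on a suspected lure page: a genuine Signal group invite is an https://signal.group/#… URL, whereas anything that resolves to an sgnl://linkdevice URI, even one hidden behind a percent‑encoded redirect parameter, is a device‑linking request and should be flagged. The sample payloads are constructed, the .invalid hostnames are placeholders rather than real indicators, and the uuid / pub_key parameter names are assumed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed samples standing in for decoded QR codes or links scraped from a
# lure page. ".invalid" hosts are placeholders, not indicators from any report.
SAMPLE_PAYLOADS = [
    "https://signal.group/#CjQKIExAMPLEgroupinviteEXAMPLE",                          # real-looking group invite
    "sgnl://linkdevice?uuid=EXAMPLE-UUID&pub_key=EXAMPLE_PUBKEY",                    # bare linking URI
    "https://join-unit.invalid/group?next=sgnl%3A%2F%2Flinkdevice%3Fuuid%3DEXAMPLE2%26pub_key%3DKEY2",  # encoded redirect
    "https://example.invalid/about",                                                 # unrelated link
]

# Matches a linking URI up to whitespace or a delimiter that would end it in HTML/text.
LINK_DEVICE_RE = re.compile(r"sgnl://linkdevice[^\s\"'<>]*", re.IGNORECASE)


def find_link_device_uris(text):
    """Return every sgnl://linkdevice URI found in text.

    The text is scanned both as-is and after one round of percent-decoding so a
    linking URI smuggled inside a redirect/next parameter is still caught.
    """
    found = []
    for candidate in (text, unquote(text)):
        for match in LINK_DEVICE_RE.finditer(candidate):
            uri = match.group(0)
            if uri not in found:
                found.append(uri)
    return found


def link_params(uri):
    """Parse the query parameters of a linking URI into a dict (assumed keys: uuid, pub_key)."""
    return dict(parse_qsl(urlsplit(uri).query))


def classify(payload):
    """Label one payload: 'link_device' (device-linking request), 'group_invite', or 'other'."""
    if find_link_device_uris(payload):
        return "link_device"
    parts = urlsplit(payload)
    # Signal group invites are https URLs on signal.group carrying the invite in the fragment.
    if parts.scheme == "https" and parts.netloc == "signal.group" and parts.fragment:
        return "group_invite"
    return "other"


def triage(payloads):
    """Classify each payload and attach the decoded linking URIs for anything flagged."""
    report = []
    for payload in payloads:
        label = classify(payload)
        uris = find_link_device_uris(payload) if label == "link_device" else []
        report.append({"payload": payload, "label": label, "link_uris": uris})
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE_PAYLOADS):
        print(entry["label"].ljust(13), entry["payload"])
        for uri in entry["link_uris"]:
            print("    linking request with params:", link_params(uri))
```

Only the first payload is a group invite; the second and third both classify as device‑linking requests, which is exactly the property the "join a military group" lures exploit: the page looks like an invite, but the thing it ultimately hands to Signal is a link‑device request. A gateway or awareness tool that surfaces this distinction to the user addresses the low‑friction concern raised above without relying on the in‑app prompt alone.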
Military Context and Smartphone Use in War
- Several infer or restate that one attack path includes capturing phones from dead soldiers.
- Discussion broadens to how both sides in the Ukraine war use smartphones (Signal, Discord, mapping and artillery apps) versus radios. Encrypted military radios exist, but phones are widely used because they’re flexible and familiar.
- Risk tradeoffs are debated: phones are more secure than many legacy radios, but also store sensitive data and can leak locations.
Signal vs Other Messengers & Adoption Challenges
- Some see the targeting as a backhanded compliment: if Russia has to phish, Signal’s core crypto is holding up. Others caution that this doesn’t prove stronger, undisclosed attacks don’t exist.
- Long subthread on persuading people to use Signal: social pressure (“I only use Signal”), ease of onboarding, high‑quality media, and privacy arguments.
- Comparisons with WhatsApp: both use the Signal protocol, but WhatsApp’s metadata collection and contact uploads are viewed as a major downside. Some still accept WhatsApp for social reasons; others prefer SMS over Meta services.
Security Model, Linked‑Device Weaknesses, and Threat Models
- A linked academic paper is discussed: if an attacker compromises the long‑term identity key (e.g., via root on a device or backups), they can add devices without user involvement and potentially break forward secrecy even after unlinking.
- One side argues that once your long‑term key is stolen you are “already lost,” so this isn’t uniquely alarming. Others counter that users reasonably expect revoking a device to actually cut it off from future messages, and that Signal previously downplayed this class of risk.
- Commenters stress that phishing and endpoint compromise (malicious apps, browser extensions, OS backdoors) are far easier in practice than attacking the Signal protocol itself.
Disinformation, Attribution, and Geopolitics
- Some are skeptical of Google’s framing of “Russia‑aligned” actors, highlighting fake WHOIS data, the fog of war, and potential one‑sidedness in reporting attacks from only one side.
- Others argue that, given Ukrainian‑language lures aimed at Ukrainian military migrating off Telegram, Russian origin is the most plausible reading and that constant doubt can shade into unhelpful FUD.
- There are tangents about Russia’s broader information operations, social‑media propaganda, and the fragility of democracies to such campaigns.
Broader Reflections on E2E Encryption and Trust
- Several note that E2E crypto only protects data in transit; compromised clients, OSes, app stores, or hardware can exfiltrate plaintext with a one‑line HTTP request.
- Reproducible builds, certificate transparency, and future key‑transparency logs are suggested as ways to make misbehavior detectable, not impossible.
- Some worry that using Signal may even mark users as interesting targets to powerful adversaries, though others emphasize that it still greatly raises the cost of mass surveillance.