The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) warned that Russian intelligence is using commercial messaging applications to gain access to individuals’ accounts.
In a joint public service announcement (PSA), the agencies said Russian Intelligence Services (RIS) have compromised individual commercial messaging application (CMA) accounts, but not the CMAs themselves or their encryption. Using phishing scams, RIS is able to view victims’ messages and contact lists, send messages and conduct additional phishing scams against other CMA accounts.
The agencies said reporting shows the threat actors target Signal accounts and that the people targeted through the phishing scams are individuals of high intelligence value, such as current and former U.S. government officials, military personnel, political figures and journalists.
“After compromising an account, malicious actors can view the victims’ messages and contact lists, send messages, and conduct additional phishing against other CMA accounts,” the agencies said in their PSA. “CMA users who strengthen their personal cybersecurity and defend against social engineering attempts can reduce the risk of account compromise and limit the effectiveness of the threat actors’ current tactics, techniques, and procedures.”
Officials said the RIS cyber actors send phishing messages masquerading as automated CMA support accounts. The actors tailor the messages to deceive targets into taking an action such as clicking through a link or providing account PINs. If the user takes the requested action, they give the actors access to their account, either by adding the attacker’s device as a linked device or by handing over the account in a full account takeover.
The agencies recommended that CMA users stop all interaction with any message that feels off and treat all unknown messages with suspicion. The agencies further recommended that users never share their PIN or two-factor authentication codes for an action they did not initiate, and that they verify group chats regularly to look for duplicate or fake participants.
