Earlier this year, Donncha Ó Cearbhaill, a security researcher who investigates spyware attacks, found himself in an unusual position: for once, he was the target of hackers.
“Dear User, This is a Signal Security Support ChatBot. We have observed suspicious activity on your device that may have led to a data leak,” read the message he received on his Signal account.
“We have also detected attempts at Signal to gain access to your personal information,” the message said.
“To avoid this, you must go through the verification process by entering the verification code into the Signal Security Support Chatbot. DO NOT TELL ANYONE, NOT EVEN SIGNAL EMPLOYEES.”
Ó Cearbhaill, who heads Amnesty International’s Security Lab, immediately recognized that this was a “foolish” attempt to hack his Signal account. He saw it instead as a good opportunity to start an unexpected investigation.
The researcher told TechCrunch that he had “never been deliberately targeted” until then by a one-click cyberattack or a phishing attempt of this kind.
“Having the attack hit my inbox and the chance to turn the attackers around and learn more about the campaign was too good to pass up,” he said.
As it turns out, the attempted attack on Ó Cearbhaill was likely part of a wider hacking campaign targeting a large group of Signal users. The hackers’ strategies included impersonating Signal, warning of fake security threats, and tricking targets into linking a hacker-controlled device, giving the hackers access to their accounts.
These techniques were the same as those seen in a larger campaign that the U.S. cybersecurity agency CISA, the U.K.’s cybersecurity agency, and Dutch intelligence all warned about and blamed on Russian government spies. Signal has also warned about phishing attacks targeting its users. German news magazine Der Spiegel found that Russian hackers were able to compromise several people in the country, including high-profile politicians.
Ó Cearbhaill said in a number of online posts that he was able to determine that he was one of more than 13,500 targets. He declined to reveal exactly how he investigated the hacking attempt and campaign to avoid revealing his hand to the hackers, but did share a few details about what he learned.

First, he realized that among the other targets was his colleague, along with journalists he worked with. Ó Cearbhaill said that at the time he already suspected it was an opportunistic attack, in which the hackers were hitting targets and then identifying new potential victims through those successful attacks.
Ó Cearbhaill called it a “snowball hypothesis” and said he believed he was targeted because he was in a group chat with someone who had been attacked, which gave hackers a chance to find new targets’ contact information.
The researcher said he was able to identify the system used by the hackers, called “ApocalypseZ,” which automates the attack and allows hackers to target multiple people at once with limited human supervision.
He also found that the codebase and operator interface were in Russian, and that the hackers were translating victim chats into Russian, suggesting that it was the same Russian government hacking group behind similar campaigns.
Ó Cearbhaill said he is still monitoring the campaign and seeing attacks continue, meaning the total number of targets is higher than what he saw earlier this year.
He said he doubted the hackers would come after him again, and that they probably regret going after him in the first place. He said: “I welcome future messages, especially if they have zero days they want to share.” Zero-days are security flaws that are often used in attacks, are not yet known to the vendor, and are being investigated.
Ó Cearbhaill said Signal users concerned about being targeted by such attacks should enable Registration Lock, a feature that allows users to set a PIN for their account that prevents others from registering their phone number on a different device.





