Russian hackers attacked Ukrainian government institutions via Signal

APT28, a hacking group linked to Russian intelligence, is attacking Ukrainian government institutions. The attackers use a multi-step chain that begins with sending malicious documents via the Signal messenger.

The goal of the attacks is to gain remote access to computers for espionage and data theft, according to the State Special Communications Service.

CERT-UA cyber experts explained how it works:

  1. The attack begins with an attacker, well-informed about their target, sending a Microsoft Word document (e.g. "Act.doc") with an embedded macro via Signal.
  2. After the document is opened and the macro is enabled on the computer, a hidden infection mechanism is launched and malicious code is embedded in the system.
  3. The next step is the activation of a component of the COVENANT hacking framework in the computer's memory. It uses the API of the legitimate cloud service Koofr to receive commands from the attackers.
  4. COVENANT downloads the core spyware program, the BEARDSHELL backdoor, onto the computer and runs it. This program gives the hackers complete control over the affected device.

The State Special Communications Service urges users not to open suspicious files and not to enable macros in documents, even those received through instant messengers.
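To illustrate the advice above, here is an added Python example (not code from CERT-UA or the State Special Communications Service) that checks a received document for an embedded VBA macro by inspecting its content rather than trusting the file extension. The function names and the sample documents, which are constructed in memory, are assumptions made for this example.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")    # compound-file (legacy .doc) header
VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")  # directory names are UTF-16LE


def macro_triage(data: bytes) -> str:
    """Classify a document by its content, not by its file extension."""
    if data.startswith(OLE_MAGIC):
        # A VBA project in a legacy Office file includes a _VBA_PROJECT stream.
        return "ole-macro" if VBA_STREAM in data else "ole-no-vba"
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = [n.lower() for n in z.namelist()]
        # OOXML keeps macros in a vbaProject.bin part, whatever the file is called.
        has_vba = any(n.endswith("vbaproject.bin") for n in names)
        return "ooxml-macro" if has_vba else "zip-no-vba"
    return "unknown"


def flag_macro_files(inbox: dict) -> list:
    """Return the names of received files that carry a VBA macro."""
    return sorted(n for n, d in inbox.items() if macro_triage(d).endswith("-macro"))


def sample_ole(with_macro: bool) -> bytes:
    """Constructed stand-in for a legacy .doc: header magic plus directory names."""
    body = OLE_MAGIC + b"\x00" * 504 + "WordDocument".encode("utf-16-le")
    return body + (VBA_STREAM if with_macro else b"")


def sample_ooxml(with_macro: bool) -> bytes:
    """Constructed stand-in for an OOXML document (a ZIP container)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inbox: file names are illustrative, including an OOXML file named .doc.
    inbox = {"Act.doc": sample_ole(True), "notes.doc": sample_ole(False),
             "report.doc": sample_ooxml(True), "memo.docx": sample_ooxml(False)}
    print(flag_macro_files(inbox))
```

This is a byte-level triage heuristic; a full parser such as olevba from oletools extracts and inspects the macro source itself.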
