In an intriguing turn of events earlier this year, Donncha Ó Cearbhaill, a prominent security researcher focused on spyware, found himself on the receiving end of a hacking attempt. This unusual situation arose when he received a message on his Signal account that read, "Dear User, this is Signal Security Support ChatBot. We have noticed suspicious activity on your device, which could have led to data leak."
The message further claimed, "We have also detected attempts to gain access to your private data in Signal," urging him to complete a verification process that involved sharing a code with the so-called support chatbot. Recognizing this as a phishing attempt, Ó Cearbhaill, who leads Amnesty International's Security Lab, seized the opportunity to investigate the incident.
He shared with TechCrunch that this was his first encounter with such a direct cyberattack. "Having the attack land in my inbox, and the chance to turn the tables on the attackers and understand more about the campaign was too good to pass up," he noted.
It soon became evident that Ó Cearbhaill's experience was part of a broader hacking initiative targeting numerous Signal users. The attackers employed tactics such as impersonating Signal and fabricating security threats to deceive users into granting them access to their accounts.
These strategies align with warnings issued by various cybersecurity agencies, including the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom's cybersecurity authority, which have attributed these attacks to Russian government operatives. Signal has also alerted its users about the rising phishing threats.
Ó Cearbhaill discovered that he was among over 13,500 individuals targeted in this campaign. While he refrained from disclosing specific investigative methods to keep the hackers unaware, he did share insights into the situation. He identified that many of the targets were journalists and colleagues within his network, suggesting that the hackers were exploiting compromised accounts to discover new victims.
He referred to this phenomenon as the "snowball hypothesis," theorizing that his inclusion in a group chat with a hacked individual likely made him a target. He also identified the hackers' operational system, dubbed "ApocalypseZ," which automates attacks, allowing for mass targeting with minimal oversight.
Further analysis revealed that the hackers utilized Russian language tools to translate victim communications, reinforcing the connection to the Russian hacking group behind similar operations. Ó Cearbhaill continues to monitor the situation, noting that the number of targeted individuals is likely to be even higher than previously estimated.
Despite the attempt, he expressed hope that the hackers would think twice before targeting him again. He humorously welcomed future communications, especially if they included undisclosed security vulnerabilities. For Signal users concerned about similar attacks, he recommends activating the Registration Lock feature, which secures an account by requiring the account's Signal PIN before its phone number can be registered on a different device, so that a verification code handed over to a fake "support chatbot" is not by itself enough to take over the account.