Russian Intelligence Services Targeting Commercial Messaging Applications Campaign

Tags: Russian Intelligence, Signal Phishing, Device Linking Abuse, Cyber Espionage, Credential Theft
Russian Intelligence Services (RIS) are conducting an ongoing campaign that compromises Signal, WhatsApp, and Telegram accounts belonging to government officials, military personnel, journalists, and activists across Ukraine, Europe, and the United States by impersonating messaging-platform support and abusing the legitimate device-linking feature.

Indicators of Compromise

groups-signal.site
group-teneta.online
teneta.add-group.site
signalgroup.site
helperanalytics.ru
signal-groups-add.com
signal-device-off.online
signal-group-add.com
confirm-signal.site
add-signal-groups.com
teneta.group
group-signal.com
group.kropyva.site
signal-group.tech
teneta.join-group.online
signal-protect.host
signal-groups.site
signal-groups.tech
signals-group.com
signal-security.site
signal-group.site
signal-security.online
add-signal-group.com
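The domains above are only useful if they are matched correctly against DNS and proxy telemetry: a substring test flags unrelated names that merely contain an indicator, and a bare suffix test misses `www.` prefixes. The following added example (not code from the campaign page or any vendor) loads the list and does label-wise matching, so a host is flagged when it equals an indicator or is a subdomain of one. The log format and the sample lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Domain indicators copied from the campaign's IOC list above.
IOC_DOMAINS = {
    "groups-signal.site", "group-teneta.online", "teneta.add-group.site", "signalgroup.site",
    "helperanalytics.ru", "signal-groups-add.com", "signal-device-off.online",
    "signal-group-add.com", "confirm-signal.site", "add-signal-groups.com", "teneta.group",
    "group-signal.com", "group.kropyva.site", "signal-group.tech", "teneta.join-group.online",
    "signal-protect.host", "signal-groups.site", "signal-groups.tech", "signals-group.com",
    "signal-security.site", "signal-group.site", "signal-security.online", "add-signal-group.com",
}

# Constructed sample lines in an assumed "key=value" DNS/proxy log format (not a real product's format).
SAMPLE_LOG = """\
2025-01-10T09:14:02Z dns client=10.0.0.12 query=www.signal-group.site type=A
2025-01-10T09:14:05Z proxy client=10.0.0.12 url=https://confirm-signal.site/join?g=abc status=200
2025-01-10T09:15:11Z dns client=10.0.0.19 query=signal.org type=A
2025-01-10T09:15:40Z proxy client=10.0.0.19 url=https://signal-group.com.example.net/x status=200
2025-01-10T09:16:03Z dns client=10.0.0.21 query=notsignal-group.com type=A
2025-01-10T09:16:20Z dns client=10.0.0.12 query=group.kropyva.site. type=A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>dns|proxy) client=(?P<client>\S+) (?:query|url)=(?P<target>\S+)"
)


def extract_host(value):
    """Normalise a URL or bare hostname to a lower-case host with no trailing dot."""
    value = value.strip().lower()
    if "://" in value:
        host = urlsplit(value).hostname or ""
    else:
        host = value.split("/", 1)[0].split(":", 1)[0]
    return host.rstrip(".")


def match_ioc(value, iocs=IOC_DOMAINS):
    """Return the IOC domain that `value` equals or is a subdomain of, else None.

    Matching whole labels from the right avoids two common mistakes: a substring
    test would flag notsignal-group.com and signal-group.com.example.net, while a
    plain equality test would miss www.signal-group.site.
    """
    labels = extract_host(value).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def scan_log(text, iocs=IOC_DOMAINS):
    """Return (timestamp, client, target, matched_ioc) for each line that hits an IOC."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ioc = match_ioc(m["target"], iocs)
        if ioc:
            hits.append((m["ts"], m["client"], m["target"], ioc))
    return hits


def clients_by_ioc(hits):
    """Group matched IOCs per client so a host contacting several campaign domains stands out."""
    out = {}
    for _ts, client, _target, ioc in hits:
        out.setdefault(client, set()).add(ioc)
    return out


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(*hit)
    print(clients_by_ioc(found))
```

Of the six constructed lines, only the three from client 10.0.0.12 match; `signal-group.com.example.net` and `notsignal-group.com` are deliberately included to show the matcher does not over-trigger.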

APT Groups (4)

Turla Group (Russian Federation)

Summary of Actor: Turla Group, also known as Snake or Uroburos, is a sophisticated Russian-speaking cyber-espionage group. It has been active since at least 2004 and is known for targeting government, military, and diplomatic sectors globally. The group employs advanced malware and stealth techniques to maintain long-term access to target networks.

General Features: Turla is known for its sophisticated malware tools, such as Snake, Turla, and Carbon. They use watering hole attacks, spear-phishing emails, and custom malicious software. The group operates with strategic goals, often aligned with Russian geopolitical interests.

Related Other Groups: APT28, APT29, Dragonfly

Indicators of Attack (IoA):
- Unusual DNS queries
- Suspicious network traffic patterns
- Usage of PowerShell and other scripting tools
- Malicious Office Document attachments
- Usage of compromised infrastructure for C2 servers

Recent Activities and Trends:
Latest Campaigns: In recent years, Turla has been observed leveraging COVID-19 themes in spear-phishing campaigns. They have also been linked to attacks on European governments and institutions, emphasizing their focus on political espionage.
Emerging Trends: Turla has been increasingly using cloud services for Command-and-Control (C2) infrastructure, as well as evolving their malware to evade modern detection mechanisms.

Aliases: Turla, ATK13, Blue Python, G0010, Group 88, Hippo Team, IRON HUNTER, ITG12, KRYPTON, MAKERSMARK, Pacifier APT, Pfinet, Popeye, SIG23, SUMMIT, Secret Blizzard, Snake, TAG_0530, UAC-0003, UAC-0024, UAC-0144, UNC4210, Uroburos, VENOMOUS Bear, WRAITH, Waterbug
ELECTRUM (RU)

Summary of Actor: ELECTRUM is a sophisticated and highly capable threat actor group believed to operate out of Russia. They are primarily known for their association with the infamous destructive malware attacks like NotPetya. The group is believed to have ties with Sandworm Team.

General Features: ELECTRUM is characterized by their use of custom-built malware and zero-day exploits. They are known for highly coordinated and destructive cyber attacks targeting critical infrastructure, particularly in Ukraine. ELECTRUM leverages spear-phishing and other social engineering techniques to gain initial access.

Related Other Groups: Sandworm Team, TeleBots, APT28

Indicators of Attack (IoA):
- Suspicious network traffic to uncommon domains
- Use of custom malware such as Industroyer and NotPetya
- Unexpected system reboots or crashes
- Unauthorized access to admin credentials

Recent Activities and Trends:
Latest Campaigns: Recently, ELECTRUM has been linked to a series of attacks targeting electrical grid operators in Ukraine, resulting in temporary power outages and operational disruptions. The use of sophisticated spear-phishing campaigns was noted in these attacks.
Emerging Trends: There has been an observable shift towards targeting critical infrastructure outside of Ukraine, including sectors like healthcare and financial services. An increase in the use of ransomware tactics also indicates a possible pivot to financially motivated attacks.

Aliases: APT44, Blue Echidna, Sandworm, FROZENBARENTS, G0034, IRIDIUM, IRON VIKING, Quedagh, Seashell Blizzard, TEMP.Noble, TeleBots, UAC-0082, UAC-0113, VOODOO BEAR
Ghostwriter (BY)

Summary of Actor: Ghostwriter is a cyber espionage campaign attributed to threat actors tied to Belarus with suspected associations to Russia. They are known for influence operations that focus on forging documents and spreading disinformation to undermine political stability.

General Features: Ghostwriter typically engages in disinformation campaigns and military espionage, notably through credential phishing, website impersonation, and other malicious cyber activities aimed at information theft and manipulation.

Related Other Groups: APT28, UNC1151

Indicators of Attack (IoA):
- Credential phishing
- Document forgery
- Website defacement
- Disinformation campaigns

Recent Activities and Trends:
Latest Campaigns: Recently, Ghostwriter has been linked to phishing campaigns targeting NATO members and European governments, in addition to defacing news websites to spread false information.
Emerging Trends: Increasing focus on disinformation campaigns aimed at discrediting political opponents and creating unrest within Europe, including leveraging social media platforms to amplify their messages.

Aliases: DEV-0257, PUSHCHA, Storm-0257, TA445, UAC-0057, UNC1151
UAC-0185 (RU)

Overview: UAC-0185 is a Russia-linked cyber espionage threat actor active since at least 2022. The group primarily conducts phishing campaigns targeting Ukrainian defense organizations and military personnel to steal credentials from messaging applications and specialized military systems.

Key Characteristics:
- Sophisticated spear-phishing with tailored lures impersonating legitimate Ukrainian entities.
- Focus on credential theft from secure communication tools and defense-specific platforms.
- Limited use of remote access tools for deeper system compromise.
- Alignment with Russian intelligence interests in disrupting Ukrainian military capabilities.
- Evolution of phishing infrastructure and delivery methods over time.

Indicators of Attack:
- Phishing emails disguised as official invitations or communications from defense-related organizations.
- Malicious links or attachments leading to credential harvesting pages or malware downloads.
- Targeting of accounts in Signal, Telegram, WhatsApp, and systems like DELTA, TENETA, and Kropyva.
- Deployment of remote access tools on compromised endpoints.
- Use of compromised legitimate servers for email distribution.

Aliases: UNC4221

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION/DETECTION

Each entry gives the ATT&CK technique and tactic, the detection strategy, and the analytic with its platform and description.

T1566.002 Spearphishing Link (TA0001 Initial Access)
  Detection Strategy: DET0107 Detection Strategy for Spearphishing Links
  Analytic AN0298 (Windows): Correlation of inbound messages with embedded links followed by user-driven browser navigation to suspicious or obfuscated domains; malicious URL delivered, user click recorded, browser process spawned.

T1566.003 Spearphishing via Service (TA0001 Initial Access)
  Detection Strategy: DET0115 Detection Strategy for Spearphishing via a Service across OS Platforms
  Analytic AN0320 (Windows): Spearphishing attempts delivered via third-party messaging services leading to malicious file downloads or browser-initiated script execution; correlate external-service logins and unexpected navigation.

T1598.003 Spearphishing Link (TA0043 Reconnaissance)
  Detection Strategy: DET0878 Detection of Spearphishing Link
  Analytic AN2010 (PRE): Monitor for suspicious message activity such as many accounts receiving messages from a single unknown sender; DKIM/SPF and header analysis help detect spoofed senders.

T1684.001 Impersonation (TA0005 Stealth)
  Detection Strategy: DET0286 Detection Strategy for Impersonation
  Analytic AN0792 (Windows): Detect messages where the sending account or display name (e.g. fake 'Signal Support') does not match the underlying address, and abnormal volumes of support-themed lures.

T1204.001 Malicious Link (TA0002 Execution)
  Detection Strategy: DET0066 User Execution - Malicious Link
  Analytic AN0178 (Windows): Behavioral chain: a user-facing app handles a link, the same process lineage makes an outbound connection to an untrusted domain, then a file is downloaded or a device-linking URI is invoked.

T1111 Multi-Factor Authentication Interception (TA0006 Credential Access)
  Detection Strategy: DET0246 Detection Strategy for MFA Interception via Input Capture and Smart Card Proxying
  Analytic AN0687 (Windows): Behavior chain involving capture of one-time codes / verification PINs and reuse of intercepted authentication material from sessions not initiated by local user interaction.

T1098.005 Device Registration (TA0003 Persistence)
  Detection Strategy: DET0036 Suspicious Device Registration via Entra ID or MFA Platform
  Analytic AN0103 (Identity Provider): Adversary registers a new device to a compromised account to gain persistent access; detect anomalous device-link / enrolment events on the account.

T1005 Data from Local System (TA0009 Collection)
  Detection Strategy: DET0380 Detection of Local Data Collection Prior to Exfiltration
  Analytic AN1070 (Windows): Local files collected via PowerShell, WMI, or direct file API calls, with recursive listings, targeted reads (e.g. Signal db.sqlite / config.json) and temporary staging.

T1059.001 PowerShell (TA0002 Execution)
  Detection Strategy: DET0455 Abuse of PowerShell for Arbitrary Execution
  Analytic AN1252 (Windows): Behavioral chains where PowerShell is launched with encoded commands, unusual parent processes, or suspicious modules, potentially followed by network connections (Turla Signal-theft script).

T1059.003 Windows Command Shell (TA0002 Execution)
  Detection Strategy: DET0202 Behavioral Detection of Windows Command Shell Execution
  Analytic AN0578 (Windows): Interactive or scripted abuse of cmd.exe / batch files (e.g. WAVESIGN, Robocopy staging); focus on anomalous parent-child relationships and command-line parameters.

T1567.002 Exfiltration to Cloud Storage (TA0010 Exfiltration)
  Detection Strategy: DET0570 Detection Strategy for Exfiltration to Cloud Storage
  Analytic AN1571 (Windows): Unusual processes accessing large local files then initiating HTTPS requests to cloud-storage domains; Rclone uploads of Signal database content (WAVESIGN).

T1119 Automated Collection (TA0009 Collection)
  Detection Strategy: DET0186 Automated File and API Collection Detection Across Platforms
  Analytic AN0531 (Windows): Automated execution of native utilities/scripts to discover and harvest files periodically (e.g. WAVESIGN repeatedly querying the Signal database).

T1074.001 Local Data Staging (TA0009 Collection)
  Detection Strategy: DET0261 Detection of Local Data Staging Prior to Exfiltration
  Analytic AN0724 (Windows): File reads across locations followed by writes to temp/staging directories, often compressed or encrypted, prior to exfiltration (Robocopy staging of Signal directories).

Observed Countries (5)

FR (852)
GE (7)
MD (617)
UA (394)
US (556)