Russian Hackers Target Signal and WhatsApp Users in Global Cyber Campaign
Russian state-sponsored hackers are conducting a widespread cyber campaign to gain access to Signal and WhatsApp accounts belonging to dignitaries, military personnel, civil servants, and individuals of interest, including journalists. Dutch intelligence and security services, the MIVD and AIVD, confirmed the ongoing attacks, which aim to compromise accounts and extract sensitive information.
How the Attacks Operate
The primary method used by the hackers involves impersonating Signal Support chatbots to trick users into revealing their security verification codes and PINs. Once obtained, these codes allow the attackers to take control of the user’s account. Another tactic, frequently observed on WhatsApp, exploits the “linked devices” feature, enabling unauthorized access to accounts via linked devices through phishing links or QR codes.
Once an account is compromised, hackers can read incoming messages, including those within group chats. The AIVD and MIVD believe that sensitive information has already been accessed through this campaign. Source
Why Signal is a Target
Despite employing end-to-end encryption, Signal is a prime target due to its reputation as a secure and reliable communication channel, particularly favored by governments seeking to protect internal communications. This very security makes it an attractive platform for malicious actors attempting to intercept sensitive data. Source
Broader Russian “Hybrid Activity”
This cyber campaign is part of a broader increase in Russian “hybrid activities” targeting European countries, including cyber attacks, disinformation campaigns, and sabotage. Russia has been linked to activities such as blocking flight paths with drones, sabotaging undersea cables, and deploying incendiary devices on planes. Within the Netherlands, Russia is suspected of conducting cyber attacks and preparing to sabotage critical infrastructure. Source
Previous Phishing Attempts and Warnings
Warnings about phishing attempts targeting Signal and WhatsApp users were initially reported several weeks ago. In January, the German Federal Office for Information Security (BSI) and the journalist organization “Network Research” alerted users to the phishing method. Dozens of investigative journalists from prominent media outlets, including ARD, ZDF, “Zeit,” “Correctiv,” and “Euractiv,” were reportedly targeted, as were representatives from civil society organizations and legal professionals. Source
Protecting Your Account
- Never interact with alleged security bots: Do not engage with any chatbot claiming to be Signal or WhatsApp support, and never share verification codes or PINs.
- Enable Registration Lock (Signal): Activate this feature under “Settings” and “Account” to require your Signal PIN when registering your phone number on a new device.
- Enable Two-Factor Authentication (WhatsApp): Activate this feature in your account settings and provide an email address for PIN reset.
- Review Linked Devices: Regularly check your account settings to identify and remove any unknown or unauthorized linked devices.
- Report Compromises: If you believe your account has been compromised, re-register with Signal or WhatsApp using your mobile phone number. However, be aware that attackers may attempt to change the associated phone number, potentially leading to irreversible account loss.
- Inform Contacts: If your account is compromised, immediately notify your contacts, especially if sensitive information has been exchanged.
Signal has stated it is taking the incidents “very seriously,” but emphasizes that the security of the platform itself has not been compromised. The attacks target individual user accounts by exploiting legitimate security features. Source
The AIVD and MIVD advise that messaging services like Signal and WhatsApp are not suitable for transmitting state secrets due to the vulnerability of individual accounts. Source
Keep reading