Russian Hackers Targeting Signal, WhatsApp in Attacks, Dutch Intel Warns

  • Mar 9

Key Findings


  • Dutch intelligence agencies AIVD and MIVD warn of a large-scale global cyber campaign by Russia-linked threat actors targeting Signal and WhatsApp accounts of government officials, military personnel, and journalists.

  • The attackers are using social engineering tactics rather than exploiting app vulnerabilities - they impersonate Signal support bots and abuse legitimate features like "linked devices" to hijack accounts.

  • Once they gain access, the hackers can read all messages and participate in group chats without the users' knowledge, potentially exposing sensitive government and military communications.

  • These encrypted messaging apps are being targeted because their reputation for privacy and security has made them widely used for sensitive communications.


Background


The Dutch intelligence services AIVD and MIVD have issued an alert about a global operation by Russian state-backed hackers to compromise the Signal and WhatsApp accounts of high-value targets such as government officials, civil servants, and military personnel. This effort highlights the growing cyber risks to sensitive communications among national security actors.


The agencies state that the hackers are not exploiting technical vulnerabilities in the apps themselves, but rather using social engineering techniques to trick users into granting them access. This includes impersonating Signal support chatbots and abusing features like "linked devices" to hijack accounts without the owners' knowledge.


Once an account is compromised, the hackers can gain full access to the user's private messages, group chats, and other communications - potentially exposing sensitive government or military information to Russian intelligence.


Tactics and Techniques


  • Impersonating Signal support chatbots to trick users into providing verification codes

  • Exploiting the "linked devices" feature to link victim accounts to attacker-controlled devices

  • Crafting malicious QR codes disguised as legitimate Signal resources to enable remote account linking

  • Changing display names of compromised accounts to "Deleted account" to avoid detection

  • Joining groups via shared Group Links to blend in with legitimate members


Targeted Sectors


  • Government officials and civil servants

  • Military and defense personnel

  • Journalists and other individuals of interest to the Russian government


Recommendations


  • Signal and WhatsApp users, especially those in sensitive government or military roles, should be extremely cautious about requests for verification codes or instructions to link new devices.

  • Carefully monitor group chats for signs of compromise, such as duplicate accounts or name changes.

  • Report any suspicious activity to your organization's information security team.

  • Consider using authorized, government-approved communication channels for sensitive information rather than consumer messaging apps.
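
One way to act on the group-monitoring recommendation, as an added example that is not part of the original post or the agencies' alert: it compares two snapshots of a group's member list and flags the signs named above (a "Deleted account" display name, renames, duplicate names, and new joiners to confirm). The snapshot format, member ids, names and finding labels are constructed assumptions, not an export either app provides.

```python
from collections import Counter

# Constructed sample data: two snapshots of one group's roster, keyed by a
# stable member id (hypothetical format, not a Signal or WhatsApp API).
BEFORE = {
    "m1": "Anna de Vries",
    "m2": "J. Bakker",
    "m3": "Press Desk",
}
AFTER = {
    "m1": "Anna de Vries",
    "m2": "Deleted account",  # display name changed between snapshots
    "m3": "Press Desk",
    "m4": "J. Bakker",        # new member reusing a name the group already knew
    "m5": "Tom Visser",       # new member, should be confirmed out of band
}


def normalize(name):
    """Case-fold and collapse whitespace so near-identical names compare equal."""
    return " ".join(name.casefold().split())


def audit_roster(before, after):
    """Return sorted (member_id, finding) pairs for a human to follow up on."""
    findings = []
    known_names = {normalize(n) for n in before.values()}
    name_counts = Counter(normalize(n) for n in after.values())
    for member_id, name in after.items():
        key = normalize(name)
        old = before.get(member_id)
        if key == "deleted account":
            findings.append((member_id, "deleted-account-name"))
        if old is not None and normalize(old) != key:
            findings.append((member_id, "renamed"))
        if old is None:
            findings.append((member_id, "new-member"))
        # Duplicate: same name twice in the current roster, or a new member
        # presenting a name that an existing member used in the last snapshot.
        if name_counts[key] > 1 or (old is None and key in known_names):
            findings.append((member_id, "duplicate-name"))
    return sorted(findings)


if __name__ == "__main__":
    for member_id, finding in audit_roster(BEFORE, AFTER):
        print(f"{member_id}: {finding} ({AFTER[member_id]!r})")
```

A finding is a prompt to verify the member through a separate channel, not proof of compromise.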


Expert Commentary


"These consumer apps aren't designed with state-level security in mind. Unlike official government systems, they cannot be easily monitored for unauthorized access. Compromised accounts can also be used as a staging platform for further attacks."


  • Ben Clarke, SOC Manager at CybaVerse


"The tactics, techniques, and procedures used to target Signal will likely be prevalent in the near term and spread to other regions beyond Ukraine as Russian actors seek to expand their access to sensitive communications."


  • Google Threat Intelligence Group


Sources


  • https://hackread.com/dutch-intel-russia-hackers-hijack-signal-whatsapp-attacks/

  • https://securityaffairs.com/189156/intelligence/russia-linked-hackers-target-signal-whatsapp-of-officials-globally.html

  • https://www.socdefenders.ai/item/5602b60d-fdee-4ad1-a020-7af4bbfd21af

  • https://www.instagram.com/p/DVqlc6dEfwX/

  • https://www.facebook.com/techcrunch/posts/dutch-intelligence-is-accusing-russia-backed-hackers-of-running-a-large-scale-gl/1278347067492491/


© 2025 by Explain IT Again. Powered and secured by Wix