Russian Hackers Exploit Signal and WhatsApp to Target Global Officials and Journalists
In a recent disclosure, Dutch intelligence agencies have unveiled a comprehensive cyber espionage campaign orchestrated by Russian state-sponsored hackers. This operation primarily targets users of encrypted messaging platforms Signal and WhatsApp, focusing on government and military officials, as well as journalists worldwide.
The Netherlands’ Defence Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD) have detailed this extensive hacking initiative. The attackers employ sophisticated phishing and social engineering tactics to compromise accounts on these secure communication platforms.
Signal Account Compromise:
The hackers impersonate Signal’s support team, sending direct messages to potential victims. These messages often contain alerts about suspicious activities, potential data breaches, or unauthorized access attempts. Unsuspecting users are then prompted to provide a verification code received via SMS—initiated by the attackers themselves through Signal’s system—and their personal PIN code.
With these credentials, the attackers can register a new device under the victim’s account, effectively impersonating them and gaining access to their contacts. The legitimate user is locked out as a result, but can re-register their number. Because Signal stores chat histories locally, re-registration restores access to past conversations, which may lead victims to believe their account was never compromised. The Dutch agencies caution that this assumption may be misleading.
It’s crucial to note that Signal does not offer support directly through the app. Additionally, when a new device is added to a Signal account, it typically does not have access to previous messages.
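The lure described above combines a sender claiming to be Signal support with a request for the SMS verification code and PIN. The following triage sketch is an added example, not code from the Dutch agencies, Signal, or the original article; the function name `triage`, the phrase patterns, and the sample messages are illustrative assumptions.

```python
import re

# Phrase patterns are illustrative assumptions modelled on the lure described
# above; they are not indicators published by MIVD/AIVD.
SUPPORT_CLAIM = re.compile(r"\bsignal\b[^.!?\n]{0,40}\b(support|security|team)\b", re.I)
PRETEXT = re.compile(r"suspicious activit|data breach|unauthori[sz]ed access", re.I)
SECRET = re.compile(
    r"\b(?:verification|registration|sms|\d-digit|six-digit)\s+code\b|\bpin\b", re.I)
REQUEST = re.compile(r"\b(send|share|reply|provide|enter|confirm|forward|tell)\b", re.I)


def triage(message: str) -> tuple[str, list[str]]:
    """Return (verdict, reasons) for one inbound chat message."""
    reasons = []
    claims_support = bool(SUPPORT_CLAIM.search(message))
    asks_secret = bool(SECRET.search(message) and REQUEST.search(message))
    if claims_support:
        reasons.append("sender claims to be Signal support; Signal gives no in-app support")
    if PRETEXT.search(message):
        reasons.append("security-alert pretext")
    if asks_secret:
        reasons.append("asks for a verification code or PIN")
    if claims_support and asks_secret:
        verdict = "block"    # the full lure: impersonation plus credential request
    elif claims_support or asks_secret:
        verdict = "review"   # one strong signal: escalate to a human
    else:
        verdict = "ok"       # pretext wording alone is too common to act on
    return verdict, reasons


# Constructed sample messages (not taken from the campaign)
SAMPLES = [
    "Signal Support: we detected suspicious activity on your account. "
    "Reply with the verification code we just sent by SMS and your PIN.",
    "Hi, it's Anna. Can you share the PIN for the conference bridge?",
    "Did you read about the data breach at that retailer?",
    "Lunch at 12?",
]

if __name__ == "__main__":
    for text in SAMPLES:
        verdict, reasons = triage(text)
        print(f"{verdict:6} {text[:50]!r} {reasons}")
```

Keyword heuristics like these only prioritise messages for human review; the second sample shows a benign request that still lands in "review" rather than being blocked outright.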
WhatsApp Account Compromise:
In the case of WhatsApp, the attackers exploit the Linked Devices feature, which permits users to access their accounts from secondary devices like laptops or tablets. By deceiving targets into scanning malicious QR codes or clicking on harmful links, the hackers can link their own device to the victim’s account. Unlike the Signal method, this approach gives attackers access to past messages. Victims might remain unaware of the breach, as they do not get logged out of their accounts.
Meta, WhatsApp’s parent company, advises users never to share their six-digit verification code with anyone. The company also provides resources to help users recognize suspicious messages and understand the Linked Devices feature.
Broader Implications:
This campaign is part of a series of cyberattacks attributed to Russian government-backed groups. For instance, in 2024, Russian hackers exploited vulnerabilities in Cisco routers to target U.S. government agencies. Similarly, in 2023, Russian and Chinese-backed hackers exploited a vulnerability in the WinRAR software.
These incidents underscore the persistent and evolving nature of cyber threats posed by state-sponsored actors. Users of encrypted messaging platforms are urged to remain vigilant, verify the authenticity of support messages, and avoid sharing verification codes or personal information.