Full Report
Russian state-sponsored hackers have been linked to an ongoing Signal and WhatsApp phishing campaign targeting government officials, military personnel, and journalists to gain access to sensitive messages. [...]
Analysis Summary
# Threat Actor: Unnamed Russian State-Sponsored Group (Associated with APT44/Sandworm or similar activity)
## Attribution & Identity
- **Identification:** Russian state-sponsored hackers.
- **Aliases:** While the article does not name a specific APT, it references historical activities by Russian threat actors (previously linked by Google to campaigns targeting Signal) often associated with groups like APT44 (Sandworm) or ColdRiver (UNC4034).
- **Known Associations:** Russian Intelligence Services (linked via the Dutch MIVD and AIVD report).
## Activity Summary
- **Current Campaign:** An ongoing sophisticated phishing and social engineering operation (observed in early 2026) targeting mobile messaging platforms.
- **Objective:** Account hijacking and covert monitoring of sensitive communications.
- **Method:** Abusing legitimate authentication and device-linking features of Signal and WhatsApp.
## Tactics, Techniques & Procedures
- **Social Engineering:** Impersonating "Signal Security Support Chatbots" to notify users of "suspicious activity" to create urgency.
- **OTP/SMS Interception/Phishing:** Tricking victims into providing SMS verification codes and Signal PINs.
- **Device Linking Abuse:** Sending malicious QR codes or links disguised as group chat invitations to link the attacker’s device to the victim’s account.
- **Account Transition:** Changing the telephone number associated with a compromised Signal account to an attacker-controlled number to maintain persistence.
- **Impression Management:** Allowing victims to re-register accounts so they see their local chat history, leading them to believe no breach occurred while the attacker remains linked or in control of the metadata.
- **MITRE ATT&CK Mapping:**
  - **T1566.003:** Phishing: Voice/SMS (Smishing)
  - **T1098:** Account Manipulation
  - **T1585:** Establish Accounts (impersonating support)
  - **T1528:** Steal Application Access Token (linking devices)
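A message-triage heuristic built from the indicator classes listed in the TTPs above (support impersonation, manufactured urgency, requests for SMS codes or the Signal PIN, and QR/group-invite device-linking lures). This is an added example for defenders and awareness teams, not code from the report or from Signal, WhatsApp or any vendor; the phrase lists, weights and thresholds are assumptions, and the sample messages are constructed.

```python
import re
from dataclasses import dataclass, field

# Indicator classes mirror the social-engineering TTPs in the report:
# support impersonation, manufactured urgency, requests for SMS codes or
# the Signal PIN, and device-linking lures (QR codes, "group invite" links).
# The phrases are illustrative assumptions, not a published signature set;
# tune them to the language your users actually see.
INDICATORS = [
    ("impersonation",
     re.compile(r"\b(signal|whatsapp)\b.{0,40}?\b(security|support|team|chatbot)\b",
                re.I | re.S), 2),
    ("urgency",
     re.compile(r"suspicious activity|unauthori[sz]ed|will be (suspended|deleted|blocked)"
                r"|immediately|within \d+ (minutes|hours)", re.I), 1),
    ("credential_request",
     re.compile(r"verification code|sms code|\b\d[- ]?digit\b|\bpin\b", re.I), 3),
    ("device_linking",
     re.compile(r"link(ed)? device|scan (this|the) qr|qr code|group (chat )?invit"
                r"|join (this|the) group", re.I), 3),
    ("link",
     re.compile(r"https?://\S+", re.I), 1),
]


@dataclass
class Verdict:
    level: str                      # "low", "medium" or "high"
    score: int
    indicators: list = field(default_factory=list)


def triage_message(text: str) -> Verdict:
    """Score one inbound message against the indicator classes above.

    The weights make a credential request or a device-linking lure count for
    more than tone alone: a support impersonation that asks for a code or PIN
    lands at "high" even without a link, matching the report's point that
    legitimate support never asks for either.
    """
    hits = [(name, weight) for name, rx, weight in INDICATORS if rx.search(text)]
    score = sum(weight for _, weight in hits)
    names = [name for name, _ in hits]
    if score >= 5:
        level = "high"
    elif score >= 3:
        level = "medium"
    else:
        level = "low"
    return Verdict(level=level, score=score, indicators=names)


# Constructed sample messages (not real campaign lures) for a quick run.
SAMPLE_MESSAGES = {
    "support_lure": (
        "Signal Security Support Chatbot: suspicious activity was detected on "
        "your account. To keep it, reply with the 6-digit verification code "
        "we just sent you and your Signal PIN."
    ),
    "group_invite_lure": (
        "New group chat for tomorrow's briefing, scan this QR code to join: "
        "https://example.invalid/g/abc123"
    ),
    "benign": "Are we still on for lunch at 1?",
}


def triage_all(messages=SAMPLE_MESSAGES) -> dict:
    """Return {label: Verdict} for every message in the batch."""
    return {label: triage_message(text) for label, text in messages.items()}


if __name__ == "__main__":
    for label, verdict in triage_all().items():
        print(f"{label:18} {verdict.level:6} score={verdict.score} {verdict.indicators}")
```

The keyword classes are deliberately coarse, so expect false positives on ordinary text such as "signal the team"; the value is in the combination rule, where impersonation plus a code/PIN request or a linking lure is what pushes a message to "high". If your platform exposes sender metadata, adding a "sender not in contacts" indicator is the most useful next refinement; the page's mitigations (check linked devices, never share codes or PINs, verify out of band) remain the actual controls.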
## Targeting
- **Sectors:** Government, Military, and Journalism.
- **Geography:** Netherlands (confirmed), Czechia (potential historical/related activity), and likely broader NATO/European regions.
- **Victims:** Dutch government employees, military personnel, and journalists.
## Tools & Infrastructure
- **Platforms Exploited:** Signal and WhatsApp.
- **Malware:** No specific malware payload mentioned; the attack relies on **Living-off-the-Land (LotL)** techniques, abusing legitimate app features rather than deploying code.
- **Infrastructure:**
  - Fake "Signal Security Support Chatbot" profiles.
  - Malicious QR codes.
  - Attacker-controlled telephone numbers for account migration.
## Implications
This campaign demonstrates a strategic pivot by Russian intelligence to bypass end-to-end encryption (E2EE) not by breaking the encryption itself, but by compromising the **endpoints** and **session management**. By gaining access to Signal and WhatsApp, actors can monitor real-time strategic discussions, identify sources (in the case of journalists), and track the movements of military/government officials. The ability to remain "invisible" through device linking presents a high risk for long-term intelligence collection.
## Mitigations
- **Verify Linked Devices:** Regularly check `Settings > Linked Devices` in Signal and WhatsApp and remove any unrecognized sessions.
- **SMS/PIN Hygiene:** Never share SMS verification codes or App PINs with any entity, even those claiming to be "support."
- **QR Code Caution:** Do not scan QR codes or click account-linking links received via unsolicited messages.
- **Out-of-Band Verification:** If a contact or "support" reaches out with an unusual request, verify their identity through a different trusted communication channel.
- **Information Policy:** Dutch intelligence advises against sharing sensitive or classified information via consumer messaging apps unless specifically authorized.