Full Report
Germany's domestic intelligence agency is warning of suspected state-sponsored threat actors targeting high-ranking individuals in phishing attacks via messaging apps like Signal. [...]
Analysis Summary
# Threat Actor: Suspected State-Sponsored Actors (General Designation)
## Attribution & Identity
* **Identification:** Suspected state-sponsored threat actors.
* **Known Aliases/Associations:** The advisory is based on intelligence collected by Germany's Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI). While the current campaign is broadly attributed to state actors, the article notes that similar techniques (QR code pairing) were previously employed by Russian state-aligned groups such as Sandworm.
## Activity Summary
The actors are engaged in a current phishing campaign targeting high-ranking individuals in Germany and across Europe via secure messaging apps, primarily Signal. The objective is to gain covert access to private communications (one-to-one and group chats) and contact lists.
## Tactics, Techniques & Procedures
* **Technique Focus:** Social engineering and abuse of legitimate platform features; **no traditional malware or exploitation** of platform vulnerabilities is used.
* **Account Takeover (Variant 1):** Impersonate Signal support, send a fake security warning to create urgency, and trick the target into handing over the SMS verification code sent when their number is re-registered, or their Registration Lock PIN. With either, the attacker re-registers the target's phone number on an attacker-controlled device; the victim is locked out and the attacker holds the account.
* **Account Monitoring (Variant 2):** Impersonate support or use another plausible ruse to get the target to scan a QR code, abusing Signal's legitimate linked-device feature (Settings → Linked devices) to pair the account with an attacker-controlled device. The victim keeps using the account normally while the linked device silently receives a copy of subsequent conversations.
* **MITRE ATT&CK IDs:** Not provided in the advisory. A mapping suggested here from the described behaviour (analyst's suggestion, not from the source): T1566.003 Phishing: Spearphishing via Service (the lure is delivered inside Signal itself), T1598.001 Phishing for Information: Spearphishing Service (Variant 1 harvests the SMS code or PIN), and T1098.005 Account Manipulation: Device Registration (Variant 2 registers an attacker device on the account).
## Targeting
* **Sectors:** Politics, Military, Diplomacy, Investigative Journalism.
* **Geography:** Germany and across Europe.
* **Victims:** High-ranking individuals within the targeted sectors (politicians, military officers, diplomats, investigative journalists).
## Tools & Infrastructure
* **Malware Families Used:** None mentioned (attacks rely purely on social engineering/platform features).
* **Infrastructure:** The attack relies on direct communication within the messaging application itself, impersonating support services. No external C2 infrastructure is explicitly detailed for this specific German advisory.
## Implications
This activity shows attackers abusing the trust users place in end-to-end encrypted messengers: the encryption is not broken, the attacker simply becomes a legitimate endpoint. Because the compromise uses only built-in client functionality (re-registration with a harvested code or PIN, or QR-code device linking), it leaves no malware for endpoint security to detect and survives until the victim notices the lockout or the extra linked device. Successful compromise gives state-sponsored actors direct insight into sensitive diplomatic, political, and military communications and into the contact lists of the people conducting them.
## Mitigations
* Do not reply to Signal messages claiming to come from support; Signal does not initiate support conversations inside the app, so any such message should be treated as a phish.
* Block and report alleged support accounts immediately.
* Enable Signal's **‘Registration Lock’** (Settings > Account), which requires the PIN before the phone number can be registered on another device. This blocks Variant 1 when the attacker has obtained only the SMS code, but not if the victim also discloses the PIN, and it does nothing against Variant 2, since device linking does not go through registration.
* Regularly review the list of linked devices under Signal Settings → Linked devices and remove any entry you do not recognise; this is the only user-side check that catches Variant 2.
* Users of other platforms with linking features (e.g., WhatsApp) should exercise similar vigilance.
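The linked-device review above can be turned into a routine check for people who manage high-risk accounts. The script below is an added example, not part of the BfV/BSI advisory and not Signal's or signal-cli's own code. It assumes device records in the shape of signal-cli's `listDevices --output=json` output (fields `id`, `name`, `createdTimestamp`, `lastSeenTimestamp`, epoch milliseconds; this field layout and the `name` being null for the primary device are assumptions), compares them against an owner-maintained allowlist, and flags unknown devices, renamed devices, and anything linked within the last few days. The sample records, the allowlist and the "now" timestamp are constructed so the example runs offline.

```python
"""Audit a Signal account's linked devices against an owner-maintained allowlist.

Added example (not from the advisory or from signal-cli). Record layout is
assumed to match `signal-cli listDevices --output=json`; any other export can
be mapped onto the same dict shape before calling audit().
"""
import json
from datetime import datetime, timedelta, timezone

# Allowlist of devices the account owner actually set up (assumed, keyed by
# Signal device id). Device 1 is always the primary phone.
KNOWN_DEVICES = {
    1: "Primary",
    2: "Desktop (office workstation)",
}

# Fixed "now" so the sample is deterministic.
NOW = datetime(2025, 3, 10, 12, 0, tzinfo=timezone.utc)


def _ms(dt: datetime) -> int:
    """Epoch milliseconds, the unit the assumed export uses."""
    return int(dt.timestamp() * 1000)


# Constructed sample: device 3 was linked two days ago under a name chosen to
# look like a normal desktop client, and is actively pulling messages.
SAMPLE_JSON = json.dumps([
    {"id": 1, "name": None, "createdTimestamp": _ms(NOW - timedelta(days=400)),
     "lastSeenTimestamp": _ms(NOW)},
    {"id": 2, "name": "Desktop (office workstation)",
     "createdTimestamp": _ms(NOW - timedelta(days=200)),
     "lastSeenTimestamp": _ms(NOW - timedelta(hours=3))},
    {"id": 3, "name": "Signal Desktop", "createdTimestamp": _ms(NOW - timedelta(days=2)),
     "lastSeenTimestamp": _ms(NOW - timedelta(minutes=5))},
])


def parse_devices(raw: str) -> list[dict]:
    """Turn the JSON export into dicts with aware datetimes."""
    devices = []
    for rec in json.loads(raw):
        dev_id = int(rec["id"])
        # Assumption: the primary device has no name in the export.
        name = rec.get("name") or ("Primary" if dev_id == 1 else "<unnamed>")
        devices.append({
            "id": dev_id,
            "name": name,
            "created": datetime.fromtimestamp(rec["createdTimestamp"] / 1000, tz=timezone.utc),
            "last_seen": datetime.fromtimestamp(rec["lastSeenTimestamp"] / 1000, tz=timezone.utc),
        })
    return devices


def audit(devices: list[dict], known: dict = KNOWN_DEVICES, now: datetime = NOW,
          recent_days: int = 7) -> list[dict]:
    """Return one finding per suspicious device; an empty list means all clear.

    Checks: id not in the allowlist, allowlisted id whose name changed, and any
    non-primary device linked within `recent_days` (a freshly linked device is
    exactly what Variant 2 leaves behind).
    """
    findings = []
    for d in devices:
        reasons = []
        if d["id"] not in known:
            reasons.append("device id not in allowlist")
        elif d["name"] != known[d["id"]]:
            reasons.append(f"name {d['name']!r} differs from allowlist {known[d['id']]!r}")
        if d["id"] != 1 and now - d["created"] <= timedelta(days=recent_days):
            reasons.append(f"linked within the last {recent_days} days "
                           f"(last seen {d['last_seen'].isoformat()})")
        if reasons:
            findings.append({"id": d["id"], "name": d["name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(parse_devices(SAMPLE_JSON)):
        print(f"device {f['id']} ({f['name']}): " + "; ".join(f["reasons"]))
```

Run it against the real export after each review and treat any finding as a prompt to unlink the device from Settings → Linked devices; the allowlist is deliberately keyed by device id rather than name, because an attacker chooses the name.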