# Full Report
Russian-backed hackers have launched a global cyber campaign to gain access to Signal and WhatsApp accounts used by officials, military personnel and journalists, two intelligence agencies in the Netherlands warned on Monday. Users are persuaded in chats initiated by the hackers to divulge security verification and pin codes, giving them access to personal accounts and…
# Analysis Summary
# Threat Actor: Unnamed Russian-Backed Group
## Attribution & Identity
* **Attribution:** Russian state-sponsored actors (confirmed by AIVD and MIVD).
* **Known Aliases:** Not explicitly named in the report, though Russian-backed intelligence gathering is frequently associated with groups like APT28 (Fancy Bear) or APT29 (Cozy Bear).
* **Associated Groups:** Linked to Russian Intelligence Services.
## Activity Summary
In March 2026, the Dutch intelligence agencies (AIVD and MIVD) issued a warning regarding a global cyber campaign targeting end-to-end encrypted messaging platforms. The actors leverage social engineering to hijack personal accounts, allowing them to intercept sensitive communications and monitor group chat activity.
## Tactics, Techniques & Procedures
* **Social Engineering (Phishing):** Threat actors initiate direct chats with targets on Signal and WhatsApp.
* **Account Takeover (Verification-Code Phishing):** Actors persuade victims to divulge the verification codes and PINs these apps use to register an account, which is enough to take the account over without any technical exploit.
* **Interception:** Once access is gained, actors monitor private messages and participate silently in group chats.
* **MITRE ATT&CK IDs (as given in the source):**
  * **T1566.003:** Phishing: Spearphishing via Service
  * **T1456:** Multi-Factor Authentication Fraud
  * **T1558:** Steal or Forge Authentication Certificates (applicable to session/token takeover)
## Targeting
* **Sectors:** Government, Military, Intelligence, and Media (Journalism).
* **Geography:** Global campaign; verified activity reported by the Netherlands.
* **Victims:** Government officials, military personnel, and journalists.
## Tools & Infrastructure
* **Social Media/Messaging Apps:** Signal and WhatsApp.
* **Malware:** No specific malware mentioned; the campaign relies entirely on social engineering to obtain legitimate verification codes and PINs rather than on exploiting the apps themselves.
* **Infrastructure:** Not specified in the current briefing.
## Implications
This campaign represents a strategic shift toward compromising encrypted "out-of-band" communication channels. By gaining access to these accounts, Russian intelligence can bypass traditional enterprise security monitoring, access highly sensitive informal intelligence, and map out the social and professional networks of high-value targets. The breach of group chats is particularly damaging as it exposes multi-party deliberations.
## Mitigations
* **Two-Step Verification:** Users should enable the app-specific PIN (Signal's Registration Lock, WhatsApp's two-step verification) and never share a PIN or verification code with anyone, regardless of the sender's perceived identity; neither app's support staff will ever ask for them in a chat.
* **Verification of Identity:** Personnel should use secondary channels to verify the identity of anyone asking for security-related information.
* **Security Training:** Targeted individuals (officials/journalists) should receive specialized training on "vishing" and social engineering tactics conducted through encrypted messaging apps.
* **Session Management:** Regularly audit "Linked Devices" in Signal and WhatsApp settings to ensure no unauthorized desktop or web sessions are active.